Auto-detect and normalize installer certificates

[ehelms]

Why are you introducing these changes? (Problem description, related links)

Migrating from a foreman-installer deployment to foremanctl requires converting
both the answer file parameters and the certificate layout. Previously this had
to be done manually. The migrate subcommand now handles this in a single step,
but the migrate playbook was running without elevated privileges, causing a
permission error when reading /etc/foreman-installer/ files.

What are the changes introduced in this pull request?

• Add migrate_foreman_installer role that runs during foremanctl migrate to
  copy certificates from /root/ssl-build/ into /root/certificates/, persist
  the CA passphrase into parameters.yaml, and back up the original directory
• Auto-detect custom server certificates by comparing the internal CA against
  the server CA; write certificates_source: custom_server to parameters.yaml
  when they differ so subsequent deploys do not overwrite the custom cert
• Remove the installer certificate source — migrated certs use standard default
  source paths after normalization; mark certificate path parameters as IGNORE
  in answer file migration since the role handles cert files directly
• Consolidate default_certificates.yml and custom_server_certificates.yml
  into a single certificates.yml (paths were identical after normalization)
• Add a dedicated CI job that exercises the full migrate workflow: install
  foreman-installer, run foremanctl migrate, deploy, and test
• Fix permission error in migrate playbook by adding become: true to the
  answer file migration play so the module can read files under
  /etc/foreman-installer/

How to test this pull request

Steps to reproduce:

• Run the migration CI job and verify it passes end-to-end
• On a host with an existing foreman-installer install, run foremanctl migrate
  and confirm a valid parameters.yaml is produced and certs are copied into place
• Verify a host with a custom server cert gets certificates_source: custom_server
  written to parameters.yaml
• Run foremanctl deploy after migration and confirm it succeeds without
  re-running certificate migration

Checklist

• Tests added/updated (if applicable)
• Documentation updated (if applicable)

[evgeni]

@ehelms could you please rebase this one

[evgeni]

This fails for "installer" certs, as the CA password is not properly loaded.

OTOH, I don't see why it would re-generate the installer issued certs to begin with.

[evgeni]

the keys really should not be world readable

[evgeni]

certs-check is right, /root/certificates/certs/quadlet.example.com.crt is signed by Foreman Self-signed CA, not by Custom Test CA - but why?!

"TASK [certificates : Sign server certificate] **********************************" did re-sign the cert, it really should not for "custom" certs, those can't be managed by us.

[evgeni]

At this point, will that ever be false?

[evgeni]

normalize.yml deletes /root/ssl-build/katello-default-ca.crt after execution, so on the next run of the role not certificates_installer_ca.stat.exists will be true and ca.yml will run -- is that intentional?

[evgeni]

yepp, ran into this in https://github.com/theforeman/foremanctl/actions/runs/24706818357/job/72261872791?pr=421

[evgeni]

arguably, this file now should be just certificates.yml, right?

[evgeni]

The more I think about it, the more I think normalize should be part of the "one time migration from old installer" (as started in #446), not a thing that "continuously" runs as I think copying files is not sufficient for that step. We need to at least also make foremanctl aware of the passphrase of the CA (I hacked that up with slurp now, but I hate it) and ideally also import the old CA properties so that it does not get regenerated on follow up runs.

and the custom cert setup is a nice addition, but is also valuable outside the normalize flow, so IMHO this PR should be two?

[ehelms]

I agree I can now pull out the custom certificates to their own PR. And that, installer certificates via migration handling makes more sense as a one time operation.

Do you generally agree on the direction of installer certs support? That is should be "converted" so foremanctl manages it like our default ones?

[ehelms]

Custom certificate handling now exists at: #462
This will need to be incorporated into the migrate command once that's available. Setting this to draft for now as it will require re-work once those two conditions are met.

[evgeni]

Do you generally agree on the direction of installer certs support? That is should be "converted" so foremanctl manages it like our default ones?

Yes, as the setup (well, at the very least the CA) need to be fully usable in foremanctl to deploy new proxies etc.