itential · Amunagala-itential · Apr 13, 2026 · Apr 13, 2026
diff --git a/docs/verify_cert_README.md b/docs/verify_cert_README.md
diff --git a/playbooks/site.yml b/playbooks/site.yml
@@ -11,4 +11,4 @@
   import_playbook: itential.iag5.clients
 
 - name: Verify IAG5 TLS certificates post-deployment
-  import_playbook: itential.iag5.certcheck
+  import_playbook: itential.iag5.verify_cert
diff --git a/playbooks/verify_cert.yml b/playbooks/verify_cert.yml
@@ -0,0 +1,82 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# IAG5 TLS Certificate Verification
+#
+# Runs after deployment to verify that all TLS certificates are correctly
+# configured across all IAG5 node types. All variables are defined in each
+# role's defaults/main.yml and derived from the deployer's existing variables.
+#
+# Runs automatically as the final step of site.yml.
+# Can also be run standalone:
+#
+#   ansible-playbook itential.iag5.verify_cert -i <inventory>
+#
+# Or for a specific check suite only:
+#   ansible-playbook itential.iag5.verify_cert -i <inventory> --tags cluster_server_to_runner
+#   ansible-playbook itential.iag5.verify_cert -i <inventory> --tags cluster_client_to_server
+#   ansible-playbook itential.iag5.verify_cert -i <inventory> --tags connect_server_to_gwm
+
+# -----------------------------------------------------------------------
+# CLUSTER TLS — SERVER ↔ RUNNER (gRPC mTLS)
+# -----------------------------------------------------------------------
+- name: "VERIFY_CERT | Cluster TLS — SERVER to RUNNER — SERVER node"
+  hosts: iag5_servers
+  become: true
+  tags: [verify_cert, cluster_server_to_runner]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.verify_cert_cluster_server_to_runner
+      when: gateway_server_use_tls | bool
+
+- name: "VERIFY_CERT | Cluster TLS — SERVER to RUNNER — RUNNER node"
+  hosts: iag5_runners
+  become: true
+  tags: [verify_cert, cluster_server_to_runner]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.verify_cert_cluster_server_to_runner
+      when: gateway_server_use_tls | bool
+
+# -----------------------------------------------------------------------
+# CLUSTER TLS — CLIENT ↔ SERVER (gRPC mTLS)
+# -----------------------------------------------------------------------
+- name: "VERIFY_CERT | Cluster TLS — CLIENT to SERVER — CLIENT node"
+  hosts: iag5_clients
+  become: true
+  tags: [verify_cert, cluster_client_to_server]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.verify_cert_cluster_client_to_server
+      when: gateway_client_use_tls | bool
+
+- name: "VERIFY_CERT | Cluster TLS — CLIENT to SERVER — SERVER node"
+  hosts: iag5_servers
+  become: true
+  tags: [verify_cert, cluster_client_to_server]
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.verify_cert_cluster_client_to_server
+      when: gateway_client_use_tls | bool
+
+# -----------------------------------------------------------------------
+# CONNECT TLS — SERVER → Gateway Manager (WebSocket)
+# Only runs when gateway_manager group is defined in inventory.
+# -----------------------------------------------------------------------
+- name: "VERIFY_CERT | Connect TLS — SERVER to Gateway Manager"
+  hosts: iag5_servers
+  become: true
+  tags: [verify_cert, connect_server_to_gwm]
+  pre_tasks:
+    - name: "VERIFY_CERT | Skip connect checks if gateway_manager group not in inventory"
+      ansible.builtin.meta: end_host
+      when: "'gateway_manager' not in groups or groups['gateway_manager'] | length == 0"
+  roles:
+    - role: itential.iag5.gateway
+      tags: always
+    - role: itential.iag5.verify_cert_connect_server_to_gwm
+      when: gateway_server_use_tls | bool
diff --git a/roles/verify_cert_cluster_client_to_server/defaults/main.yml b/roles/verify_cert_cluster_client_to_server/defaults/main.yml
@@ -0,0 +1,24 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+########################################################
+# verify_cert_cluster_client_to_server default variables
+########################################################
+
+# Inventory group names — must match the deployer's group names
+iag5_server_group: "iag5_servers"
+iag5_client_group: "iag5_clients"
+
+# Gateway config file paths — derived from deployer role variables
+server_gateway_conf: "{{ gateway_server_config_dir }}/gateway.conf"
+client_gateway_conf: "{{ gateway_client_working_dir }}/gateway.conf"
+
+# Service name — matches the systemd unit installed by the deployer
+service_name: iagctl
+
+# Port the server listens on — derived from deployer default
+server_port: "{{ gateway_server_port }}"
+
+# private_ip — used for SAN validation and no_proxy checks.
+# Defaults to ansible_host since the deployer does not define private_ip.
+private_ip: "{{ hostvars[inventory_hostname]['private_ip'] | default(ansible_host) }}"
diff --git a/roles/verify_cert_cluster_client_to_server/tasks/main.yml b/roles/verify_cert_cluster_client_to_server/tasks/main.yml
@@ -0,0 +1,30 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# ROLE: cluster_client_to_server
+# Runs on: CLIENT node and SERVER node (via separate plays in verify_cert.yml)
+# TLS Type: Mutual TLS (mTLS) — gRPC over TCP
+# node_section is set automatically based on which host group the node belongs to
+# Client node uses: ~/.gateway.d/gateway.conf → [client] section
+# Server node uses: /etc/gateway/gateway.conf → [server] section
+
+- name: "INIT | Determine node section and gateway conf"
+  ansible.builtin.set_fact:
+    node_section: "{{ 'client' if inventory_hostname in groups[iag5_client_group] else 'server' }}"
+    gateway_conf: "{{ client_gateway_conf if inventory_hostname in groups[iag5_client_group] else server_gateway_conf }}"
+
+- name: "INIT | Init results tracker"
+  ansible.builtin.set_fact:
+    check_results: []
+
+- name: "Run cert verification checks"
+  ansible.builtin.include_tasks:
+    file: verify_cluster_client_to_server.yml
+
+# -----------------------------------------------------------------------
+# SUMMARY
+# -----------------------------------------------------------------------
+- name: "SUMMARY | Print results"
+  ansible.builtin.include_tasks: ../../verify_cert_common/tasks/summary.yml
+  vars:
+    role_title: "CLUSTER TLS — CLIENT ↔ SERVER (gRPC mTLS) — {{ node_section | upper }} NODE"