add a play and role to configure ziti controller #11

Open
qrkourier opened this issue Jun 14, 2023 · 4 comments

@qrkourier
Member

OpenZiti Controller needs at least one CA, a configuration file, and a storage dir for the database. Write an Ansible Playbook that uses the existing downloader Ansible Role to place the ziti CLI in the filesystem, then calls a new Ansible Role like "openziti_controller."

The new Ansible Role:

  1. creates a systemd service unit to keep the OpenZiti Controller running.
  2. generates a CA unless one is provided
  3. uses the CA to issue a server certificate for the controller
  4. uses the ziti CLI to create the controller's config YAML by mapping Ansible vars to the env vars expected by ziti CLI

Future:

  • support separate CAs for each function: control plane (ctrl), edge signer, and web server certs
  • support intermediate CAs for each function
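
Steps 2 and 3 of the role described above, written as Ansible tasks. This is an added example, not part of the issue or the project's code. It assumes the `community.crypto` collection is installed; every `openziti_*` variable and file name is hypothetical.

```yaml
# Added example. openziti_pki_dir, openziti_generate_ca, openziti_ca_name and
# openziti_ctrl_address are hypothetical role variables.
- name: Generate a CA unless one is provided
  when: openziti_generate_ca | default(true) | bool
  block:
    - name: Create the CA private key (an existing key is left untouched)
      community.crypto.openssl_privatekey:
        path: "{{ openziti_pki_dir }}/ca.key"
        mode: "0600"
    - name: Build an in-memory CSR carrying the CA constraints
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ openziti_pki_dir }}/ca.key"
        common_name: "{{ openziti_ca_name }}"
        use_common_name_for_san: false
        basic_constraints: ["CA:TRUE"]
        basic_constraints_critical: true
        key_usage: [keyCertSign, cRLSign]
        key_usage_critical: true
      register: ca_csr
      changed_when: false
    - name: Self-sign the CA certificate
      community.crypto.x509_certificate:
        path: "{{ openziti_pki_dir }}/ca.crt"
        csr_content: "{{ ca_csr.csr }}"
        privatekey_path: "{{ openziti_pki_dir }}/ca.key"
        provider: selfsigned

# With openziti_generate_ca set to false, ca.crt and ca.key must already be in place.
- name: Create the controller's server key
  community.crypto.openssl_privatekey:
    path: "{{ openziti_pki_dir }}/ctrl-server.key"
    mode: "0600"
- name: Build the server CSR with the advertised address as SAN
  community.crypto.openssl_csr_pipe:
    privatekey_path: "{{ openziti_pki_dir }}/ctrl-server.key"
    common_name: "{{ openziti_ctrl_address }}"
    subject_alt_name: ["DNS:{{ openziti_ctrl_address }}"]
    extended_key_usage: [serverAuth]
  register: server_csr
  changed_when: false
- name: Issue the server certificate from the CA
  community.crypto.x509_certificate:
    path: "{{ openziti_pki_dir }}/ctrl-server.crt"
    csr_content: "{{ server_csr.csr }}"
    provider: ownca
    ownca_path: "{{ openziti_pki_dir }}/ca.crt"
    ownca_privatekey_path: "{{ openziti_pki_dir }}/ca.key"
    ownca_not_after: "+365d"
```

Because the key tasks do not regenerate an existing key by default, rerunning the play does not replace the CA and invalidate certificates already issued from it.
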
@ares-b
Contributor

ares-b commented Jun 17, 2023

I've made a custom Ansible module that could help generate all PKI parts (CA, Client, Server, Intermediate, etc.). I made it a few months ago though, and I don't really know if it's finished. I'll get back to it today and make you a PR.

@ares-b
Contributor

ares-b commented Jun 17, 2023

Edit: I made the PR, but it's still WIP. I need to write some docs and unit tests.

@ares-b
Contributor

ares-b commented Jun 18, 2023

For generating a PKI for the Controller, I'm not really familiar with cert configurations. If you explain to me step by step what to do, I'd be glad to do it. @dovholuknf said on Discourse that he will maybe do a video where he explains how the express install PKI is made; that would be great material.

@dovholuknf
Member

Overview uploading to/uploaded to https://youtu.be/Fk2sE0ydVo8

There are four basic ports and PKI, but only the controller ports/PKI are relevant to the expressInstall process. I talk about all four ports anyway...

Hope that helps
