diff --git a/defaults/main.yml b/defaults/main.yml
index 689dde8..861dc85 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,5 @@
 ---
 # defaults file for import_vault_root_ca
+import_vault_root_ca_certificate_list:
+ - url: "https://openstack01.ednz.fr:8200/v1/ednz-root-ca/ca"
+ cert_name: "ednz_ca"
diff --git a/handlers/main.yml b/handlers/main.yml
index 5c04086..c276b4a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,5 @@
 ---
 # handlers file for import_vault_root_ca
+- name: "Update the trust store"
+ ansible.builtin.command: update-ca-certificates
+ listen: "update-ca-certificates"
diff --git a/meta/main.yml b/meta/main.yml
index 7d17b8b..9d6a9c1 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,9 +2,9 @@
 # meta file for hashicorp_nomad
 galaxy_info:
 namespace: 'ednxzu'
- role_name: 'hashicorp_nomad'
+ role_name: 'import_vault_root_ca'
 author: 'Bertrand Lanson'
- description: 'Install and configure hashicorp nomad for debian-based distros.'
+ description: 'Imports root CA certificates from Vault to the trust store on debian-based distros.'
 license: 'license (BSD, MIT)'
 min_ansible_version: '2.10'
 platforms:
@@ -18,7 +18,9 @@ galaxy_info:
 galaxy_tags:
 - 'ubuntu'
 - 'debian'
- - 'hashicorp'
- - 'nomad'
+ - 'vault'
+ - 'openssl'
+ - 'store'
+ - 'certificate'
 
 dependencies: []
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 7a62eb2..49efc7f 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -20,7 +20,7 @@ provisioner:
 defaults:
 remote_tmp: /tmp/.ansible
 verifier:
- name: testinfra
+ name: ansible
 scenario:
 name: default
 test_sequence:
diff --git a/molecule/default/tests/conftest.py b/molecule/default/tests/conftest.py
deleted file mode 100644
index a11928c..0000000
--- a/molecule/default/tests/conftest.py
+++ /dev/null
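Review bot: The new default `import_vault_root_ca_certificate_list` ships a concrete URL (`https://openstack01.ednz.fr:8200/v1/ednz-root-ca/ca`), so any consumer who applies the role without overriding the variable imports that particular CA into the host's system trust store. A role default should not decide which root to trust: make it `import_vault_root_ca_certificate_list: []` and keep the real entry in the play, inventory or README as a worked example. Since `cert_name` is interpolated into file paths and an openssl command line in tasks/import.yml, the defaults file should also state that it must be a plain file name with no path separators, spaces or shell metacharacters, e.g. `# cert_name: bare file name, becomes <cert_dir>/<cert_name>.crt`.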
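Review bot: The header comment `# meta file for hashicorp_nomad` on the context line directly above the renamed `role_name` is still the comment copied from the nomad role, and it stays wrong after this commit; it should become `# meta file for import_vault_root_ca` in the same rename. The `description` change below it is fine, and the new tags in the second hunk read correctly, though `'store'` on its own is too generic to help Galaxy search and could be dropped or made more specific.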
@@ -1,22 +0,0 @@
-"""PyTest Fixtures."""
-
-import os
-
-import pytest
-
-
-def pytest_runtest_setup(item):
- """Run tests only when under molecule with testinfra installed."""
- try:
- import testinfra
- except ImportError:
- pytest.skip("Test requires testinfra", allow_module_level=True)
- if "MOLECULE_INVENTORY_FILE" in os.environ:
- pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ["MOLECULE_INVENTORY_FILE"],
- ).get_hosts("all")
- else:
- pytest.skip(
- "Test should run only from inside molecule.",
- allow_module_level=True,
- )
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
deleted file mode 100644
index 0cff669..0000000
--- a/molecule/default/tests/test_default.py
+++ /dev/null
@@ -1,10 +0,0 @@
-"""Role testing files using testinfra."""
-
-
-def test_hosts_file(host):
- """Validate /etc/hosts file."""
- f = host.file("/etc/hosts")
-
- assert f.exists
- assert f.user == "root"
- assert f.group == "root"
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..a5cfa75
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Example assertion
+ ansible.builtin.assert:
+ that: true
diff --git a/tasks/import.yml b/tasks/import.yml
new file mode 100644
index 0000000..25710c3
--- /dev/null
+++ b/tasks/import.yml
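Review bot: The new verify.yml asserts only `that: true`, so once the testinfra tests are deleted the scenario passes without checking anything the role does. Replace the example assertion with a check that the imported certificate landed in the directory the role writes to, e.g. `ansible.builtin.stat` on `/usr/local/share/ca-certificates/<cert_name>.crt` followed by `ansible.builtin.assert` on the returned `stat.exists`, and ideally an `openssl verify` of that file against the regenerated system bundle. The converge step also depends on the external host in the default certificate list being reachable, so the scenario is not self-contained; a local fixture certificate served from the test container would make it reproducible. The stale comment `# This is an example playbook to execute Ansible tests.` should go at the same time.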
@@ -0,0 +1,17 @@
+---
+# task/import file for import_vault_root_ca
+- name: "Download certificate file"
+ ansible.builtin.get_url:
+ url: "{{ item.url }}"
+ validate_certs: false
+ dest: "/tmp/{{ item.cert_name }}.tmp"
+ mode: '0600'
+ loop: "{{ import_vault_root_ca_certificate_list }}"
+
+- name: "Make sure certificate is in PEM format"
+ ansible.builtin.command:
+ cmd: "openssl x509 -in /tmp/{{ item.cert_name }}.tmp -out {{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt -outform pem"
+ creates: "{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt"
+ loop: "{{ import_vault_root_ca_certificate_list }}"
+ notify:
+ - update-ca-certificates
diff --git a/tasks/main.yml b/tasks/main.yml
index b5cec53..9adbc03 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,5 @@
 ---
-# tasks file for import_vault_root_ca
+# task/main file for import_vault_root_ca
+- name: "Import prerequisites.yml"
+ ansible.builtin.include_tasks: prerequisites.yml
+
+- name: "Import import.yml"
+ ansible.builtin.include_tasks: import.yml
diff --git a/tasks/prerequisites.yml b/tasks/prerequisites.yml
new file mode 100644
index 0000000..2f2ce26
--- /dev/null
+++ b/tasks/prerequisites.yml
@@ -0,0 +1,23 @@
+---
+# task/prerequisites file for import_vault_root_ca
+- name: "Install required roles"
+ ansible.builtin.command:
+ cmd: "ansible-galaxy install {{ item }}"
+ loop: "{{ import_vault_root_ca_prerequisites_roles }}"
+ changed_when: false
+ delegate_to: localhost
+ run_once: true
+
+- name: "Install dependencies"
+ ansible.builtin.include_role:
+ name: ednxzu.manage_apt_packages
+ vars:
+ manage_apt_packages_list: "{{ import_vault_root_ca_packages }}"
+
+- name: "Create directory {{ import_vault_root_ca_cert_dir }}"
+ ansible.builtin.file:
+ path: "{{ import_vault_root_ca_cert_dir }}"
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: '0755'
diff --git a/vars/main.yml b/vars/main.yml
index 4c9b882..9d6b7cc 100644
--- a/vars/main.yml
+++ b/vars/main.yml
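Review bot: `validate_certs: false` on the "Download certificate file" task fetches the root CA that will be trusted system-wide without verifying who served it, so whatever answers at `item.url` on the network path ends up in the trust store. The Vault listener is presumably signed by this very CA, which is why validation is off, but the download should then be pinned rather than unchecked: add `checksum: "{{ item.checksum | default(omit) }}"` to the task and document a per-entry `sha256:` value in the certificate list, so an unexpected certificate fails the task instead of being imported. The `creates:` guard on the openssl task also means a rotated CA published under the same `cert_name` is never re-imported, and the `/tmp/<cert_name>.tmp` download is left on the host; a `checksum`-based change detection plus an `ansible.builtin.file: state: absent` cleanup would close both. Vault's PKI `/ca` endpoint returns DER by default while `/ca/pem` returns PEM, and `openssl x509 -in` assumes PEM input unless `-inform der` is given, so the conversion step should be confirmed against the endpoint actually used.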
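Review bot: The "Install required roles" task in tasks/prerequisites.yml runs `ansible-galaxy install` on the controller in the middle of the play, pulling `ednxzu.manage_apt_packages` unpinned at whatever version Galaxy serves, and `changed_when: false` hides that the controller was modified. Declare the dependency in meta/main.yml `dependencies` (still `[]` in this commit) or in a requirements.yml with a pinned version, so the supply chain is reviewable and reproducible instead of resolved at runtime. If the runtime install is kept, note that `ansible-galaxy install` skips a role that is already present, so the task silently uses whichever version happens to be installed on the controller; a comment such as `# installs only if missing; does not upgrade an existing copy` would at least make that explicit.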
@@ -1,2 +1,12 @@
 ---
 # vars file for import_vault_root_ca
+import_vault_root_ca_cert_dir: /usr/local/share/ca-certificates
+import_vault_root_ca_prerequisites_roles:
+ - ednxzu.manage_apt_packages
+import_vault_root_ca_packages:
+ - name: openssl
+ version: latest
+ state: present
+ - name: ca-certificates
+ version: latest
+ state: present
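Review bot: `import_vault_root_ca_cert_dir` is placed in vars/main.yml, which takes precedence over inventory and play vars, so a consumer cannot relocate the directory without `-e`; if it is meant to be tunable it belongs in defaults/main.yml, and if it is deliberately fixed a comment like `# fixed: the directory update-ca-certificates scans on Debian` would document that. The package entries carry `version: latest` next to `state: present`; they are passed through to ednxzu.manage_apt_packages, and if that role maps `latest` to an apt upgrade, every run of this CA-import role may upgrade openssl and ca-certificates on the host, which is a side effect worth stating in the README or avoiding by leaving the version unpinned with `present` only.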