does most of the job

2023-05-22 20:23:57 +02:00 · 2023-05-22 20:23:57 +02:00 · 273d12c942
commit 273d12c942
parent 26280ef8e5
11 changed files with 79 additions and 38 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,2 +1,5 @@
 ---
 # defaults file for import_vault_root_ca
+import_vault_root_ca_certificate_list:
+  - url: "https://openstack01.ednz.fr:8200/v1/ednz-root-ca/ca"
+    cert_name: "ednz_ca"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,2 +1,5 @@
 ---
 # handlers file for import_vault_root_ca
+- name: "Update the trust store"
+  ansible.builtin.command: update-ca-certificates
+  listen: "update-ca-certificates"
--- a/meta/main.yml
+++ b/meta/main.yml
@ -2,9 +2,9 @@
 # meta file for hashicorp_nomad
 galaxy_info:
  namespace: 'ednxzu'
-  role_name: 'hashicorp_nomad'
+  role_name: 'import_vault_root_ca'
  author: 'Bertrand Lanson'
-  description: 'Install and configure hashicorp nomad for debian-based distros.'
+  description: 'Imports root CA certificates from Vault to the trust store on debian-based distros.'
  license: 'license (BSD, MIT)'
  min_ansible_version: '2.10'
  platforms:
@ -18,7 +18,9 @@ galaxy_info:
  galaxy_tags:
    - 'ubuntu'
    - 'debian'
-    - 'hashicorp'
-    - 'nomad'
+    - 'vault'
+    - 'openssl'
+    - 'store'
+    - 'certificate'

 dependencies: []
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -20,7 +20,7 @@ provisioner:
    defaults:
      remote_tmp: /tmp/.ansible
 verifier:
-  name: testinfra
+  name: ansible
 scenario:
  name: default
  test_sequence:
--- a/molecule/default/tests/conftest.py
+++ b/molecule/default/tests/conftest.py
@ -1,22 +0,0 @@
-"""PyTest Fixtures."""
-
-import os
-
-import pytest
-
-
-def pytest_runtest_setup(item):
-    """Run tests only when under molecule with testinfra installed."""
-    try:
-        import testinfra
-    except ImportError:
-        pytest.skip("Test requires testinfra", allow_module_level=True)
-    if "MOLECULE_INVENTORY_FILE" in os.environ:
-        pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-            os.environ["MOLECULE_INVENTORY_FILE"],
-        ).get_hosts("all")
-    else:
-        pytest.skip(
-            "Test should run only from inside molecule.",
-            allow_module_level=True,
-        )
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@ -1,10 +0,0 @@
-"""Role testing files using testinfra."""
-
-
-def test_hosts_file(host):
-    """Validate /etc/hosts file."""
-    f = host.file("/etc/hosts")
-
-    assert f.exists
-    assert f.user == "root"
-    assert f.group == "root"
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Example assertion
+      ansible.builtin.assert:
+        that: true
--- a/tasks/import.yml
+++ b/tasks/import.yml
@ -0,0 +1,17 @@
+---
+# task/import file for import_vault_root_ca
+- name: "Download certificate file"
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    validate_certs: false
+    dest: "/tmp/{{ item.cert_name }}.tmp"
+    mode: '0600'
+  loop: "{{ import_vault_root_ca_certificate_list }}"
+
+- name: "Make sure certificate is in PEM format"
+  ansible.builtin.command:
+    cmd: "openssl x509 -in /tmp/{{ item.cert_name }}.tmp -out {{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt -outform pem"
+    creates: "{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt"
+  loop: "{{ import_vault_root_ca_certificate_list }}"
+  notify:
+    - update-ca-certificates
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1,7 @@
 ---
-# tasks file for import_vault_root_ca
+# task/main file for import_vault_root_ca
+- name: "Import prerequisites.yml"
+  ansible.builtin.include_tasks: prerequisites.yml
+
+- name: "Import import.yml"
+  ansible.builtin.include_tasks: import.yml
--- a/tasks/prerequisites.yml
+++ b/tasks/prerequisites.yml
@ -0,0 +1,23 @@
+---
+# task/prerequisites file for import_vault_root_ca
+- name: "Install required roles"
+  ansible.builtin.command:
+    cmd: "ansible-galaxy install {{ item }}"
+  loop: "{{ import_vault_root_ca_prerequisites_roles }}"
+  changed_when: false
+  delegate_to: localhost
+  run_once: true
+
+- name: "Install dependencies"
+  ansible.builtin.include_role:
+    name: ednxzu.manage_apt_packages
+  vars:
+    manage_apt_packages_list: "{{ import_vault_root_ca_packages }}"
+
+- name: "Create directory {{ import_vault_root_ca_cert_dir }}"
+  ansible.builtin.file:
+    path: "{{ import_vault_root_ca_cert_dir }}"
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: '0755'
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,2 +1,12 @@
 ---
 # vars file for import_vault_root_ca
+import_vault_root_ca_cert_dir: /usr/local/share/ca-certificates
+import_vault_root_ca_prerequisites_roles:
+  - ednxzu.manage_apt_packages
+import_vault_root_ca_packages:
+  - name: openssl
+    version: latest
+    state: present
+  - name: ca-certificates
+    version: latest
+    state: present