feat: add become, add vagrant tests, fix #1

This commit is contained in:
Bertrand Lanson 2023-12-01 22:52:48 +01:00
parent 263da6e7ab
commit 2ae5d8826d
11 changed files with 178 additions and 2 deletions


@ -3,4 +3,5 @@
- name: "Update the trust store"
ansible.builtin.command: update-ca-certificates
changed_when: false
become: true
listen: "update-ca-certificates"


@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
tasks:
- name: "Include ednxzu.import_vault_root_ca"
ansible.builtin.include_role:
name: "ednxzu.import_vault_root_ca"


@ -0,0 +1,35 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: vagrant
provider:
name: libvirt
platforms:
- name: instance
box: generic/${MOLECULE_TEST_OS}
cpus: 4
memory: 4096
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: default_vagrant
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy
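Review bot: `remote_tmp: /tmp/.ansible` relocates Ansible's module staging directory under a world-writable parent, with no comment saying why the default `~/.ansible/tmp` is not usable on these boxes; on a shared host that path can be pre-created by another local user, and on a throwaway Vagrant VM the reason should at least be recorded, e.g. `# remote_tmp under /tmp: generic/* boxes lack a writable home for the vagrant user when become is used` (confirm that is actually the motivation). Separately, `box: generic/${MOLECULE_TEST_OS}` has no fallback, so an unset variable silently produces the box name `generic/`; Molecule's interpolation accepts a default, `box: generic/${MOLECULE_TEST_OS:-debian12}`. The identical provisioner and platforms block is repeated in the with_custom_ca_vagrant molecule.yml later in this commit, so the same two points apply there.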


@ -0,0 +1,4 @@
---
# requirements file for molecule
roles:
- name: ednxzu.manage_apt_packages


@ -0,0 +1,27 @@
---
- name: Verify
hosts: all
gather_facts: true
tasks:
- name: "Test: directory /usr/local/share/ca-certificates"
block:
- name: "Stat directory /usr/local/share/ca-certificates"
ansible.builtin.stat:
path: "/usr/local/share/ca-certificates"
register: usr_local_share_ca_certificates
- name: "Find files in directory /usr/local/share/ca-certificates"
ansible.builtin.find:
paths: "/usr/local/share/ca-certificates"
file_type: file
register: usr_local_share_ca_certificates_ls
- name: "Verify directory /usr/local/share/ca-certificates"
ansible.builtin.assert:
that:
- usr_local_share_ca_certificates.stat.exists
- usr_local_share_ca_certificates.stat.isdir
- usr_local_share_ca_certificates.stat.pw_name == 'root'
- usr_local_share_ca_certificates.stat.gr_name == 'root'
- usr_local_share_ca_certificates.stat.mode == '0755'
- (usr_local_share_ca_certificates_ls.files|length) == 0


@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
tasks:
- name: "Include ednxzu.import_vault_root_ca"
ansible.builtin.include_role:
name: "ednxzu.import_vault_root_ca"


@ -0,0 +1,5 @@
---
import_vault_root_ca_certificate_force_download: false
import_vault_root_ca_certificate_list:
- url: "https://letsencrypt.org/certs/isrg-root-x2.pem"
cert_name: "isrg_root"


@ -0,0 +1,35 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: vagrant
provider:
name: libvirt
platforms:
- name: instance
box: generic/${MOLECULE_TEST_OS}
cpus: 4
memory: 4096
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: with_custom_ca_vagrant
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy


@ -0,0 +1,4 @@
---
# requirements file for molecule
roles:
- name: ednxzu.manage_apt_packages
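Review bot: This requirements file lists only the `ednxzu.manage_apt_packages` role, but the verify playbook in the same scenario (this appears to be the with_custom_ca_vagrant scenario, judging by file order) calls `community.crypto.x509_certificate_info`, which is not part of ansible-core. The galaxy dependency step will not install it, so verify depends on whatever collections happen to be present in the Molecule environment; add `collections:` with `- name: community.crypto` alongside `roles:`. The target also needs the Python `cryptography` package for that module, which the prepare stage would have to provide.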


@ -0,0 +1,52 @@
---
- name: Verify
hosts: all
gather_facts: true
tasks:
- name: "Test: directory /usr/local/share/ca-certificates"
block:
- name: "Stat directory /usr/local/share/ca-certificates"
ansible.builtin.stat:
path: "/usr/local/share/ca-certificates"
register: usr_local_share_ca_certificates
- name: "Find files in directory /usr/local/share/ca-certificates"
ansible.builtin.find:
paths: "/usr/local/share/ca-certificates"
file_type: file
register: usr_local_share_ca_certificates_ls
- name: "Verify directory /usr/local/share/ca-certificates"
ansible.builtin.assert:
that:
- usr_local_share_ca_certificates.stat.exists
- usr_local_share_ca_certificates.stat.isdir
- usr_local_share_ca_certificates.stat.pw_name == 'root'
- usr_local_share_ca_certificates.stat.gr_name == 'root'
- usr_local_share_ca_certificates.stat.mode == '0755'
- (usr_local_share_ca_certificates_ls.files|length) == 1
- (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt'
- name: "Test: certificate isrg_root.crt"
block:
- name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt"
ansible.builtin.stat:
path: "/usr/local/share/ca-certificates/isrg_root.crt"
register: isrg_root_file
- name: "Get certificate info"
community.crypto.x509_certificate_info:
path: "/usr/local/share/ca-certificates/isrg_root.crt"
register: isrg_root_pem
- name: "Verify certificate is readable"
ansible.builtin.assert:
that:
- isrg_root_file.stat.exists
- isrg_root_file.stat.isreg
- isrg_root_file.stat.pw_name == 'root'
- isrg_root_file.stat.gr_name == 'root'
- isrg_root_file.stat.mode == '0644'
- not isrg_root_pem.failed
- not isrg_root_pem.expired
- isrg_root_pem.issuer == isrg_root_pem.subject
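Review bot: The certificate assertions only check that the installed file is self-signed and unexpired, so the test passes for any self-signed certificate the role happens to fetch and install into the system trust store, which is exactly the failure this scenario should catch. Pin the identity of the expected certificate, at minimum `- isrg_root_pem.subject.commonName == 'ISRG Root X2'`, and ideally its `isrg_root_pem.fingerprints.sha256` against the published value (placeholder: `'<ISRG_ROOT_X2_SHA256>'`). `- not isrg_root_pem.failed` is redundant, since a failed x509_certificate_info task already aborts the block before the assert runs.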


@ -23,7 +23,6 @@
cmd: openssl x509 -inform {{ 'PEM' if item.rc == 0 else 'DER' }} -in {{ item.item.dest }} -out {{ import_vault_root_ca_cert_dir }}/{{ item.item.item.cert_name }}.crt -outform pem
creates: "{{ import_vault_root_ca_cert_dir }}/{{ item.item.item.cert_name }}.crt"
loop: "{{ cert_format_results.results }}"
become: true
notify:
- update-ca-certificates
# loop_control:
# loop_var: item
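Review bot: `item.item.item.cert_name` is interpolated unquoted into the `cmd:` line and into the `-out` path of a command that now runs with `become: true`, so a value containing whitespace would change the argument list and a value containing `/` or `..` would write outside `import_vault_root_ca_cert_dir`. ansible.builtin.command runs without a shell, so this is argument splitting and path escape rather than shell injection, but it is cheap to close with an `ansible.builtin.assert` before the loop, e.g. `- import_vault_root_ca_certificate_list | map(attribute='cert_name') | reject('match', '^[A-Za-z0-9._-]+$') | list | length == 0`. The task this hunk belongs to starts before the hunk, so the task name and any existing guards are not visible here.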