From 3685c9a69d6225e6355628761bb54b2148294481 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 24 May 2023 00:06:42 +0200 Subject: [PATCH] no idempotent yet --- handlers/main.yml | 1 + molecule/with_custom_ca/group_vars/all.yml | 4 +-- molecule/with_custom_ca/verify.yml | 34 ++++++++++++++++++++-- tasks/import.yml | 7 +++++ 4 files changed, 42 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c276b4a..c35ea85 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,4 +2,5 @@ # handlers file for import_vault_root_ca - name: "Update the trust store" ansible.builtin.command: update-ca-certificates + changed_when: false listen: "update-ca-certificates" diff --git a/molecule/with_custom_ca/group_vars/all.yml b/molecule/with_custom_ca/group_vars/all.yml index 6ff14db..a3f2470 100644 --- a/molecule/with_custom_ca/group_vars/all.yml +++ b/molecule/with_custom_ca/group_vars/all.yml @@ -1,4 +1,4 @@ --- import_vault_root_ca_certificate_list: - - url: "https://openstack01.ednz.fr:8200/v1/ednz-root-ca/ca" - cert_name: "ednz_ca" \ No newline at end of file + - url: "https://letsencrypt.org/certs/isrg-root-x2.pem" + cert_name: "isrg_root" diff --git a/molecule/with_custom_ca/verify.yml b/molecule/with_custom_ca/verify.yml index ee4599b..f5b9be4 100644 --- a/molecule/with_custom_ca/verify.yml +++ b/molecule/with_custom_ca/verify.yml @@ -12,7 +12,13 @@ path: "/usr/local/share/ca-certificates" register: usr_local_share_ca_certificates - - name: "Verify directory {{ import_vault_root_ca_cert_dir }}" + - name: "Find files in directory /usr/local/share/ca-certificates" + ansible.builtin.find: + paths: "/usr/local/share/ca-certificates" + file_type: file + register: usr_local_share_ca_certificates_ls + + - name: "Verify directory /usr/local/share/ca-certificates" ansible.builtin.assert: that: - usr_local_share_ca_certificates.stat.exists @@ -20,5 +26,29 @@ - usr_local_share_ca_certificates.stat.pw_name == 'root' - usr_local_share_ca_certificates.stat.gr_name == 'root' - usr_local_share_ca_certificates.stat.mode == '0755' + - (usr_local_share_ca_certificates_ls.files|length) == 1 + - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt' - - name: "Get certificate information" + - name: "Test: certificate isrg_root.crt" + block: + - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt" + ansible.builtin.stat: + path: "/usr/local/share/ca-certificates/isrg_root.crt" + register: isrg_root_file + + - name: "Get certificate info" + community.crypto.x509_certificate_info: + path: "/usr/local/share/ca-certificates/isrg_root.crt" + register: isrg_root_pem + + - name: "Verify certificate is readable" + ansible.builtin.assert: + that: + - isrg_root_file.stat.exists + - isrg_root_file.stat.isreg + - isrg_root_file.stat.pw_name == 'root' + - isrg_root_file.stat.gr_name == 'root' + - isrg_root_file.stat.mode == '0644' + - not isrg_root_pem.failed + - not isrg_root_pem.expired + - isrg_root_pem.issuer == isrg_root_pem.subject diff --git a/tasks/import.yml b/tasks/import.yml index 25710c3..ff49c2f 100644 --- a/tasks/import.yml +++ b/tasks/import.yml @@ -4,6 +4,7 @@ ansible.builtin.get_url: url: "{{ item.url }}" validate_certs: false + force: false dest: "/tmp/{{ item.cert_name }}.tmp" mode: '0600' loop: "{{ import_vault_root_ca_certificate_list }}" @@ -15,3 +16,9 @@ loop: "{{ import_vault_root_ca_certificate_list }}" notify: - update-ca-certificates + +- name: "Delete temporary certificate" + ansible.builtin.file: + path: "/tmp/{{ item.cert_name }}.tmp" + state: absent + loop: "{{ import_vault_root_ca_certificate_list }}"