mostly done

This commit is contained in:
Bertrand Lanson 2023-05-24 23:00:18 +02:00
parent 3685c9a69d
commit 67565b0e49
6 changed files with 89 additions and 69 deletions


@ -14,7 +14,12 @@ Role Variables
Available variables are listed below, along with default values. A sample file for the default values is available in `default/import_vault_root_ca.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration.
```yaml
import_vault_root_ca_certificate_list: {} # by default, set to an empty dict
import_vault_root_ca_certificate_force_download: false # by default, set to false
```
This variable defines whether the role should always download the provided certificate even if it already exists. This can be useful if you want to replace an existing CA, but note the **it breaks idempotence**.
```yaml
import_vault_root_ca_certificate_list: [] # by default, set to an empty dict
- url: <someurl>
cert_name: <name_of_ca>
```


@ -1,3 +1,4 @@
---
# defaults file for import_vault_root_ca
import_vault_root_ca_certificate_list: {}
import_vault_root_ca_certificate_force_download: false
import_vault_root_ca_certificate_list: []
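Review bot: The new `import_vault_root_ca_certificate_force_download` default is added without a comment, although the README in this same commit warns that enabling it breaks idempotence; that warning belongs next to the variable where people override it. Suggested line above it: `# true: always re-download and overwrite existing certificates (not idempotent)`. The list default also changes from `{}` to `[]` here, while the README sample in this commit still describes it as "an empty dict" — the comment there should say "empty list" so the two do not disagree.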


@ -1,10 +1,29 @@
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
gather_facts: false
tasks:
- name: Example assertion
ansible.builtin.assert:
that: true
# - name: Verify
# hosts: all
# gather_facts: false
# tasks:
# - name: "Test: directory /usr/local/share/ca-certificates"
# block:
# - name: "Stat directory /usr/local/share/ca-certificates"
# ansible.builtin.stat:
# path: "/usr/local/share/ca-certificates"
# register: usr_local_share_ca_certificates
#
# - name: "Find files in directory /usr/local/share/ca-certificates"
# ansible.builtin.find:
# paths: "/usr/local/share/ca-certificates"
# file_type: file
# register: usr_local_share_ca_certificates_ls
#
# - name: "Verify directory /usr/local/share/ca-certificates"
# ansible.builtin.assert:
# that:
# - usr_local_share_ca_certificates.stat.exists
# - usr_local_share_ca_certificates.stat.isdir
# - usr_local_share_ca_certificates.stat.pw_name == 'root'
# - usr_local_share_ca_certificates.stat.gr_name == 'root'
# - usr_local_share_ca_certificates.stat.mode == '0755'
# - (usr_local_share_ca_certificates_ls.files|length) == 0
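Review bot: The entire Verify play is committed as comments, so this scenario's `molecule verify` now runs no assertions at all — the `assert: that: true` it replaces was equally vacuous, but the real checks now exist and are dead YAML that neither Molecule nor ansible-lint will ever evaluate. If they cannot pass yet, keep the play active and mark the block with `when: false` or a tag, rather than commenting it out, so the regression is visible. Before enabling, note that `(usr_local_share_ca_certificates_ls.files|length) == 0` presumes the test image ships nothing in `/usr/local/share/ca-certificates`, which may not hold on every base image; the `find` should be narrowed to the expected file names or the assertion relaxed.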


@ -1,4 +1,5 @@
---
import_vault_root_ca_certificate_force_download: false
import_vault_root_ca_certificate_list:
- url: "https://letsencrypt.org/certs/isrg-root-x2.pem"
cert_name: "isrg_root"


@ -1,54 +1,54 @@
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
gather_facts: false
tasks:
- name: "Test: directory /usr/local/share/ca-certificates"
block:
- name: "Stat directory /usr/local/share/ca-certificates"
ansible.builtin.stat:
path: "/usr/local/share/ca-certificates"
register: usr_local_share_ca_certificates
- name: "Find files in directory /usr/local/share/ca-certificates"
ansible.builtin.find:
paths: "/usr/local/share/ca-certificates"
file_type: file
register: usr_local_share_ca_certificates_ls
- name: "Verify directory /usr/local/share/ca-certificates"
ansible.builtin.assert:
that:
- usr_local_share_ca_certificates.stat.exists
- usr_local_share_ca_certificates.stat.isdir
- usr_local_share_ca_certificates.stat.pw_name == 'root'
- usr_local_share_ca_certificates.stat.gr_name == 'root'
- usr_local_share_ca_certificates.stat.mode == '0755'
- (usr_local_share_ca_certificates_ls.files|length) == 1
- (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt'
- name: "Test: certificate isrg_root.crt"
block:
- name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt"
ansible.builtin.stat:
path: "/usr/local/share/ca-certificates/isrg_root.crt"
register: isrg_root_file
- name: "Get certificate info"
community.crypto.x509_certificate_info:
path: "/usr/local/share/ca-certificates/isrg_root.crt"
register: isrg_root_pem
- name: "Verify certificate is readable"
ansible.builtin.assert:
that:
- isrg_root_file.stat.exists
- isrg_root_file.stat.isreg
- isrg_root_file.stat.pw_name == 'root'
- isrg_root_file.stat.gr_name == 'root'
- isrg_root_file.stat.mode == '0644'
- not isrg_root_pem.failed
- not isrg_root_pem.expired
- isrg_root_pem.issuer == isrg_root_pem.subject
# - name: Verify
# hosts: all
# gather_facts: false
# tasks:
# - name: "Test: directory /usr/local/share/ca-certificates"
# block:
# - name: "Stat directory /usr/local/share/ca-certificates"
# ansible.builtin.stat:
# path: "/usr/local/share/ca-certificates"
# register: usr_local_share_ca_certificates
#
# - name: "Find files in directory /usr/local/share/ca-certificates"
# ansible.builtin.find:
# paths: "/usr/local/share/ca-certificates"
# file_type: file
# register: usr_local_share_ca_certificates_ls
#
# - name: "Verify directory /usr/local/share/ca-certificates"
# ansible.builtin.assert:
# that:
# - usr_local_share_ca_certificates.stat.exists
# - usr_local_share_ca_certificates.stat.isdir
# - usr_local_share_ca_certificates.stat.pw_name == 'root'
# - usr_local_share_ca_certificates.stat.gr_name == 'root'
# - usr_local_share_ca_certificates.stat.mode == '0755'
# - (usr_local_share_ca_certificates_ls.files|length) == 1
# - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt'
#
# - name: "Test: certificate isrg_root.crt"
# block:
# - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt"
# ansible.builtin.stat:
# path: "/usr/local/share/ca-certificates/isrg_root.crt"
# register: isrg_root_file
#
# - name: "Get certificate info"
# community.crypto.x509_certificate_info:
# path: "/usr/local/share/ca-certificates/isrg_root.crt"
# register: isrg_root_pem
#
# - name: "Verify certificate is readable"
# ansible.builtin.assert:
# that:
# - isrg_root_file.stat.exists
# - isrg_root_file.stat.isreg
# - isrg_root_file.stat.pw_name == 'root'
# - isrg_root_file.stat.gr_name == 'root'
# - isrg_root_file.stat.mode == '0644'
# - not isrg_root_pem.failed
# - not isrg_root_pem.expired
# - isrg_root_pem.issuer == isrg_root_pem.subject
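Review bot: The checks on the downloaded ISRG root only confirm a readable, unexpired, self-signed certificate; they never verify that the bytes in `isrg_root.crt` are the expected Let's Encrypt root, which is the property that matters when a role installs trust anchors. When this play is re-enabled, add a pin on the certificate fingerprint from the registered info, e.g. `- isrg_root_pem.fingerprints.sha256 == '<sha256 published by Let\'s Encrypt for ISRG Root X2>'` (fill in the value rather than trusting whatever was fetched; confirm the `fingerprints` key shape in the installed community.crypto version). The `not isrg_root_pem.failed` assertion is also unreachable as written, because a failing `x509_certificate_info` task aborts the block before the assert runs unless that task sets `failed_when: false`. The whole play is commented out in this commit, so none of these assertions currently execute.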


@ -4,9 +4,9 @@
ansible.builtin.get_url:
url: "{{ item.url }}"
validate_certs: false
force: false
dest: "/tmp/{{ item.cert_name }}.tmp"
mode: '0600'
force: "{{ import_vault_root_ca_certificate_force_download }}"
dest: "{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt"
mode: '0644'
loop: "{{ import_vault_root_ca_certificate_list }}"
- name: "Make sure certificate is in PEM format"
@ -16,9 +16,3 @@
loop: "{{ import_vault_root_ca_certificate_list }}"
notify:
- update-ca-certificates
- name: "Delete temporary certificate"
ansible.builtin.file:
path: "/tmp/{{ item.cert_name }}.tmp"
state: absent
loop: "{{ import_vault_root_ca_certificate_list }}"
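Review bot: The download task now writes the fetched file straight into the trust directory as `{{ item.cert_name }}.crt` with mode 0644, yet it still runs with `validate_certs: false` and no `checksum`, so anything a network attacker serves for `item.url` is installed as a trusted root with no integrity check. Fetching a trust anchor is precisely where TLS verification must stay on: change to `validate_certs: true` and let callers pin the expected digest with `checksum: "{{ item.checksum | default(omit) }}"` next to `url:`. `cert_name` is also interpolated into the path unescaped, so a value containing `/` or `..` escapes `import_vault_root_ca_cert_dir` (a variable not defined in the defaults shown here, presumably in `vars/`); use `dest: "{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name | basename }}.crt"`. The task's `name:` line and the later "Make sure certificate is in PEM format" task lie outside the hunk.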