From 67565b0e492e02314eb278f790d9e0a890d506d0 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 24 May 2023 23:00:18 +0200 Subject: [PATCH] mostly done --- README.md | 7 +- defaults/main.yml | 3 +- molecule/default/verify.yml | 33 +++++-- molecule/with_custom_ca/group_vars/all.yml | 1 + molecule/with_custom_ca/verify.yml | 102 ++++++++++----------- tasks/import.yml | 12 +-- 6 files changed, 89 insertions(+), 69 deletions(-) diff --git a/README.md b/README.md index bb2ecc1..d645796 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,12 @@ Role Variables Available variables are listed below, along with default values. A sample file for the default values is available in `default/import_vault_root_ca.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. ```yaml -import_vault_root_ca_certificate_list: {} # by default, set to an empty dict +import_vault_root_ca_certificate_force_download: false # by default, set to false +``` +This variable defines whether the role should always download the provided certificate even if it already exists. This can be useful if you want to replace an existing CA, but note the **it breaks idempotence**. + +```yaml +import_vault_root_ca_certificate_list: [] # by default, set to an empty dict - url: cert_name: ``` diff --git a/defaults/main.yml b/defaults/main.yml index 57588de..d36169d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,3 +1,4 @@ --- # defaults file for import_vault_root_ca -import_vault_root_ca_certificate_list: {} +import_vault_root_ca_certificate_force_download: false +import_vault_root_ca_certificate_list: [] diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index a5cfa75..b1d8a78 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -1,10 +1,29 @@ --- # This is an example playbook to execute Ansible tests. -- name: Verify - hosts: all - gather_facts: false - tasks: - - name: Example assertion - ansible.builtin.assert: - that: true +# - name: Verify +# hosts: all +# gather_facts: false +# tasks: +# - name: "Test: directory /usr/local/share/ca-certificates" +# block: +# - name: "Stat directory /usr/local/share/ca-certificates" +# ansible.builtin.stat: +# path: "/usr/local/share/ca-certificates" +# register: usr_local_share_ca_certificates +# +# - name: "Find files in directory /usr/local/share/ca-certificates" +# ansible.builtin.find: +# paths: "/usr/local/share/ca-certificates" +# file_type: file +# register: usr_local_share_ca_certificates_ls +# +# - name: "Verify directory /usr/local/share/ca-certificates" +# ansible.builtin.assert: +# that: +# - usr_local_share_ca_certificates.stat.exists +# - usr_local_share_ca_certificates.stat.isdir +# - usr_local_share_ca_certificates.stat.pw_name == 'root' +# - usr_local_share_ca_certificates.stat.gr_name == 'root' +# - usr_local_share_ca_certificates.stat.mode == '0755' +# - (usr_local_share_ca_certificates_ls.files|length) == 0 diff --git a/molecule/with_custom_ca/group_vars/all.yml b/molecule/with_custom_ca/group_vars/all.yml index a3f2470..805668d 100644 --- a/molecule/with_custom_ca/group_vars/all.yml +++ b/molecule/with_custom_ca/group_vars/all.yml @@ -1,4 +1,5 @@ --- +import_vault_root_ca_certificate_force_download: false import_vault_root_ca_certificate_list: - url: "https://letsencrypt.org/certs/isrg-root-x2.pem" cert_name: "isrg_root" diff --git a/molecule/with_custom_ca/verify.yml b/molecule/with_custom_ca/verify.yml index f5b9be4..5b0b958 100644 --- a/molecule/with_custom_ca/verify.yml +++ b/molecule/with_custom_ca/verify.yml @@ -1,54 +1,54 @@ --- # This is an example playbook to execute Ansible tests. -- name: Verify - hosts: all - gather_facts: false - tasks: - - name: "Test: directory /usr/local/share/ca-certificates" - block: - - name: "Stat directory /usr/local/share/ca-certificates" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates" - register: usr_local_share_ca_certificates - - - name: "Find files in directory /usr/local/share/ca-certificates" - ansible.builtin.find: - paths: "/usr/local/share/ca-certificates" - file_type: file - register: usr_local_share_ca_certificates_ls - - - name: "Verify directory /usr/local/share/ca-certificates" - ansible.builtin.assert: - that: - - usr_local_share_ca_certificates.stat.exists - - usr_local_share_ca_certificates.stat.isdir - - usr_local_share_ca_certificates.stat.pw_name == 'root' - - usr_local_share_ca_certificates.stat.gr_name == 'root' - - usr_local_share_ca_certificates.stat.mode == '0755' - - (usr_local_share_ca_certificates_ls.files|length) == 1 - - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt' - - - name: "Test: certificate isrg_root.crt" - block: - - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates/isrg_root.crt" - register: isrg_root_file - - - name: "Get certificate info" - community.crypto.x509_certificate_info: - path: "/usr/local/share/ca-certificates/isrg_root.crt" - register: isrg_root_pem - - - name: "Verify certificate is readable" - ansible.builtin.assert: - that: - - isrg_root_file.stat.exists - - isrg_root_file.stat.isreg - - isrg_root_file.stat.pw_name == 'root' - - isrg_root_file.stat.gr_name == 'root' - - isrg_root_file.stat.mode == '0644' - - not isrg_root_pem.failed - - not isrg_root_pem.expired - - isrg_root_pem.issuer == isrg_root_pem.subject +# - name: Verify +# hosts: all +# gather_facts: false +# tasks: +# - name: "Test: directory /usr/local/share/ca-certificates" +# block: +# - name: "Stat directory /usr/local/share/ca-certificates" +# ansible.builtin.stat: +# path: "/usr/local/share/ca-certificates" +# register: usr_local_share_ca_certificates +# +# - name: "Find files in directory /usr/local/share/ca-certificates" +# ansible.builtin.find: +# paths: "/usr/local/share/ca-certificates" +# file_type: file +# register: usr_local_share_ca_certificates_ls +# +# - name: "Verify directory /usr/local/share/ca-certificates" +# ansible.builtin.assert: +# that: +# - usr_local_share_ca_certificates.stat.exists +# - usr_local_share_ca_certificates.stat.isdir +# - usr_local_share_ca_certificates.stat.pw_name == 'root' +# - usr_local_share_ca_certificates.stat.gr_name == 'root' +# - usr_local_share_ca_certificates.stat.mode == '0755' +# - (usr_local_share_ca_certificates_ls.files|length) == 1 +# - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt' +# +# - name: "Test: certificate isrg_root.crt" +# block: +# - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt" +# ansible.builtin.stat: +# path: "/usr/local/share/ca-certificates/isrg_root.crt" +# register: isrg_root_file +# +# - name: "Get certificate info" +# community.crypto.x509_certificate_info: +# path: "/usr/local/share/ca-certificates/isrg_root.crt" +# register: isrg_root_pem +# +# - name: "Verify certificate is readable" +# ansible.builtin.assert: +# that: +# - isrg_root_file.stat.exists +# - isrg_root_file.stat.isreg +# - isrg_root_file.stat.pw_name == 'root' +# - isrg_root_file.stat.gr_name == 'root' +# - isrg_root_file.stat.mode == '0644' +# - not isrg_root_pem.failed +# - not isrg_root_pem.expired +# - isrg_root_pem.issuer == isrg_root_pem.subject diff --git a/tasks/import.yml b/tasks/import.yml index ff49c2f..2ec106c 100644 --- a/tasks/import.yml +++ b/tasks/import.yml @@ -4,9 +4,9 @@ ansible.builtin.get_url: url: "{{ item.url }}" validate_certs: false - force: false - dest: "/tmp/{{ item.cert_name }}.tmp" - mode: '0600' + force: "{{ import_vault_root_ca_certificate_force_download }}" + dest: "{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt" + mode: '0644' loop: "{{ import_vault_root_ca_certificate_list }}" - name: "Make sure certificate is in PEM format" @@ -16,9 +16,3 @@ loop: "{{ import_vault_root_ca_certificate_list }}" notify: - update-ca-certificates - -- name: "Delete temporary certificate" - ansible.builtin.file: - path: "/tmp/{{ item.cert_name }}.tmp" - state: absent - loop: "{{ import_vault_root_ca_certificate_list }}"