mostly done

Bertrand Lanson 2023-05-24 23:00:18 +02:00
parent 3685c9a69d
commit 67565b0e49
6 changed files with 89 additions and 69 deletions


@ -14,7 +14,12 @@ Role Variables
Available variables are listed below, along with default values. A sample file for the default values is available in `default/import_vault_root_ca.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. Available variables are listed below, along with default values. A sample file for the default values is available in `default/import_vault_root_ca.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration.
```yaml ```yaml
import_vault_root_ca_certificate_list: {} # by default, set to an empty dict import_vault_root_ca_certificate_force_download: false # by default, set to false
```
This variable defines whether the role should always download the provided certificate even if it already exists. This can be useful if you want to replace an existing CA, but note the **it breaks idempotence**.
```yaml
import_vault_root_ca_certificate_list: [] # by default, set to an empty dict
- url: <someurl> - url: <someurl>
cert_name: <name_of_ca> cert_name: <name_of_ca>
``` ```


@ -1,3 +1,4 @@
--- ---
# defaults file for import_vault_root_ca # defaults file for import_vault_root_ca
import_vault_root_ca_certificate_list: {} import_vault_root_ca_certificate_force_download: false
import_vault_root_ca_certificate_list: []


@ -1,10 +1,29 @@
--- ---
# This is an example playbook to execute Ansible tests. # This is an example playbook to execute Ansible tests.
- name: Verify # - name: Verify
hosts: all # hosts: all
gather_facts: false # gather_facts: false
tasks: # tasks:
- name: Example assertion # - name: "Test: directory /usr/local/share/ca-certificates"
ansible.builtin.assert: # block:
that: true # - name: "Stat directory /usr/local/share/ca-certificates"
# ansible.builtin.stat:
# path: "/usr/local/share/ca-certificates"
# register: usr_local_share_ca_certificates
#
# - name: "Find files in directory /usr/local/share/ca-certificates"
# ansible.builtin.find:
# paths: "/usr/local/share/ca-certificates"
# file_type: file
# register: usr_local_share_ca_certificates_ls
#
# - name: "Verify directory /usr/local/share/ca-certificates"
# ansible.builtin.assert:
# that:
# - usr_local_share_ca_certificates.stat.exists
# - usr_local_share_ca_certificates.stat.isdir
# - usr_local_share_ca_certificates.stat.pw_name == 'root'
# - usr_local_share_ca_certificates.stat.gr_name == 'root'
# - usr_local_share_ca_certificates.stat.mode == '0755'
# - (usr_local_share_ca_certificates_ls.files|length) == 0
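Review bot: The entire Verify play in this molecule scenario is now commented out, so `molecule verify` no longer checks `/usr/local/share/ca-certificates` at all — the root ownership, `0755` mode and "directory is empty when the list is empty" assertions that guarded the trust-anchor directory were disabled rather than fixed. A playbook that contains only `---` and comments has no plays; depending on the ansible-core version that is an "Empty playbook" error or a silent no-op, and in the latter case the scenario reports success without exercising the role. If these assertions started failing because of the new task layout, the failing one should be corrected in place (or gated with `when:`) and the rest re-enabled. At minimum a `# TODO: re-enable — disabled because <reason>` comment at the top would let a reviewer distinguish a pending fix from a forgotten one.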


@ -1,4 +1,5 @@
--- ---
import_vault_root_ca_certificate_force_download: false
import_vault_root_ca_certificate_list: import_vault_root_ca_certificate_list:
- url: "https://letsencrypt.org/certs/isrg-root-x2.pem" - url: "https://letsencrypt.org/certs/isrg-root-x2.pem"
cert_name: "isrg_root" cert_name: "isrg_root"


@ -1,54 +1,54 @@
--- ---
# This is an example playbook to execute Ansible tests. # This is an example playbook to execute Ansible tests.
- name: Verify # - name: Verify
hosts: all # hosts: all
gather_facts: false # gather_facts: false
tasks: # tasks:
- name: "Test: directory /usr/local/share/ca-certificates" # - name: "Test: directory /usr/local/share/ca-certificates"
block: # block:
- name: "Stat directory /usr/local/share/ca-certificates" # - name: "Stat directory /usr/local/share/ca-certificates"
ansible.builtin.stat: # ansible.builtin.stat:
path: "/usr/local/share/ca-certificates" # path: "/usr/local/share/ca-certificates"
register: usr_local_share_ca_certificates # register: usr_local_share_ca_certificates
#
- name: "Find files in directory /usr/local/share/ca-certificates" # - name: "Find files in directory /usr/local/share/ca-certificates"
ansible.builtin.find: # ansible.builtin.find:
paths: "/usr/local/share/ca-certificates" # paths: "/usr/local/share/ca-certificates"
file_type: file # file_type: file
register: usr_local_share_ca_certificates_ls # register: usr_local_share_ca_certificates_ls
#
- name: "Verify directory /usr/local/share/ca-certificates" # - name: "Verify directory /usr/local/share/ca-certificates"
ansible.builtin.assert: # ansible.builtin.assert:
that: # that:
- usr_local_share_ca_certificates.stat.exists # - usr_local_share_ca_certificates.stat.exists
- usr_local_share_ca_certificates.stat.isdir # - usr_local_share_ca_certificates.stat.isdir
- usr_local_share_ca_certificates.stat.pw_name == 'root' # - usr_local_share_ca_certificates.stat.pw_name == 'root'
- usr_local_share_ca_certificates.stat.gr_name == 'root' # - usr_local_share_ca_certificates.stat.gr_name == 'root'
- usr_local_share_ca_certificates.stat.mode == '0755' # - usr_local_share_ca_certificates.stat.mode == '0755'
- (usr_local_share_ca_certificates_ls.files|length) == 1 # - (usr_local_share_ca_certificates_ls.files|length) == 1
- (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt' # - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt'
#
- name: "Test: certificate isrg_root.crt" # - name: "Test: certificate isrg_root.crt"
block: # block:
- name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt" # - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt"
ansible.builtin.stat: # ansible.builtin.stat:
path: "/usr/local/share/ca-certificates/isrg_root.crt" # path: "/usr/local/share/ca-certificates/isrg_root.crt"
register: isrg_root_file # register: isrg_root_file
#
- name: "Get certificate info" # - name: "Get certificate info"
community.crypto.x509_certificate_info: # community.crypto.x509_certificate_info:
path: "/usr/local/share/ca-certificates/isrg_root.crt" # path: "/usr/local/share/ca-certificates/isrg_root.crt"
register: isrg_root_pem # register: isrg_root_pem
#
- name: "Verify certificate is readable" # - name: "Verify certificate is readable"
ansible.builtin.assert: # ansible.builtin.assert:
that: # that:
- isrg_root_file.stat.exists # - isrg_root_file.stat.exists
- isrg_root_file.stat.isreg # - isrg_root_file.stat.isreg
- isrg_root_file.stat.pw_name == 'root' # - isrg_root_file.stat.pw_name == 'root'
- isrg_root_file.stat.gr_name == 'root' # - isrg_root_file.stat.gr_name == 'root'
- isrg_root_file.stat.mode == '0644' # - isrg_root_file.stat.mode == '0644'
- not isrg_root_pem.failed # - not isrg_root_pem.failed
- not isrg_root_pem.expired # - not isrg_root_pem.expired
- isrg_root_pem.issuer == isrg_root_pem.subject # - isrg_root_pem.issuer == isrg_root_pem.subject


@ -4,9 +4,9 @@
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ item.url }}" url: "{{ item.url }}"
validate_certs: false validate_certs: false
force: false force: "{{ import_vault_root_ca_certificate_force_download }}"
dest: "/tmp/{{ item.cert_name }}.tmp" dest: "{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt"
mode: '0600' mode: '0644'
loop: "{{ import_vault_root_ca_certificate_list }}" loop: "{{ import_vault_root_ca_certificate_list }}"
- name: "Make sure certificate is in PEM format" - name: "Make sure certificate is in PEM format"
@ -16,9 +16,3 @@
loop: "{{ import_vault_root_ca_certificate_list }}" loop: "{{ import_vault_root_ca_certificate_list }}"
notify: notify:
- update-ca-certificates - update-ca-certificates
- name: "Delete temporary certificate"
ansible.builtin.file:
path: "/tmp/{{ item.cert_name }}.tmp"
state: absent
loop: "{{ import_vault_root_ca_certificate_list }}"
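Review bot: The `get_url` task still runs with `validate_certs: false` and no `checksum`, and the new `dest` now writes the fetched bytes straight into `{{ import_vault_root_ca_cert_dir }}/{{ item.cert_name }}.crt` — the directory that the `update-ca-certificates` handler turns into system trust anchors — so anyone able to intercept the HTTPS fetch of `item.url` can install their own CA on every managed host. Drop `validate_certs: false` (the module default is `true`) and let each list entry pin its content, e.g. `checksum: "{{ item.checksum | default(omit) }}"`, so that `import_vault_root_ca_certificate_list` items can carry `checksum: "sha256:…"`; if the Vault endpoint genuinely serves a certificate the controller cannot yet validate, make that a per-item opt-in rather than the hard-coded default. `import_vault_root_ca_cert_dir` is not defined in the defaults file this commit touches, so it presumably comes from `vars/`; worth confirming it is set before the task runs. The "Make sure certificate is in PEM format" task that follows begins inside the hunk but runs past it, so I cannot see whether a DER download is converted in place before the handler fires.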