diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml new file mode 100644 index 0000000..77b20fa --- /dev/null +++ b/.gitea/workflows/test.yml @@ -0,0 +1,52 @@ +--- +name: test +on: [push] + +jobs: + lint: + name: Linting + runs-on: ubuntu-latest + container: + image: git.ednz.fr/container-factory/ansible-runner:act-latest + credentials: + username: ${{ secrets.ACTIONS_USER }} + password: ${{ secrets.ACTIONS_TOKEN }} + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: "Ansible lint" + run: ansible-lint --force-color + working-directory: ${{ gitea.workspace }} + + - name: "YAML lint" + run: yamllint . -f colored -c .yamllint + working-directory: ${{ gitea.workspace }} + + molecule-test: + name: Molecule tests + runs-on: ubuntu-latest + needs: lint + container: + image: git.ednz.fr/container-factory/ansible-runner:act-latest + credentials: + username: ${{ secrets.ACTIONS_USER }} + password: ${{ secrets.ACTIONS_TOKEN }} + strategy: + matrix: + test_os: [debian11, debian12, ubuntu2004, ubuntu2204] + scenario: [default, with_custom_config] + env: + ANSIBLE_HOST_KEY_CHECKING: 'false' + ANSIBLE_FORCE_COLOR: 'true' + ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3 + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: "Molecule test" + run: molecule test -s ${{ matrix.scenario }} + shell: bash + working-directory: ${{ gitea.workspace }} + env: + MOLECULE_TEST_OS: ${{ matrix.test_os }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 468a01d..0000000 --- a/.gitlab-ci.yml +++ /dev/null 
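Review bot: `uses: actions/checkout@v3` in both the `lint` and `molecule-test` jobs references a mutable tag, so the action code that runs alongside the registry credentials taken from `secrets.ACTIONS_USER` / `secrets.ACTIONS_TOKEN` can change without any edit to this repository; pin each use to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<commit-sha-of-v3> # v3`. The molecule job also sets `ANSIBLE_HOST_KEY_CHECKING: 'false'` at job level; if that is only needed because the molecule instances are throwaway containers (which is what the matrix suggests, but the hunk does not say), a one-line comment such as `# molecule instances are ephemeral containers with fresh host keys` would keep a later reader from copying the setting into a real inventory. Consider also quoting `ANSIBLE_PYTHON_INTERPRETER: "/usr/bin/python3"` so all three env values are consistently strings.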
@@ -1,82 +0,0 @@ ---- -stages: - - verify - - test-default - - test-with-custom-config - -image: - name: registry.ednz.fr/forge/ansible-runner - -variables: - ANSIBLE_HOST_KEY_CHECKING: 'false' - ANSIBLE_FORCE_COLOR: 'true' - ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3 - DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG - -.stage-test-default: - stage: test-default - -.stage-test-with-custom-config: - stage: test-with-custom-config - -.variables-ubuntu-2004: - variables: - MOLECULE_TEST_OS: "ubuntu2004" - -.variables-ubuntu-2204: - variables: - MOLECULE_TEST_OS: "ubuntu2204" - -.variables-debian-11: - variables: - MOLECULE_TEST_OS: "debian11" - -.script-molecule-test-default: - script: - - molecule test - -.script-molecule-test-with-custom-config: - script: - - molecule test -s with_custom_config - -ansible-verify: - stage: verify - script: - - yamllint . -c .yamllint - - ansible-lint - -ansible-test-ubuntu-2004-default: - extends: - - .stage-test-default - - .variables-ubuntu-2004 - - .script-molecule-test-default - -ansible-test-ubuntu-2204-default: - extends: - - .stage-test-default - - .variables-ubuntu-2204 - - .script-molecule-test-default - -ansible-test-debian-11-default: - extends: - - .stage-test-default - - .variables-debian-11 - - .script-molecule-test-default - -ansible-test-ubuntu-2004-with-custom-config: - extends: - - .stage-test-with-custom-config - - .variables-ubuntu-2004 - - .script-molecule-test-with-custom-config - -ansible-test-ubuntu-2204-with-custom-config: - extends: - - .stage-test-with-custom-config - - .variables-ubuntu-2204 - - .script-molecule-test-with-custom-config - -ansible-test-debian-11-with-custom-config: - extends: - - .stage-test-with-custom-config - - .variables-debian-11 - - .script-molecule-test-with-custom-config diff --git a/LICENSE b/LICENSE index 9ef042d..c9a37e5 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2017 Jeff Geerling +Copyright (c) 2017 Bertrand Lanson Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in diff --git a/README.md b/README.md index 4f25129..2873848 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -Renew consul certificates +renew_consul_certificates ========= > This repository is only a mirror. Development and testing is done on a private gitlab server. diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7a62eb2..49efc7f 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -20,7 +20,7 @@ provisioner: defaults: remote_tmp: /tmp/.ansible verifier: - name: testinfra + name: ansible scenario: name: default test_sequence: diff --git a/molecule/default/tests/conftest.py b/molecule/default/tests/conftest.py deleted file mode 100644 index a11928c..0000000 --- a/molecule/default/tests/conftest.py +++ /dev/null @@ -1,22 +0,0 @@ -"""PyTest Fixtures.""" - -import os - -import pytest - - -def pytest_runtest_setup(item): - """Run tests only when under molecule with testinfra installed.""" - try: - import testinfra - except ImportError: - pytest.skip("Test requires testinfra", allow_module_level=True) - if "MOLECULE_INVENTORY_FILE" in os.environ: - pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ["MOLECULE_INVENTORY_FILE"], - ).get_hosts("all") - else: - pytest.skip( - "Test should run only from inside molecule.", - allow_module_level=True, - ) diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py deleted file mode 100644 index ea4948e..0000000 --- a/molecule/default/tests/test_default.py +++ /dev/null 
@@ -1,50 +0,0 @@ -"""Role testing files using testinfra.""" - - -def test_hosts_file(host): - """Validate /etc/hosts file.""" - etc_hosts = host.file("/etc/hosts") - assert etc_hosts.exists - assert etc_hosts.user == "root" - assert etc_hosts.group == "root" - -def test_consul_template_config(host): - """Validate /etc/consul-template.d/consul/ files.""" - etc_consul_template_d_consul_config_hcl = host.file("/etc/consul-template.d/consul/consul_config.hcl") - assert etc_consul_template_d_consul_config_hcl.exists - assert etc_consul_template_d_consul_config_hcl.user == "consul" - assert etc_consul_template_d_consul_config_hcl.group == "consul" - assert etc_consul_template_d_consul_config_hcl.mode == 0o600 - -def test_template_files(host): - """Validate /etc/consul-template.d/consul/templates/ files.""" - consul_ca_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_ca.pem.tpl") - consul_cert_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_cert.pem.tpl") - consul_key_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_key.pem.tpl") - for file in consul_cert_pem_tpl, consul_key_pem_tpl: - assert file.exists - assert file.user == "consul" - assert file.group == "consul" - assert file.mode == 0o600 - assert consul_ca_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' - assert consul_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' - assert consul_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' - -def test_consul_certs_service_file(host): - """Validate 
consul-certs service file.""" - etc_systemd_system_consul_certs_service = host.file("/etc/systemd/system/consul-certs.service") - assert etc_systemd_system_consul_certs_service.exists - assert etc_systemd_system_consul_certs_service.user == "root" - assert etc_systemd_system_consul_certs_service.group == "root" - assert etc_systemd_system_consul_certs_service.mode == 0o644 - assert etc_systemd_system_consul_certs_service.content_string != "" - -def test_consul_certs_service(host): - """Validate consul-certs service.""" - consul_certs_service = host.service("consul-certs.service") - assert consul_certs_service.is_enabled - assert not consul_certs_service.is_running - assert consul_certs_service.systemd_properties["Restart"] == "on-failure" - assert consul_certs_service.systemd_properties["User"] == "consul" - assert consul_certs_service.systemd_properties["Group"] == "consul" - assert consul_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/consul-certs.service" diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..f443c6c --- /dev/null +++ b/molecule/default/verify.yml 
@@ -0,0 +1,154 @@ +--- +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == 'root' + + - name: "Test: directory /etc/consul-template.d/consul" + block: + - name: "Stat directory /etc/consul-template.d/consul" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul" + register: stat_etc_consul_template_d_nomad + + - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/consul_config.hcl" + register: stat_etc_consul_template_d_nomad_nomad_config_hcl + + - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/consul/consul_config.hcl" + register: slurp_etc_consul_template_d_consul_consul_config_hcl + + - name: "Verify directory /etc/consul-template.d/consul" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_nomad.stat.exists + - stat_etc_consul_template_d_nomad.stat.isdir + - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.mode == '0755' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_consul_consul_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/consul/templates" + 
block: + - name: "Stat directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/templates" + register: stat_etc_consul_template_d_consul_templates + + - name: "Find in directory /etc/consul-template.d/consul/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/consul/templates" + file_type: file + register: find_etc_consul_template_d_consul_templates + + - name: "Stat in directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: stat_etc_consul_template_d_consul_templates + + - name: "Slurp in directory /etc/consul-template.d/consul/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: slurp_etc_consul_template_d_nomad_templates + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" + vars: + consul_ca_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_ca_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_ca.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl" + vars: + consul_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - 
item.item.mode == '0600' + - "(item.content|b64decode) == consul_cert_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl" + vars: + consul_key_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_key_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_key.pem.tpl' + + - name: "Test: service consul-certs" + block: + - name: "Get service consul-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/consul-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/consul-certs.service" + register: stat_etc_systemd_system_consul_certs_service + + - name: "Slurp file /etc/systemd/system/consul-certs.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/consul-certs.service" + register: slurp_etc_systemd_system_consul_certs_service + + - name: "Verify service nomad" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_consul_certs_service.stat.exists + - stat_etc_systemd_system_consul_certs_service.stat.isreg + - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_consul_certs_service.content != '' + - ansible_facts.services['consul-certs.service'] is defined + - ansible_facts.services['consul-certs.service']['source'] == 'systemd' + - 
ansible_facts.services['consul-certs.service']['state'] == 'stopped' + - ansible_facts.services['consul-certs.service']['status'] == 'enabled' diff --git a/molecule/with_custom_config/molecule.yml b/molecule/with_custom_config/molecule.yml index 6132acb..4df62e9 100644 --- a/molecule/with_custom_config/molecule.yml +++ b/molecule/with_custom_config/molecule.yml @@ -20,7 +20,7 @@ provisioner: defaults: remote_tmp: /tmp/.ansible verifier: - name: testinfra + name: ansible scenario: name: with_custom_config test_sequence: diff --git a/molecule/with_custom_config/tests/conftest.py b/molecule/with_custom_config/tests/conftest.py deleted file mode 100644 index f7ddb3f..0000000 --- a/molecule/with_custom_config/tests/conftest.py +++ /dev/null @@ -1,22 +0,0 @@ -"""PyTest Fixtures.""" -from __future__ import absolute_import - -import os - -import pytest - - -def pytest_runtest_setup(item): - """Run tests only when under molecule with testinfra installed.""" - try: - import testinfra - except ImportError: - pytest.skip("Test requires testinfra", allow_module_level=True) - if "MOLECULE_INVENTORY_FILE" in os.environ: - pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ["MOLECULE_INVENTORY_FILE"] - ).get_hosts("all") - else: - pytest.skip( - "Test should run only from inside molecule.", allow_module_level=True - ) diff --git a/molecule/with_custom_config/tests/test_default.py b/molecule/with_custom_config/tests/test_default.py deleted file mode 100644 index c411ac2..0000000 --- a/molecule/with_custom_config/tests/test_default.py +++ /dev/null 
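Review bot: The three "Verify file /etc/consul-template.d/consul/templates/*.pem.tpl" tasks only assert on entries that `find` returned and are then filtered by `when: (item.item.path | basename) == '...'`, so if one of the template files is missing every loop item is skipped and verify passes; the deleted testinfra test asserted `file.exists` for the cert and key templates, and that check is lost in this rewrite. Add an explicit presence assertion right after the find task, shown below, so a missing `consul_ca.pem.tpl`, `consul_cert.pem.tpl` or `consul_key.pem.tpl` fails the scenario instead of being silently skipped; the same gap exists in `molecule/with_custom_config/verify.yml`. Separately, the `stat_etc_consul_template_d_consul_templates` loop register is never read (the asserts use the find entries through `item.item`), and the register names `stat_etc_consul_template_d_nomad*`, `slurp_etc_consul_template_d_nomad_templates` and the task name `"Verify service nomad"` describe consul paths but say nomad, so a failure message would point at the wrong component — renaming them to `..._consul...` / `"Verify service consul-certs"` in both verify.yml files would fix that.
```yaml
# … unchanged: "Find in directory /etc/consul-template.d/consul/templates" task …
- name: "Verify expected files exist in /etc/consul-template.d/consul/templates"
  vars:
    found_template_names: "{{ find_etc_consul_template_d_consul_templates.files | map(attribute='path') | map('basename') | list }}"
  ansible.builtin.assert:
    that:
      - "'consul_ca.pem.tpl' in found_template_names"
      - "'consul_cert.pem.tpl' in found_template_names"
      - "'consul_key.pem.tpl' in found_template_names"
# … unchanged: stat/slurp loops and per-file verify tasks …
```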
@@ -1,50 +0,0 @@ -"""Role testing files using testinfra.""" - - -def test_hosts_file(host): - """Validate /etc/hosts file.""" - etc_hosts = host.file("/etc/hosts") - assert etc_hosts.exists - assert etc_hosts.user == "root" - assert etc_hosts.group == "root" - -def test_consul_template_config(host): - """Validate /etc/consul-template.d/consul/ files.""" - etc_consul_template_d_consul_config_hcl = host.file("/etc/consul-template.d/consul/consul_config.hcl") - assert etc_consul_template_d_consul_config_hcl.exists - assert etc_consul_template_d_consul_config_hcl.user == "consul" - assert etc_consul_template_d_consul_config_hcl.group == "consul" - assert etc_consul_template_d_consul_config_hcl.mode == 0o600 - -def test_template_files(host): - """Validate /etc/consul-template.d/consul/templates/ files.""" - consul_ca_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_ca.pem.tpl") - consul_cert_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_cert.pem.tpl") - consul_key_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_key.pem.tpl") - for file in consul_cert_pem_tpl, consul_key_pem_tpl: - assert file.exists - assert file.user == "consul" - assert file.group == "consul" - assert file.mode == 0o600 - assert consul_ca_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' - assert consul_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' - assert consul_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" 
"ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' - -def test_consul_certs_service_file(host): - """Validate consul-certs service file.""" - etc_systemd_system_consul_certs_service = host.file("/etc/systemd/system/consul-certs.service") - assert etc_systemd_system_consul_certs_service.exists - assert etc_systemd_system_consul_certs_service.user == "root" - assert etc_systemd_system_consul_certs_service.group == "root" - assert etc_systemd_system_consul_certs_service.mode == 0o644 - assert etc_systemd_system_consul_certs_service.content_string != "" - -def test_consul_certs_service(host): - """Validate consul-certs service.""" - consul_certs_service = host.service("consul-certs.service") - assert consul_certs_service.is_enabled - assert not consul_certs_service.is_running - assert consul_certs_service.systemd_properties["Restart"] == "on-failure" - assert consul_certs_service.systemd_properties["User"] == "consul" - assert consul_certs_service.systemd_properties["Group"] == "consul" - assert consul_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/consul-certs.service" diff --git a/molecule/with_custom_config/verify.yml b/molecule/with_custom_config/verify.yml new file mode 100644 index 0000000..c6bcda0 --- /dev/null +++ b/molecule/with_custom_config/verify.yml 
@@ -0,0 +1,154 @@ +--- +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == 'root' + + - name: "Test: directory /etc/consul-template.d/consul" + block: + - name: "Stat directory /etc/consul-template.d/consul" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul" + register: stat_etc_consul_template_d_nomad + + - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/consul_config.hcl" + register: stat_etc_consul_template_d_nomad_nomad_config_hcl + + - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/consul/consul_config.hcl" + register: slurp_etc_consul_template_d_consul_consul_config_hcl + + - name: "Verify directory /etc/consul-template.d/consul" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_nomad.stat.exists + - stat_etc_consul_template_d_nomad.stat.isdir + - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.mode == '0755' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_consul_consul_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/consul/templates" + 
block: + - name: "Stat directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/templates" + register: stat_etc_consul_template_d_consul_templates + + - name: "Find in directory /etc/consul-template.d/consul/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/consul/templates" + file_type: file + register: find_etc_consul_template_d_consul_templates + + - name: "Stat in directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: stat_etc_consul_template_d_consul_templates + + - name: "Slurp in directory /etc/consul-template.d/consul/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: slurp_etc_consul_template_d_nomad_templates + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" + vars: + consul_ca_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_ca_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_ca.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl" + vars: + consul_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - 
item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_cert_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl" + vars: + consul_key_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_key_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_key.pem.tpl' + + - name: "Test: service consul-certs" + block: + - name: "Get service consul-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/consul-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/consul-certs.service" + register: stat_etc_systemd_system_consul_certs_service + + - name: "Slurp file /etc/systemd/system/consul-certs.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/consul-certs.service" + register: slurp_etc_systemd_system_consul_certs_service + + - name: "Verify service nomad" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_consul_certs_service.stat.exists + - stat_etc_systemd_system_consul_certs_service.stat.isreg + - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_consul_certs_service.content != '' + - ansible_facts.services['consul-certs.service'] 
is defined + - ansible_facts.services['consul-certs.service']['source'] == 'systemd' + - ansible_facts.services['consul-certs.service']['state'] == 'stopped' + - ansible_facts.services['consul-certs.service']['status'] == 'enabled'