From a4d952ef1a6c7229a8b7dbbb3dc15a59366bac58 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 2 Dec 2023 16:48:14 +0100
Subject: [PATCH] feat: add become, add vagrant tests, fix#1
---
handlers/main.yml | 3 +
molecule/default/prepare.yml | 2 +
molecule/default/verify.yml | 18 +--
molecule/default_vagrant/converge.yml | 7 +
molecule/default_vagrant/molecule.yml | 35 +++++
molecule/default_vagrant/prepare.yml | 17 +++
molecule/default_vagrant/requirements.yml | 5 +
molecule/default_vagrant/verify.yml | 142 ++++++++++++++++++
molecule/with_custom_config/prepare.yml | 2 +
molecule/with_custom_config/verify.yml | 18 +--
.../with_custom_config_vagrant/converge.yml | 7 +
.../group_vars/all.yml | 21 +++
.../with_custom_config_vagrant/molecule.yml | 35 +++++
.../with_custom_config_vagrant/prepare.yml | 17 +++
.../requirements.yml | 5 +
.../with_custom_config_vagrant/verify.yml | 142 ++++++++++++++++++
18 files changed, 451 insertions(+), 30 deletions(-)
create mode 100644 molecule/default_vagrant/converge.yml
create mode 100644 molecule/default_vagrant/molecule.yml
create mode 100644 molecule/default_vagrant/prepare.yml
create mode 100644 molecule/default_vagrant/requirements.yml
create mode 100644 molecule/default_vagrant/verify.yml
create mode 100644 molecule/with_custom_config_vagrant/converge.yml
create mode 100644 molecule/with_custom_config_vagrant/group_vars/all.yml
create mode 100644 molecule/with_custom_config_vagrant/molecule.yml
create mode 100644 molecule/with_custom_config_vagrant/prepare.yml
create mode 100644 molecule/with_custom_config_vagrant/requirements.yml
create mode 100644 molecule/with_custom_config_vagrant/verify.yml
diff --git a/handlers/main.yml b/handlers/main.yml
index 450a046..c362c65 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,12 +3,14 @@ - name: "Reload service file" ansible.builtin.systemd: daemon_reload: true + become: true listen: "systemctl-daemon-reload" - name: "Enable nomad-certs service" ansible.builtin.service: name: nomad-certs enabled: true + become: true listen: "systemctl-enable-nomad-certs" - name: "Start nomad-certs service" @@ -17,3 +19,4 @@ state: restarted listen: "systemctl-restart-nomad-certs" when: renew_nomad_certificates_start_service + become: true diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 242d4a7..702c21d 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -6,6 +6,7 @@ ansible.builtin.group: name: "nomad" state: present + become: true - name: "Create user nomad" ansible.builtin.user: @@ -13,3 +14,4 @@ group: "nomad" shell: /bin/false state: present + become: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 93a8632..8462cf2 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -3,21 +3,6 @@ hosts: all gather_facts: false tasks: - - name: "Test: file /etc/hosts" - block: - - name: "Stat file /etc/hosts" - ansible.builtin.stat: - path: "/etc/hosts" - register: stat_etc_hosts - - - name: "Verify file /etc/hosts" - ansible.builtin.assert: - that: - - stat_etc_hosts.stat.exists - - stat_etc_hosts.stat.isreg - - stat_etc_hosts.stat.pw_name == 'root' - - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: directory /etc/consul-template.d/nomad" block: - name: "Stat directory /etc/consul-template.d/nomad" @@ -34,6 +19,7 @@ ansible.builtin.slurp: src: "/etc/consul-template.d/nomad/nomad_config.hcl" register: slurp_etc_consul_template_d_nomad_nomad_config_hcl + become: true - name: "Verify directory /etc/consul-template.d/nomad" ansible.builtin.assert: 
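Review bot: `become: true` is hard-coded on each of the three handlers in handlers/main.yml (and, at L14, on every task in tasks/configure.yml and tasks/prerequisites.yml), which takes the privilege decision away from the consuming play: a play that already runs the role under `become` gets the same result, but one that connects as an already-privileged user or needs `become_method`/`become_user` control cannot opt out. Since no `become_user` is given every escalation is to root, which matches the root:root ownership the verify scenarios assert for the unit file, so the default is right; consider exposing it as a role variable instead, e.g. `become: "{{ renew_nomad_certificates_become | default(true) }}"`, applied identically in the two task files. A one-line comment in handlers/main.yml stating that root is required for `daemon_reload` and the unit enable/restart would also document why escalation lives in the role.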
@@ -74,6 +60,7 @@ src: "{{ item.path }}" loop: "{{ find_etc_consul_template_d_nomad_templates.files }}" register: slurp_etc_consul_template_d_nomad_templates + become: true - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_ca.pem.tpl" vars: @@ -138,6 +125,7 @@ ansible.builtin.slurp: src: "/etc/systemd/system/nomad-certs.service" register: slurp_etc_systemd_system_nomad_certs_service + become: true - name: "Verify service nomad" ansible.builtin.assert: diff --git a/molecule/default_vagrant/converge.yml b/molecule/default_vagrant/converge.yml new file mode 100644 index 0000000..e272496 --- /dev/null +++ b/molecule/default_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_nomad_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_nomad_certificates" diff --git a/molecule/default_vagrant/molecule.yml b/molecule/default_vagrant/molecule.yml new file mode 100644 index 0000000..2b02360 --- /dev/null +++ b/molecule/default_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: default_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/default_vagrant/prepare.yml b/molecule/default_vagrant/prepare.yml new file mode 100644 index 0000000..702c21d --- /dev/null +++ b/molecule/default_vagrant/prepare.yml 
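Review bot: `remote_tmp: /tmp/.ansible` in molecule/default_vagrant/molecule.yml pins Ansible's working directory to a fixed, predictable path under world-writable /tmp, shared between the unprivileged connecting user and the `become: true` tasks that now run as root. On a throwaway Vagrant box that is acceptable, but the same provisioner block is duplicated in molecule/with_custom_config_vagrant/molecule.yml (L10) and, if it is ever lifted into a real inventory, it reintroduces the pre-created-directory/symlink race that the default per-user `~/.ansible/tmp` avoids; a comment such as `# test VM only: shared tmp so become:true tasks can read the connecting user's module files` would record the intent. Separately, `box: generic/${MOLECULE_TEST_OS}` relies on molecule's env interpolation and presumably degrades to `generic/` when the variable is unset rather than failing early; documenting the expected values (or a default) in the scenario would help.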
@@ -0,0 +1,17 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: "Create group nomad" + ansible.builtin.group: + name: "nomad" + state: present + become: true + + - name: "Create user nomad" + ansible.builtin.user: + name: "nomad" + group: "nomad" + shell: /bin/false + state: present + become: true diff --git a/molecule/default_vagrant/requirements.yml b/molecule/default_vagrant/requirements.yml new file mode 100644 index 0000000..0a4a9fb --- /dev/null +++ b/molecule/default_vagrant/requirements.yml @@ -0,0 +1,5 @@ +--- +# requirements file for molecule +roles: + - name: ednxzu.manage_repositories + - name: ednxzu.manage_apt_packages diff --git a/molecule/default_vagrant/verify.yml b/molecule/default_vagrant/verify.yml new file mode 100644 index 0000000..584ad7b --- /dev/null +++ b/molecule/default_vagrant/verify.yml 
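Review bot: both Galaxy roles in molecule/default_vagrant/requirements.yml (and its byte-identical copy at molecule/with_custom_config_vagrant/requirements.yml, L10) are pulled without a `version:`, so each test run resolves whatever is currently published and a changed or compromised upstream release silently changes what the scenario exercises. Pin them, e.g. `- name: ednxzu.manage_repositories` followed by `version: "<PINNED_TAG>"` (placeholder), and bump deliberately. Since both dependencies are apt-oriented, a comment noting that `MOLECULE_TEST_OS` is expected to name a Debian-family box would also save a confusing failure in prepare/converge.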
@@ -0,0 +1,142 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: directory /etc/consul-template.d/nomad" + block: + - name: "Stat directory /etc/consul-template.d/nomad" + ansible.builtin.stat: + path: "/etc/consul-template.d/nomad" + register: stat_etc_consul_template_d_nomad + + - name: "Stat file /etc/consul-template.d/nomad/nomad_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/nomad/nomad_config.hcl" + register: stat_etc_consul_template_d_nomad_nomad_config_hcl + + - name: "Slurp file /etc/consul-template.d/nomad/nomad_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/nomad/nomad_config.hcl" + register: slurp_etc_consul_template_d_nomad_nomad_config_hcl + become: true + + - name: "Verify directory /etc/consul-template.d/nomad" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_nomad.stat.exists + - stat_etc_consul_template_d_nomad.stat.isdir + - stat_etc_consul_template_d_nomad.stat.pw_name == 'nomad' + - stat_etc_consul_template_d_nomad.stat.gr_name == 'nomad' + - stat_etc_consul_template_d_nomad.stat.mode == '0755' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'nomad' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'nomad' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_nomad_nomad_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/nomad/templates" + block: + - name: "Stat directory /etc/consul-template.d/nomad/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/nomad/templates" + register: stat_etc_consul_template_d_nomad_templates + + - name: "Find in directory /etc/consul-template.d/nomad/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/nomad/templates" + file_type: file + register: 
find_etc_consul_template_d_nomad_templates + + - name: "Stat in directory /etc/consul-template.d/nomad/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_nomad_templates.files }}" + register: stat_etc_consul_template_d_nomad_templates + + - name: "Slurp in directory /etc/consul-template.d/nomad/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_nomad_templates.files }}" + register: slurp_etc_consul_template_d_nomad_templates + become: true + + - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_ca.pem.tpl" + vars: + nomad_ca_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'nomad' + - item.item.gr_name == 'nomad' + - item.item.mode == '0600' + - "(item.content|b64decode) == nomad_ca_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'nomad_ca.pem.tpl' + + - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_cert.pem.tpl" + vars: + nomad_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'nomad' + - item.item.gr_name == 'nomad' + - item.item.mode == '0600' + - "(item.content|b64decode) == nomad_cert_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'nomad_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_key.pem.tpl" + vars: + nomad_key_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" 
"common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'nomad' + - item.item.gr_name == 'nomad' + - item.item.mode == '0600' + - "(item.content|b64decode) == nomad_key_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'nomad_key.pem.tpl' + + - name: "Test: service nomad-certs" + block: + - name: "Get service nomad-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/nomad-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/nomad-certs.service" + register: stat_etc_systemd_system_nomad_certs_service + + - name: "Slurp file /etc/systemd/system/nomad.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/nomad-certs.service" + register: slurp_etc_systemd_system_nomad_certs_service + become: true + + - name: "Verify service nomad" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_nomad_certs_service.stat.exists + - stat_etc_systemd_system_nomad_certs_service.stat.isreg + - stat_etc_systemd_system_nomad_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_nomad_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_nomad_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_nomad_certs_service.content != '' + - ansible_facts.services['nomad-certs.service'] is defined + - ansible_facts.services['nomad-certs.service']['source'] == 'systemd' + - ansible_facts.services['nomad-certs.service']['state'] == 'stopped' + - ansible_facts.services['nomad-certs.service']['status'] == 'enabled' diff --git a/molecule/with_custom_config/prepare.yml b/molecule/with_custom_config/prepare.yml index 242d4a7..702c21d 100644 --- a/molecule/with_custom_config/prepare.yml +++ b/molecule/with_custom_config/prepare.yml 
@@ -6,6 +6,7 @@ ansible.builtin.group: name: "nomad" state: present + become: true - name: "Create user nomad" ansible.builtin.user: @@ -13,3 +14,4 @@ group: "nomad" shell: /bin/false state: present + become: true diff --git a/molecule/with_custom_config/verify.yml b/molecule/with_custom_config/verify.yml index 38cada4..30a8dfe 100644 --- a/molecule/with_custom_config/verify.yml +++ b/molecule/with_custom_config/verify.yml @@ -3,21 +3,6 @@ hosts: all gather_facts: false tasks: - - name: "Test: file /etc/hosts" - block: - - name: "Stat file /etc/hosts" - ansible.builtin.stat: - path: "/etc/hosts" - register: stat_etc_hosts - - - name: "Verify file /etc/hosts" - ansible.builtin.assert: - that: - - stat_etc_hosts.stat.exists - - stat_etc_hosts.stat.isreg - - stat_etc_hosts.stat.pw_name == 'root' - - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: directory /etc/consul-template.d/nomad" block: - name: "Stat directory /etc/consul-template.d/nomad" @@ -34,6 +19,7 @@ ansible.builtin.slurp: src: "/etc/consul-template.d/nomad/nomad_config.hcl" register: slurp_etc_consul_template_d_nomad_nomad_config_hcl + become: true - name: "Verify directory /etc/consul-template.d/nomad" ansible.builtin.assert: @@ -74,6 +60,7 @@ src: "{{ item.path }}" loop: "{{ find_etc_consul_template_d_nomad_templates.files }}" register: slurp_etc_consul_template_d_nomad_templates + become: true - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_ca.pem.tpl" vars: @@ -138,6 +125,7 @@ ansible.builtin.slurp: src: "/etc/systemd/system/nomad-certs.service" register: slurp_etc_systemd_system_nomad_certs_service + become: true - name: "Verify service nomad" ansible.builtin.assert: diff --git a/molecule/with_custom_config_vagrant/converge.yml b/molecule/with_custom_config_vagrant/converge.yml new file mode 100644 index 0000000..e272496 --- /dev/null +++ b/molecule/with_custom_config_vagrant/converge.yml 
@@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_nomad_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_nomad_certificates" diff --git a/molecule/with_custom_config_vagrant/group_vars/all.yml b/molecule/with_custom_config_vagrant/group_vars/all.yml new file mode 100644 index 0000000..61ed9ac --- /dev/null +++ b/molecule/with_custom_config_vagrant/group_vars/all.yml @@ -0,0 +1,21 @@ +--- +renew_nomad_certificates_config_dir: /etc/consul-template.d/nomad +renew_nomad_certificates_nomad_user: nomad +renew_nomad_certificates_nomad_group: nomad +renew_nomad_certificates_vault_addr: "https://vault.example.com" +renew_nomad_certificates_vault_token: mysupersecretnomadtokenthatyoushouldchange +renew_nomad_certificates_vault_token_unwrap: false +renew_nomad_certificates_vault_token_renew: true +renew_nomad_certificates_ca_dest: /opt/nomad/tls/ca.pem +renew_nomad_certificates_cert_dest: /opt/nomad/tls/cert.pem +renew_nomad_certificates_key_dest: /opt/nomad/tls/key.pem +renew_nomad_certificates_info: + issuer_path: pki/issue/your-ca-int + common_name: nomad01.example.com + ttl: 90d + is_server: true + is_client: true + include_nomad_service: true +renew_nomad_certificates_nomad_dc_name: dc1.nomad +renew_nomad_certificates_nomad_service_name: nomad.service.nomad +renew_nomad_certificates_start_service: false diff --git a/molecule/with_custom_config_vagrant/molecule.yml b/molecule/with_custom_config_vagrant/molecule.yml new file mode 100644 index 0000000..890cdd0 --- /dev/null +++ b/molecule/with_custom_config_vagrant/molecule.yml 
@@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: with_custom_config_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/with_custom_config_vagrant/prepare.yml b/molecule/with_custom_config_vagrant/prepare.yml new file mode 100644 index 0000000..702c21d --- /dev/null +++ b/molecule/with_custom_config_vagrant/prepare.yml @@ -0,0 +1,17 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: "Create group nomad" + ansible.builtin.group: + name: "nomad" + state: present + become: true + + - name: "Create user nomad" + ansible.builtin.user: + name: "nomad" + group: "nomad" + shell: /bin/false + state: present + become: true diff --git a/molecule/with_custom_config_vagrant/requirements.yml b/molecule/with_custom_config_vagrant/requirements.yml new file mode 100644 index 0000000..0a4a9fb --- /dev/null +++ b/molecule/with_custom_config_vagrant/requirements.yml @@ -0,0 +1,5 @@ +--- +# requirements file for molecule +roles: + - name: ednxzu.manage_repositories + - name: ednxzu.manage_apt_packages diff --git a/molecule/with_custom_config_vagrant/verify.yml b/molecule/with_custom_config_vagrant/verify.yml new file mode 100644 index 0000000..4bb103a --- /dev/null +++ b/molecule/with_custom_config_vagrant/verify.yml 
@@ -0,0 +1,142 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: directory /etc/consul-template.d/nomad" + block: + - name: "Stat directory /etc/consul-template.d/nomad" + ansible.builtin.stat: + path: "/etc/consul-template.d/nomad" + register: stat_etc_consul_template_d_nomad + + - name: "Stat file /etc/consul-template.d/nomad/nomad_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/nomad/nomad_config.hcl" + register: stat_etc_consul_template_d_nomad_nomad_config_hcl + + - name: "Slurp file /etc/consul-template.d/nomad/nomad_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/nomad/nomad_config.hcl" + register: slurp_etc_consul_template_d_nomad_nomad_config_hcl + become: true + + - name: "Verify directory /etc/consul-template.d/nomad" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_nomad.stat.exists + - stat_etc_consul_template_d_nomad.stat.isdir + - stat_etc_consul_template_d_nomad.stat.pw_name == 'nomad' + - stat_etc_consul_template_d_nomad.stat.gr_name == 'nomad' + - stat_etc_consul_template_d_nomad.stat.mode == '0755' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'nomad' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'nomad' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_nomad_nomad_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/nomad/templates" + block: + - name: "Stat directory /etc/consul-template.d/nomad/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/nomad/templates" + register: stat_etc_consul_template_d_nomad_templates + + - name: "Find in directory /etc/consul-template.d/nomad/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/nomad/templates" + file_type: file + register: 
find_etc_consul_template_d_nomad_templates + + - name: "Stat in directory /etc/consul-template.d/nomad/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_nomad_templates.files }}" + register: stat_etc_consul_template_d_nomad_templates + + - name: "Slurp in directory /etc/consul-template.d/nomad/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_nomad_templates.files }}" + register: slurp_etc_consul_template_d_nomad_templates + become: true + + - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_ca.pem.tpl" + vars: + nomad_ca_file: | + {% raw %}{{ with secret "pki/issue/your-ca-int" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.nomad,client.dc1.nomad,nomad.service.nomad" "ip_sans=127.0.0.1" }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'nomad' + - item.item.gr_name == 'nomad' + - item.item.mode == '0600' + - "(item.content|b64decode) == nomad_ca_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'nomad_ca.pem.tpl' + + - name: "Verify file /etc/consul-template.d/nomad/templates/nomad_cert.pem.tpl" + vars: + nomad_cert_file: | + {% raw %}{{ with secret "pki/issue/your-ca-int" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.nomad,client.dc1.nomad,nomad.service.nomad" "ip_sans=127.0.0.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'nomad' + - item.item.gr_name == 'nomad' + - item.item.mode == '0600' + - "(item.content|b64decode) == nomad_cert_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'nomad_cert.pem.tpl' + + - name: "Verify file 
/etc/consul-template.d/nomad/templates/nomad_key.pem.tpl" + vars: + nomad_key_file: | + {% raw %}{{ with secret "pki/issue/your-ca-int" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.nomad,client.dc1.nomad,nomad.service.nomad" "ip_sans=127.0.0.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'nomad' + - item.item.gr_name == 'nomad' + - item.item.mode == '0600' + - "(item.content|b64decode) == nomad_key_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'nomad_key.pem.tpl' + + - name: "Test: service nomad-certs" + block: + - name: "Get service nomad-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/nomad-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/nomad-certs.service" + register: stat_etc_systemd_system_nomad_certs_service + + - name: "Slurp file /etc/systemd/system/nomad.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/nomad-certs.service" + register: slurp_etc_systemd_system_nomad_certs_service + become: true + + - name: "Verify service nomad" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_nomad_certs_service.stat.exists + - stat_etc_systemd_system_nomad_certs_service.stat.isreg + - stat_etc_systemd_system_nomad_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_nomad_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_nomad_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_nomad_certs_service.content != '' + - ansible_facts.services['nomad-certs.service'] is defined + - ansible_facts.services['nomad-certs.service']['source'] == 'systemd' + - ansible_facts.services['nomad-certs.service']['state'] == 'stopped' + - ansible_facts.services['nomad-certs.service']['status'] == 'enabled' diff --git a/tasks/configure.yml b/tasks/configure.yml index 4c576ee..9f68bee 100644 
--- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,6 +1,7 @@ --- # task/configure file for renew_nomad_certificates - name: "Configure files for nomad certificate renewal" + become: true notify: - "systemctl-enable-nomad-certs" - "systemctl-restart-nomad-certs" @@ -44,5 +45,6 @@ owner: root group: root mode: '0644' + become: true notify: - "systemctl-daemon-reload" diff --git a/tasks/prerequisites.yml b/tasks/prerequisites.yml index f1bce54..fb2836b 100644 --- a/tasks/prerequisites.yml +++ b/tasks/prerequisites.yml @@ -7,6 +7,7 @@ owner: "{{ renew_nomad_certificates_nomad_user }}" group: "{{ renew_nomad_certificates_nomad_group }}" mode: '0755' + become: true - name: "Create directory templates directory in {{ renew_nomad_certificates_config_dir }}" ansible.builtin.file: @@ -15,6 +16,7 @@ owner: "{{ renew_nomad_certificates_nomad_user }}" group: "{{ renew_nomad_certificates_nomad_group }}" mode: '0755' + become: true - name: "Ensure certificate/key directory(ies) exist(s)" ansible.builtin.file: @@ -27,3 +29,4 @@ - "{{ renew_nomad_certificates_cert_dest }}" - "{{ renew_nomad_certificates_key_dest }}" - "{{ renew_nomad_certificates_ca_dest }}" + become: true
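Review bot: `become: true` is added to `Ensure certificate/key directory(ies) exist(s)` in tasks/prerequisites.yml, whose loop includes `{{ renew_nomad_certificates_key_dest }}`, but the `ansible.builtin.file` arguments that set owner/group/mode for those directories are outside the hunk, so it cannot be confirmed from here that the directory holding the private key is created nomad-owned and non-world-readable now that the task runs as root. Worth checking and, if not already so, setting `owner`/`group` to the nomad user/group and `mode: '0750'` (or tighter) for that task, consistent with the `0600` the verify scenarios assert for the template files. The first configure.yml hunk attaches `become: true` to `Configure files for nomad certificate renewal`, whose module and body are also outside the hunk; the same hedge applies there.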