ansible-roles/renew_vault_certificates
ansible-roles/renew_vault_certificates
4
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

added gitea actions, debian 12 support and some linting
All checks were successful
test / Linting (push) Successful in 26s
Details
test / Molecule tests (default, ubuntu2004) (push) Successful in 1m35s
Details
test / Molecule tests (default, debian12) (push) Successful in 1m57s
Details
test / Molecule tests (default, debian11) (push) Successful in 1m57s
Details
test / Molecule tests (default, ubuntu2204) (push) Successful in 1m45s
Details
test / Molecule tests (with_custom_config, debian11) (push) Successful in 1m42s
Details
test / Molecule tests (with_custom_config, debian12) (push) Successful in 1m46s
Details
test / Molecule tests (with_custom_config, ubuntu2004) (push) Successful in 1m9s
Details
test / Molecule tests (with_custom_config, ubuntu2204) (push) Successful in 1m35s
Details

Browse Source
This commit is contained in:
Bertrand Lanson 2023-07-07 15:58:16 +02:00
parent 7d067bd4c2
commit 6762041ac8
9 changed files with 333 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
.gitea/workflows/test.yml Normal file
View File

@ -0,0 +1,52 @@
---
name: test
on: [push]
jobs:
lint:
name: Linting
runs-on: ubuntu-latest
container:
image: git.ednz.fr/container-factory/ansible-runner:act-latest
credentials:
username: ${{ secrets.ACTIONS_USER }}
password: ${{ secrets.ACTIONS_TOKEN }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: "Ansible lint"
run: ansible-lint --force-color
working-directory: ${{ gitea.workspace }}
- name: "YAML lint"
run: yamllint . -f colored -c .yamllint
working-directory: ${{ gitea.workspace }}
molecule-test:
name: Molecule tests
runs-on: ubuntu-latest
needs: lint
container:
image: git.ednz.fr/container-factory/ansible-runner:act-latest
credentials:
username: ${{ secrets.ACTIONS_USER }}
password: ${{ secrets.ACTIONS_TOKEN }}
strategy:
matrix:
test_os: [debian11, debian12, ubuntu2004, ubuntu2204]
scenario: [default, with_custom_config]
env:
ANSIBLE_HOST_KEY_CHECKING: 'false'
ANSIBLE_FORCE_COLOR: 'true'
ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
steps:
- name: Checkout
uses: actions/checkout@v3
- name: "Molecule test"
run: molecule test -s ${{ matrix.scenario }}
shell: bash
working-directory: ${{ gitea.workspace }}
env:
MOLECULE_TEST_OS: ${{ matrix.test_os }}

82
.gitlab-ci.yml
View File

@ -1,82 +0,0 @@
---
stages:
- verify
- test-default
- test-with-custom-config
image:
name: registry.ednz.fr/forge/ansible-runner
variables:
ANSIBLE_HOST_KEY_CHECKING: 'false'
ANSIBLE_FORCE_COLOR: 'true'
ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG
.stage-test-default:
stage: test-default
.stage-test-with-custom-config:
stage: test-with-custom-config
.variables-ubuntu-2004:
variables:
MOLECULE_TEST_OS: "ubuntu2004"
.variables-ubuntu-2204:
variables:
MOLECULE_TEST_OS: "ubuntu2204"
.variables-debian-11:
variables:
MOLECULE_TEST_OS: "debian11"
.script-molecule-test-default:
script:
- molecule test
.script-molecule-test-with-custom-config:
script:
- molecule test -s with_custom_config
ansible-verify:
stage: verify
script:
- yamllint . -c .yamllint
- ansible-lint
ansible-test-ubuntu-2004-default:
extends:
- .stage-test-default
- .variables-ubuntu-2004
- .script-molecule-test-default
ansible-test-ubuntu-2204-default:
extends:
- .stage-test-default
- .variables-ubuntu-2204
- .script-molecule-test-default
ansible-test-debian-11-default:
extends:
- .stage-test-default
- .variables-debian-11
- .script-molecule-test-default
ansible-test-ubuntu-2004-with-custom-config:
extends:
- .stage-test-with-custom-config
- .variables-ubuntu-2004
- .script-molecule-test-with-custom-config
ansible-test-ubuntu-2204-with-custom-config:
extends:
- .stage-test-with-custom-config
- .variables-ubuntu-2204
- .script-molecule-test-with-custom-config
ansible-test-debian-11-with-custom-config:
extends:
- .stage-test-with-custom-config
- .variables-debian-11
- .script-molecule-test-with-custom-config

2
LICENSE
View File

@ -1,6 +1,6 @@
The MIT License (MIT) The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling Copyright (c) 2017 Bertrand Lanson
Permission is hereby granted, free of charge, to any person obtaining a copy of Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in this software and associated documentation files (the "Software"), to deal in

2
README.md
View File

@ -1,4 +1,4 @@
Renew vault certificates renew_vault_certificates
========= =========
> This repository is only a mirror. Development and testing is done on a private gitlab server. > This repository is only a mirror. Development and testing is done on a private gitlab server.

1
meta/main.yml
View File

@ -15,6 +15,7 @@ galaxy_info:
- name: Debian - name: Debian
versions: versions:
- bullseye - bullseye
- bookworm
galaxy_tags: galaxy_tags:
- 'ubuntu' - 'ubuntu'
- 'debian' - 'debian'

2
molecule/default/molecule.yml
View File

@ -20,7 +20,7 @@ provisioner:
defaults: defaults:
remote_tmp: /tmp/.ansible remote_tmp: /tmp/.ansible
verifier: verifier:
name: testinfra name: ansible
scenario: scenario:
name: default name: default
test_sequence: test_sequence:

138
molecule/default/verify.yml Normal file
View File

@ -0,0 +1,138 @@
---
- name: Verify
hosts: all
gather_facts: false
tasks:
- name: "Test: file /etc/hosts"
block:
- name: "Stat file /etc/hosts"
ansible.builtin.stat:
path: "/etc/hosts"
register: stat_etc_hosts
- name: "Verify file /etc/hosts"
ansible.builtin.assert:
that:
- stat_etc_hosts.stat.exists
- stat_etc_hosts.stat.isreg
- stat_etc_hosts.stat.pw_name == 'root'
- stat_etc_hosts.stat.gr_name == 'root'
- name: "Test: directory /etc/consul-template.d/vault"
block:
- name: "Stat directory /etc/consul-template.d/vault"
ansible.builtin.stat:
path: "/etc/consul-template.d/vault"
register: stat_etc_consul_template_d_vault
- name: "Stat file /etc/consul-template.d/vault/vault_config.hcl"
ansible.builtin.stat:
path: "/etc/consul-template.d/vault/vault_config.hcl"
register: stat_etc_consul_template_d_vault_vault_config_hcl
- name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl"
ansible.builtin.slurp:
src: "/etc/consul-template.d/vault/vault_config.hcl"
register: slurp_etc_consul_template_d_vault_vault_config_hcl
- name: "Verify directory /etc/consul-template.d/vault"
ansible.builtin.assert:
that:
- stat_etc_consul_template_d_vault.stat.exists
- stat_etc_consul_template_d_vault.stat.isdir
- stat_etc_consul_template_d_vault.stat.pw_name == 'vault'
- stat_etc_consul_template_d_vault.stat.gr_name == 'vault'
- stat_etc_consul_template_d_vault.stat.mode == '0755'
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault'
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault'
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600'
- slurp_etc_consul_template_d_vault_vault_config_hcl.content != ''
- name: "Test: directory /etc/consul-template.d/vault/templates"
block:
- name: "Stat directory /etc/consul-template.d/vault/templates"
ansible.builtin.stat:
path: "/etc/consul-template.d/vault/templates"
register: stat_etc_consul_template_d_vault_templates
- name: "Find in directory /etc/consul-template.d/vault/templates"
ansible.builtin.find:
paths: "/etc/consul-template.d/vault/templates"
file_type: file
register: find_etc_consul_template_d_vault_templates
- name: "Stat in directory /etc/consul-template.d/vault/templates"
ansible.builtin.stat:
path: "{{ item.path }}"
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
register: stat_etc_consul_template_d_vault_templates
- name: "Slurp in directory /etc/consul-template.d/vault/templates"
ansible.builtin.slurp:
src: "{{ item.path }}"
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
register: slurp_etc_consul_template_d_vault_templates
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
vars:
vault_cert_file: |
{% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{ end }}{% endraw %}
ansible.builtin.assert:
that:
- item.item.isreg
- item.item.pw_name == 'vault'
- item.item.gr_name == 'vault'
- item.item.mode == '0600'
- "(item.content|b64decode) == vault_cert_file"
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
when: (item.item.path | basename) == 'vault_cert.pem.tpl'
- name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl"
vars:
vault_key_file: |
{% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}
{{ .Data.private_key }}
{{ end }}{% endraw %}
ansible.builtin.assert:
that:
- item.item.isreg
- item.item.pw_name == 'vault'
- item.item.gr_name == 'vault'
- item.item.mode == '0600'
- "(item.content|b64decode) == vault_key_file"
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
when: (item.item.path | basename) == 'vault_key.pem.tpl'
- name: "Test: service vault-certs"
block:
- name: "Get service vault-certs"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/vault-certs.service"
ansible.builtin.stat:
path: "/etc/systemd/system/vault-certs.service"
register: stat_etc_systemd_system_vault_certs_service
- name: "Slurp file /etc/systemd/system/vault.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/vault-certs.service"
register: slurp_etc_systemd_system_vault_certs_service
- name: "Verify service vault"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_vault_certs_service.stat.exists
- stat_etc_systemd_system_vault_certs_service.stat.isreg
- stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root'
- stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root'
- stat_etc_systemd_system_vault_certs_service.stat.mode == '0644'
- slurp_etc_systemd_system_vault_certs_service.content != ''
- ansible_facts.services['vault-certs.service'] is defined
- ansible_facts.services['vault-certs.service']['source'] == 'systemd'
- ansible_facts.services['vault-certs.service']['state'] == 'stopped'
- ansible_facts.services['vault-certs.service']['status'] == 'enabled'

2
molecule/with_custom_config/molecule.yml
View File

@ -20,7 +20,7 @@ provisioner:
defaults: defaults:
remote_tmp: /tmp/.ansible remote_tmp: /tmp/.ansible
verifier: verifier:
name: testinfra name: ansible
scenario: scenario:
name: with_custom_config name: with_custom_config
test_sequence: test_sequence:

138
molecule/with_custom_config/verify.yml Normal file
View File

@ -0,0 +1,138 @@
---
- name: Verify
hosts: all
gather_facts: false
tasks:
- name: "Test: file /etc/hosts"
block:
- name: "Stat file /etc/hosts"
ansible.builtin.stat:
path: "/etc/hosts"
register: stat_etc_hosts
- name: "Verify file /etc/hosts"
ansible.builtin.assert:
that:
- stat_etc_hosts.stat.exists
- stat_etc_hosts.stat.isreg
- stat_etc_hosts.stat.pw_name == 'root'
- stat_etc_hosts.stat.gr_name == 'root'
- name: "Test: directory /etc/consul-template.d/vault"
block:
- name: "Stat directory /etc/consul-template.d/vault"
ansible.builtin.stat:
path: "/etc/consul-template.d/vault"
register: stat_etc_consul_template_d_vault
- name: "Stat file /etc/consul-template.d/vault/vault_config.hcl"
ansible.builtin.stat:
path: "/etc/consul-template.d/vault/vault_config.hcl"
register: stat_etc_consul_template_d_vault_vault_config_hcl
- name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl"
ansible.builtin.slurp:
src: "/etc/consul-template.d/vault/vault_config.hcl"
register: slurp_etc_consul_template_d_vault_vault_config_hcl
- name: "Verify directory /etc/consul-template.d/vault"
ansible.builtin.assert:
that:
- stat_etc_consul_template_d_vault.stat.exists
- stat_etc_consul_template_d_vault.stat.isdir
- stat_etc_consul_template_d_vault.stat.pw_name == 'vault'
- stat_etc_consul_template_d_vault.stat.gr_name == 'vault'
- stat_etc_consul_template_d_vault.stat.mode == '0755'
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault'
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault'
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600'
- slurp_etc_consul_template_d_vault_vault_config_hcl.content != ''
- name: "Test: directory /etc/consul-template.d/vault/templates"
block:
- name: "Stat directory /etc/consul-template.d/vault/templates"
ansible.builtin.stat:
path: "/etc/consul-template.d/vault/templates"
register: stat_etc_consul_template_d_vault_templates
- name: "Find in directory /etc/consul-template.d/vault/templates"
ansible.builtin.find:
paths: "/etc/consul-template.d/vault/templates"
file_type: file
register: find_etc_consul_template_d_vault_templates
- name: "Stat in directory /etc/consul-template.d/vault/templates"
ansible.builtin.stat:
path: "{{ item.path }}"
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
register: stat_etc_consul_template_d_vault_templates
- name: "Slurp in directory /etc/consul-template.d/vault/templates"
ansible.builtin.slurp:
src: "{{ item.path }}"
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
register: slurp_etc_consul_template_d_vault_templates
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
vars:
vault_cert_file: |
{% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{ end }}{% endraw %}
ansible.builtin.assert:
that:
- item.item.isreg
- item.item.pw_name == 'vault'
- item.item.gr_name == 'vault'
- item.item.mode == '0600'
- "(item.content|b64decode) == vault_cert_file"
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
when: (item.item.path | basename) == 'vault_cert.pem.tpl'
- name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl"
vars:
vault_key_file: |
{% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}
{{ .Data.private_key }}
{{ end }}{% endraw %}
ansible.builtin.assert:
that:
- item.item.isreg
- item.item.pw_name == 'vault'
- item.item.gr_name == 'vault'
- item.item.mode == '0600'
- "(item.content|b64decode) == vault_key_file"
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
when: (item.item.path | basename) == 'vault_key.pem.tpl'
- name: "Test: service vault-certs"
block:
- name: "Get service vault-certs"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/vault-certs.service"
ansible.builtin.stat:
path: "/etc/systemd/system/vault-certs.service"
register: stat_etc_systemd_system_vault_certs_service
- name: "Slurp file /etc/systemd/system/vault.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/vault-certs.service"
register: slurp_etc_systemd_system_vault_certs_service
- name: "Verify service vault"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_vault_certs_service.stat.exists
- stat_etc_systemd_system_vault_certs_service.stat.isreg
- stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root'
- stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root'
- stat_etc_systemd_system_vault_certs_service.stat.mode == '0644'
- slurp_etc_systemd_system_vault_certs_service.content != ''
- ansible_facts.services['vault-certs.service'] is defined
- ansible_facts.services['vault-certs.service']['source'] == 'systemd'
- ansible_facts.services['vault-certs.service']['state'] == 'stopped'
- ansible_facts.services['vault-certs.service']['status'] == 'enabled'