feat: add become, add vagrant tests, fix #1
All checks were successful
test / Linting (push) Successful in 11s
test / Molecule tests (default, debian11) (push) Successful in 1m5s
test / Molecule tests (default, debian12) (push) Successful in 1m8s
test / Molecule tests (default, ubuntu2004) (push) Successful in 1m20s
test / Molecule tests (default, ubuntu2204) (push) Successful in 1m21s
test / Molecule tests (with_custom_config, debian11) (push) Successful in 1m5s
test / Molecule tests (with_custom_config, debian12) (push) Successful in 1m7s
test / Molecule tests (with_custom_config, ubuntu2004) (push) Successful in 1m19s
test / Molecule tests (with_custom_config, ubuntu2204) (push) Successful in 1m18s
All checks were successful
test / Linting (push) Successful in 11s
test / Molecule tests (default, debian11) (push) Successful in 1m5s
test / Molecule tests (default, debian12) (push) Successful in 1m8s
test / Molecule tests (default, ubuntu2004) (push) Successful in 1m20s
test / Molecule tests (default, ubuntu2204) (push) Successful in 1m21s
test / Molecule tests (with_custom_config, debian11) (push) Successful in 1m5s
test / Molecule tests (with_custom_config, debian12) (push) Successful in 1m7s
test / Molecule tests (with_custom_config, ubuntu2004) (push) Successful in 1m19s
test / Molecule tests (with_custom_config, ubuntu2204) (push) Successful in 1m18s
This commit is contained in:
parent
1a41fb5bf3
commit
ed2c223727
@ -3,17 +3,20 @@
|
|||||||
- name: "Reload service file"
|
- name: "Reload service file"
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
|
become: true
|
||||||
listen: "systemctl-daemon-reload"
|
listen: "systemctl-daemon-reload"
|
||||||
|
|
||||||
- name: "Enable vault-certs service"
|
- name: "Enable vault-certs service"
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: vault-certs
|
name: vault-certs
|
||||||
enabled: true
|
enabled: true
|
||||||
|
become: true
|
||||||
listen: "systemctl-enable-vault-certs"
|
listen: "systemctl-enable-vault-certs"
|
||||||
|
|
||||||
- name: "Start vault-certs service"
|
- name: "Start vault-certs service"
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: vault-certs
|
name: vault-certs
|
||||||
state: restarted
|
state: restarted
|
||||||
|
become: true
|
||||||
listen: "systemctl-restart-vault-certs"
|
listen: "systemctl-restart-vault-certs"
|
||||||
when: renew_vault_certificates_start_service
|
when: renew_vault_certificates_start_service
|
||||||
|
|||||||
@ -6,6 +6,7 @@
|
|||||||
ansible.builtin.group:
|
ansible.builtin.group:
|
||||||
name: "vault"
|
name: "vault"
|
||||||
state: present
|
state: present
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Create user vault"
|
- name: "Create user vault"
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
@ -13,3 +14,4 @@
|
|||||||
group: "vault"
|
group: "vault"
|
||||||
shell: /bin/false
|
shell: /bin/false
|
||||||
state: present
|
state: present
|
||||||
|
become: true
|
||||||
|
|||||||
@ -1,23 +1,8 @@
|
|||||||
---
|
---
|
||||||
- name: Verify
|
- name: Verify
|
||||||
hosts: all
|
hosts: all
|
||||||
gather_facts: false
|
gather_facts: true
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Test: file /etc/hosts"
|
|
||||||
block:
|
|
||||||
- name: "Stat file /etc/hosts"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "/etc/hosts"
|
|
||||||
register: stat_etc_hosts
|
|
||||||
|
|
||||||
- name: "Verify file /etc/hosts"
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- stat_etc_hosts.stat.exists
|
|
||||||
- stat_etc_hosts.stat.isreg
|
|
||||||
- stat_etc_hosts.stat.pw_name == 'root'
|
|
||||||
- stat_etc_hosts.stat.gr_name == 'root'
|
|
||||||
|
|
||||||
- name: "Test: directory /etc/consul-template.d/vault"
|
- name: "Test: directory /etc/consul-template.d/vault"
|
||||||
block:
|
block:
|
||||||
- name: "Stat directory /etc/consul-template.d/vault"
|
- name: "Stat directory /etc/consul-template.d/vault"
|
||||||
@ -34,6 +19,7 @@
|
|||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: "/etc/consul-template.d/vault/vault_config.hcl"
|
src: "/etc/consul-template.d/vault/vault_config.hcl"
|
||||||
register: slurp_etc_consul_template_d_vault_vault_config_hcl
|
register: slurp_etc_consul_template_d_vault_vault_config_hcl
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Verify directory /etc/consul-template.d/vault"
|
- name: "Verify directory /etc/consul-template.d/vault"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
@ -74,6 +60,7 @@
|
|||||||
src: "{{ item.path }}"
|
src: "{{ item.path }}"
|
||||||
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
||||||
register: slurp_etc_consul_template_d_vault_templates
|
register: slurp_etc_consul_template_d_vault_templates
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
|
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
|
||||||
vars:
|
vars:
|
||||||
@ -122,6 +109,7 @@
|
|||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: "/etc/systemd/system/vault-certs.service"
|
src: "/etc/systemd/system/vault-certs.service"
|
||||||
register: slurp_etc_systemd_system_vault_certs_service
|
register: slurp_etc_systemd_system_vault_certs_service
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Verify service vault"
|
- name: "Verify service vault"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
|
|||||||
7
molecule/default_vagrant/converge.yml
Normal file
7
molecule/default_vagrant/converge.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
tasks:
|
||||||
|
- name: "Include ednxzu.renew_vault_certificates"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: "ednxzu.renew_vault_certificates"
|
||||||
35
molecule/default_vagrant/molecule.yml
Normal file
35
molecule/default_vagrant/molecule.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
dependency:
|
||||||
|
name: galaxy
|
||||||
|
options:
|
||||||
|
requirements-file: ./requirements.yml
|
||||||
|
driver:
|
||||||
|
name: vagrant
|
||||||
|
provider:
|
||||||
|
name: libvirt
|
||||||
|
platforms:
|
||||||
|
- name: instance
|
||||||
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
|
cpus: 4
|
||||||
|
memory: 4096
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
config_options:
|
||||||
|
defaults:
|
||||||
|
remote_tmp: /tmp/.ansible
|
||||||
|
verifier:
|
||||||
|
name: ansible
|
||||||
|
scenario:
|
||||||
|
name: default_vagrant
|
||||||
|
test_sequence:
|
||||||
|
- dependency
|
||||||
|
- cleanup
|
||||||
|
- destroy
|
||||||
|
- syntax
|
||||||
|
- create
|
||||||
|
- prepare
|
||||||
|
- converge
|
||||||
|
- idempotence
|
||||||
|
- verify
|
||||||
|
- cleanup
|
||||||
|
- destroy
|
||||||
17
molecule/default_vagrant/prepare.yml
Normal file
17
molecule/default_vagrant/prepare.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
tasks:
|
||||||
|
- name: "Create group vault"
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "vault"
|
||||||
|
state: present
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Create user vault"
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "vault"
|
||||||
|
group: "vault"
|
||||||
|
shell: /bin/false
|
||||||
|
state: present
|
||||||
|
become: true
|
||||||
5
molecule/default_vagrant/requirements.yml
Normal file
5
molecule/default_vagrant/requirements.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
# requirements file for molecule
|
||||||
|
roles:
|
||||||
|
- name: ednxzu.manage_repositories
|
||||||
|
- name: ednxzu.manage_apt_packages
|
||||||
126
molecule/default_vagrant/verify.yml
Normal file
126
molecule/default_vagrant/verify.yml
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
---
|
||||||
|
- name: Verify
|
||||||
|
hosts: all
|
||||||
|
gather_facts: true
|
||||||
|
tasks:
|
||||||
|
- name: "Test: directory /etc/consul-template.d/vault"
|
||||||
|
block:
|
||||||
|
- name: "Stat directory /etc/consul-template.d/vault"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/consul-template.d/vault"
|
||||||
|
register: stat_etc_consul_template_d_vault
|
||||||
|
|
||||||
|
- name: "Stat file /etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
register: stat_etc_consul_template_d_vault_vault_config_hcl
|
||||||
|
|
||||||
|
- name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "/etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
register: slurp_etc_consul_template_d_vault_vault_config_hcl
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Verify directory /etc/consul-template.d/vault"
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- stat_etc_consul_template_d_vault.stat.exists
|
||||||
|
- stat_etc_consul_template_d_vault.stat.isdir
|
||||||
|
- stat_etc_consul_template_d_vault.stat.pw_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault.stat.gr_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault.stat.mode == '0755'
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600'
|
||||||
|
- slurp_etc_consul_template_d_vault_vault_config_hcl.content != ''
|
||||||
|
|
||||||
|
- name: "Test: directory /etc/consul-template.d/vault/templates"
|
||||||
|
block:
|
||||||
|
- name: "Stat directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/consul-template.d/vault/templates"
|
||||||
|
register: stat_etc_consul_template_d_vault_templates
|
||||||
|
|
||||||
|
- name: "Find in directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.find:
|
||||||
|
paths: "/etc/consul-template.d/vault/templates"
|
||||||
|
file_type: file
|
||||||
|
register: find_etc_consul_template_d_vault_templates
|
||||||
|
|
||||||
|
- name: "Stat in directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "{{ item.path }}"
|
||||||
|
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
||||||
|
register: stat_etc_consul_template_d_vault_templates
|
||||||
|
|
||||||
|
- name: "Slurp in directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ item.path }}"
|
||||||
|
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
||||||
|
register: slurp_etc_consul_template_d_vault_templates
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
|
||||||
|
vars:
|
||||||
|
vault_cert_file: |
|
||||||
|
{% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}
|
||||||
|
{{ .Data.certificate }}
|
||||||
|
{{ .Data.issuing_ca }}
|
||||||
|
{{ end }}{% endraw %}
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- item.item.isreg
|
||||||
|
- item.item.pw_name == 'vault'
|
||||||
|
- item.item.gr_name == 'vault'
|
||||||
|
- item.item.mode == '0600'
|
||||||
|
- "(item.content|b64decode) == vault_cert_file"
|
||||||
|
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
|
||||||
|
when: (item.item.path | basename) == 'vault_cert.pem.tpl'
|
||||||
|
|
||||||
|
- name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl"
|
||||||
|
vars:
|
||||||
|
vault_key_file: |
|
||||||
|
{% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}
|
||||||
|
{{ .Data.private_key }}
|
||||||
|
{{ end }}{% endraw %}
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- item.item.isreg
|
||||||
|
- item.item.pw_name == 'vault'
|
||||||
|
- item.item.gr_name == 'vault'
|
||||||
|
- item.item.mode == '0600'
|
||||||
|
- "(item.content|b64decode) == vault_key_file"
|
||||||
|
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
|
||||||
|
when: (item.item.path | basename) == 'vault_key.pem.tpl'
|
||||||
|
|
||||||
|
- name: "Test: service vault-certs"
|
||||||
|
block:
|
||||||
|
- name: "Get service vault-certs"
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
|
||||||
|
- name: "Stat file /etc/systemd/system/vault-certs.service"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/systemd/system/vault-certs.service"
|
||||||
|
register: stat_etc_systemd_system_vault_certs_service
|
||||||
|
|
||||||
|
- name: "Slurp file /etc/systemd/system/vault.service"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "/etc/systemd/system/vault-certs.service"
|
||||||
|
register: slurp_etc_systemd_system_vault_certs_service
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Verify service vault"
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.exists
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.isreg
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root'
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root'
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.mode == '0644'
|
||||||
|
- slurp_etc_systemd_system_vault_certs_service.content != ''
|
||||||
|
- ansible_facts.services['vault-certs.service'] is defined
|
||||||
|
- ansible_facts.services['vault-certs.service']['source'] == 'systemd'
|
||||||
|
- ansible_facts.services['vault-certs.service']['state'] == 'stopped'
|
||||||
|
- ansible_facts.services['vault-certs.service']['status'] == 'enabled'
|
||||||
@ -6,6 +6,7 @@
|
|||||||
ansible.builtin.group:
|
ansible.builtin.group:
|
||||||
name: "vault"
|
name: "vault"
|
||||||
state: present
|
state: present
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Create user vault"
|
- name: "Create user vault"
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
@ -13,3 +14,4 @@
|
|||||||
group: "vault"
|
group: "vault"
|
||||||
shell: /bin/false
|
shell: /bin/false
|
||||||
state: present
|
state: present
|
||||||
|
become: true
|
||||||
|
|||||||
@ -1,23 +1,8 @@
|
|||||||
---
|
---
|
||||||
- name: Verify
|
- name: Verify
|
||||||
hosts: all
|
hosts: all
|
||||||
gather_facts: false
|
gather_facts: true
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Test: file /etc/hosts"
|
|
||||||
block:
|
|
||||||
- name: "Stat file /etc/hosts"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "/etc/hosts"
|
|
||||||
register: stat_etc_hosts
|
|
||||||
|
|
||||||
- name: "Verify file /etc/hosts"
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- stat_etc_hosts.stat.exists
|
|
||||||
- stat_etc_hosts.stat.isreg
|
|
||||||
- stat_etc_hosts.stat.pw_name == 'root'
|
|
||||||
- stat_etc_hosts.stat.gr_name == 'root'
|
|
||||||
|
|
||||||
- name: "Test: directory /etc/consul-template.d/vault"
|
- name: "Test: directory /etc/consul-template.d/vault"
|
||||||
block:
|
block:
|
||||||
- name: "Stat directory /etc/consul-template.d/vault"
|
- name: "Stat directory /etc/consul-template.d/vault"
|
||||||
@ -34,6 +19,7 @@
|
|||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: "/etc/consul-template.d/vault/vault_config.hcl"
|
src: "/etc/consul-template.d/vault/vault_config.hcl"
|
||||||
register: slurp_etc_consul_template_d_vault_vault_config_hcl
|
register: slurp_etc_consul_template_d_vault_vault_config_hcl
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Verify directory /etc/consul-template.d/vault"
|
- name: "Verify directory /etc/consul-template.d/vault"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
@ -74,6 +60,7 @@
|
|||||||
src: "{{ item.path }}"
|
src: "{{ item.path }}"
|
||||||
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
||||||
register: slurp_etc_consul_template_d_vault_templates
|
register: slurp_etc_consul_template_d_vault_templates
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
|
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
|
||||||
vars:
|
vars:
|
||||||
@ -122,6 +109,7 @@
|
|||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: "/etc/systemd/system/vault-certs.service"
|
src: "/etc/systemd/system/vault-certs.service"
|
||||||
register: slurp_etc_systemd_system_vault_certs_service
|
register: slurp_etc_systemd_system_vault_certs_service
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Verify service vault"
|
- name: "Verify service vault"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
|
|||||||
7
molecule/with_custom_config_vagrant/converge.yml
Normal file
7
molecule/with_custom_config_vagrant/converge.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
- name: Converge
|
||||||
|
hosts: all
|
||||||
|
tasks:
|
||||||
|
- name: "Include ednxzu.renew_vault_certificates"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: "ednxzu.renew_vault_certificates"
|
||||||
18
molecule/with_custom_config_vagrant/group_vars/all.yml
Normal file
18
molecule/with_custom_config_vagrant/group_vars/all.yml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
renew_vault_certificates_config_dir: /etc/consul-template.d/vault
|
||||||
|
renew_vault_certificates_vault_user: vault
|
||||||
|
renew_vault_certificates_vault_group: vault
|
||||||
|
renew_vault_certificates_vault_addr: "https://vault.example.com"
|
||||||
|
renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange
|
||||||
|
renew_vault_certificates_vault_token_unwrap: false
|
||||||
|
renew_vault_certificates_vault_token_renew: true
|
||||||
|
renew_vault_certificates_cert_dest: /opt/vault/tls/cert.pem
|
||||||
|
renew_vault_certificates_key_dest: /opt/vault/tls/key.pem
|
||||||
|
renew_vault_certificates_info:
|
||||||
|
issuer_path: pki/issue/vault-issuer
|
||||||
|
common_name: vault01.example.com
|
||||||
|
ip_addr: "192.168.1.1"
|
||||||
|
ttl: 90d
|
||||||
|
include_consul_service: true
|
||||||
|
renew_vault_certificates_consul_service_name: vault.service.consul
|
||||||
|
renew_vault_certificates_start_service: false
|
||||||
35
molecule/with_custom_config_vagrant/molecule.yml
Normal file
35
molecule/with_custom_config_vagrant/molecule.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
dependency:
|
||||||
|
name: galaxy
|
||||||
|
options:
|
||||||
|
requirements-file: ./requirements.yml
|
||||||
|
driver:
|
||||||
|
name: vagrant
|
||||||
|
provider:
|
||||||
|
name: libvirt
|
||||||
|
platforms:
|
||||||
|
- name: instance
|
||||||
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
|
cpus: 4
|
||||||
|
memory: 4096
|
||||||
|
provisioner:
|
||||||
|
name: ansible
|
||||||
|
config_options:
|
||||||
|
defaults:
|
||||||
|
remote_tmp: /tmp/.ansible
|
||||||
|
verifier:
|
||||||
|
name: ansible
|
||||||
|
scenario:
|
||||||
|
name: with_custom_config_vagrant
|
||||||
|
test_sequence:
|
||||||
|
- dependency
|
||||||
|
- cleanup
|
||||||
|
- destroy
|
||||||
|
- syntax
|
||||||
|
- create
|
||||||
|
- prepare
|
||||||
|
- converge
|
||||||
|
- idempotence
|
||||||
|
- verify
|
||||||
|
- cleanup
|
||||||
|
- destroy
|
||||||
17
molecule/with_custom_config_vagrant/prepare.yml
Normal file
17
molecule/with_custom_config_vagrant/prepare.yml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
tasks:
|
||||||
|
- name: "Create group vault"
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "vault"
|
||||||
|
state: present
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Create user vault"
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "vault"
|
||||||
|
group: "vault"
|
||||||
|
shell: /bin/false
|
||||||
|
state: present
|
||||||
|
become: true
|
||||||
5
molecule/with_custom_config_vagrant/requirements.yml
Normal file
5
molecule/with_custom_config_vagrant/requirements.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
# requirements file for molecule
|
||||||
|
roles:
|
||||||
|
- name: ednxzu.manage_repositories
|
||||||
|
- name: ednxzu.manage_apt_packages
|
||||||
126
molecule/with_custom_config_vagrant/verify.yml
Normal file
126
molecule/with_custom_config_vagrant/verify.yml
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
---
|
||||||
|
- name: Verify
|
||||||
|
hosts: all
|
||||||
|
gather_facts: true
|
||||||
|
tasks:
|
||||||
|
- name: "Test: directory /etc/consul-template.d/vault"
|
||||||
|
block:
|
||||||
|
- name: "Stat directory /etc/consul-template.d/vault"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/consul-template.d/vault"
|
||||||
|
register: stat_etc_consul_template_d_vault
|
||||||
|
|
||||||
|
- name: "Stat file /etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
register: stat_etc_consul_template_d_vault_vault_config_hcl
|
||||||
|
|
||||||
|
- name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "/etc/consul-template.d/vault/vault_config.hcl"
|
||||||
|
register: slurp_etc_consul_template_d_vault_vault_config_hcl
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Verify directory /etc/consul-template.d/vault"
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- stat_etc_consul_template_d_vault.stat.exists
|
||||||
|
- stat_etc_consul_template_d_vault.stat.isdir
|
||||||
|
- stat_etc_consul_template_d_vault.stat.pw_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault.stat.gr_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault.stat.mode == '0755'
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault'
|
||||||
|
- stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600'
|
||||||
|
- slurp_etc_consul_template_d_vault_vault_config_hcl.content != ''
|
||||||
|
|
||||||
|
- name: "Test: directory /etc/consul-template.d/vault/templates"
|
||||||
|
block:
|
||||||
|
- name: "Stat directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/consul-template.d/vault/templates"
|
||||||
|
register: stat_etc_consul_template_d_vault_templates
|
||||||
|
|
||||||
|
- name: "Find in directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.find:
|
||||||
|
paths: "/etc/consul-template.d/vault/templates"
|
||||||
|
file_type: file
|
||||||
|
register: find_etc_consul_template_d_vault_templates
|
||||||
|
|
||||||
|
- name: "Stat in directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "{{ item.path }}"
|
||||||
|
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
||||||
|
register: stat_etc_consul_template_d_vault_templates
|
||||||
|
|
||||||
|
- name: "Slurp in directory /etc/consul-template.d/vault/templates"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ item.path }}"
|
||||||
|
loop: "{{ find_etc_consul_template_d_vault_templates.files }}"
|
||||||
|
register: slurp_etc_consul_template_d_vault_templates
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl"
|
||||||
|
vars:
|
||||||
|
vault_cert_file: |
|
||||||
|
{% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}
|
||||||
|
{{ .Data.certificate }}
|
||||||
|
{{ .Data.issuing_ca }}
|
||||||
|
{{ end }}{% endraw %}
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- item.item.isreg
|
||||||
|
- item.item.pw_name == 'vault'
|
||||||
|
- item.item.gr_name == 'vault'
|
||||||
|
- item.item.mode == '0600'
|
||||||
|
- "(item.content|b64decode) == vault_cert_file"
|
||||||
|
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
|
||||||
|
when: (item.item.path | basename) == 'vault_cert.pem.tpl'
|
||||||
|
|
||||||
|
- name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl"
|
||||||
|
vars:
|
||||||
|
vault_key_file: |
|
||||||
|
{% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}
|
||||||
|
{{ .Data.private_key }}
|
||||||
|
{{ end }}{% endraw %}
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- item.item.isreg
|
||||||
|
- item.item.pw_name == 'vault'
|
||||||
|
- item.item.gr_name == 'vault'
|
||||||
|
- item.item.mode == '0600'
|
||||||
|
- "(item.content|b64decode) == vault_key_file"
|
||||||
|
loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}"
|
||||||
|
when: (item.item.path | basename) == 'vault_key.pem.tpl'
|
||||||
|
|
||||||
|
- name: "Test: service vault-certs"
|
||||||
|
block:
|
||||||
|
- name: "Get service vault-certs"
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
|
||||||
|
- name: "Stat file /etc/systemd/system/vault-certs.service"
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "/etc/systemd/system/vault-certs.service"
|
||||||
|
register: stat_etc_systemd_system_vault_certs_service
|
||||||
|
|
||||||
|
- name: "Slurp file /etc/systemd/system/vault.service"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "/etc/systemd/system/vault-certs.service"
|
||||||
|
register: slurp_etc_systemd_system_vault_certs_service
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: "Verify service vault"
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.exists
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.isreg
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root'
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root'
|
||||||
|
- stat_etc_systemd_system_vault_certs_service.stat.mode == '0644'
|
||||||
|
- slurp_etc_systemd_system_vault_certs_service.content != ''
|
||||||
|
- ansible_facts.services['vault-certs.service'] is defined
|
||||||
|
- ansible_facts.services['vault-certs.service']['source'] == 'systemd'
|
||||||
|
- ansible_facts.services['vault-certs.service']['state'] == 'stopped'
|
||||||
|
- ansible_facts.services['vault-certs.service']['status'] == 'enabled'
|
||||||
@ -1,6 +1,7 @@
|
|||||||
---
|
---
|
||||||
# task/configure file for renew_vault_certificates
|
# task/configure file for renew_vault_certificates
|
||||||
- name: "Configure files for vault certificate renewal"
|
- name: "Configure files for vault certificate renewal"
|
||||||
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- "systemctl-enable-vault-certs"
|
- "systemctl-enable-vault-certs"
|
||||||
- "systemctl-restart-vault-certs"
|
- "systemctl-restart-vault-certs"
|
||||||
@ -36,5 +37,6 @@
|
|||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
become: true
|
||||||
notify:
|
notify:
|
||||||
- "systemctl-daemon-reload"
|
- "systemctl-daemon-reload"
|
||||||
|
|||||||
@ -7,6 +7,7 @@
|
|||||||
owner: "{{ renew_vault_certificates_vault_user }}"
|
owner: "{{ renew_vault_certificates_vault_user }}"
|
||||||
group: "{{ renew_vault_certificates_vault_group }}"
|
group: "{{ renew_vault_certificates_vault_group }}"
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Create directory templates directory in {{ renew_vault_certificates_config_dir }}"
|
- name: "Create directory templates directory in {{ renew_vault_certificates_config_dir }}"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
@ -15,6 +16,7 @@
|
|||||||
owner: "{{ renew_vault_certificates_vault_user }}"
|
owner: "{{ renew_vault_certificates_vault_user }}"
|
||||||
group: "{{ renew_vault_certificates_vault_group }}"
|
group: "{{ renew_vault_certificates_vault_group }}"
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: "Ensure certificate/key directory(ies) exist(s)"
|
- name: "Ensure certificate/key directory(ies) exist(s)"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
@ -23,6 +25,7 @@
|
|||||||
owner: "{{ renew_vault_certificates_vault_user }}"
|
owner: "{{ renew_vault_certificates_vault_user }}"
|
||||||
group: "{{ renew_vault_certificates_vault_group }}"
|
group: "{{ renew_vault_certificates_vault_group }}"
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
|
become: true
|
||||||
loop:
|
loop:
|
||||||
- "{{ renew_vault_certificates_cert_dest }}"
|
- "{{ renew_vault_certificates_cert_dest }}"
|
||||||
- "{{ renew_vault_certificates_key_dest }}"
|
- "{{ renew_vault_certificates_key_dest }}"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user