getcert first push
parent
434dc5c93f
commit
a17eec4193
4 changed files with 102 additions and 61 deletions
19
README.md
19
README.md
|
@ -1,7 +1,11 @@
|
|||
CI Badge
|
||||
|
||||
# Ansible template role
|
||||
basic Role to use going forward because I forget pieces
|
||||
# ipa-getcert Ansible Role
|
||||
A very basic ipa-getcert role used for certificates issued for internal communication. This assumes the client is enrolled with FreeIPA.
|
||||
|
||||
This is loosely based on another project on github with some heavy modifications and adapted for the Rocky Linux infrastructure. It may be used and copied.
|
||||
|
||||
**Note**: Note that the certificates should auto-renew when requested via `ipa-getcert`. However. if you turn on the chain, you will have to renew that manually.
|
||||
|
||||
## Getting started
|
||||
Ensure all dependencies are installed and then follow the below process
|
||||
|
@ -9,7 +13,7 @@ Ensure all dependencies are installed and then follow the below process
|
|||
2. `pre-commit install` Install the pre-commit hooks
|
||||
3. Make edits as explained in the customization section
|
||||
4. `pre-commit` Make sure existing code is good
|
||||
5. `do development` Dont ask me :D
|
||||
5. `do development` You know what to do
|
||||
6. `pre-commit` Make sure the edits are good to go
|
||||
7. `molecule converge`
|
||||
|
||||
|
@ -20,21 +24,14 @@ This repo expects 3 things installed on the local machine
|
|||
3. [yamllint](https://github.com/adrienverge/yamllint) Ensures all yaml is well formed
|
||||
|
||||
### Customization
|
||||
There are a few files that are required to be updated when using this template
|
||||
1. [molecule/requirements.yml](molecule/requirements.yml) - Update with any required roles or collections
|
||||
2. [molecule/default/converge.yml](molecule/default/converge.yml) - update with new role name
|
||||
3. [molecule/default/molecule.yml](molecule/default/molecule.yml) - update with desired distributions and extra playbooks
|
||||
4. [github](github) - Rename to `.github` and push, this will set up yamllint, ansible-lint and a CI check job for the `main` branch
|
||||
1. NOTE: If you are using a SAML token this may fail. You can created the files within the Github web app
|
||||
If you can come up with a customization to this, go for it!
|
||||
|
||||
### Optional
|
||||
The github actions are configured to automatically run the molecule tests but if you want to load them locally you will also need molecule installed on the development machine
|
||||
|
||||
## Advanced
|
||||
|
||||
There are numerous other options within the [defaults/main.yml](./defaults/main.yml) that can change other parts of the behavior of the system
|
||||
|
||||
## Changelog
|
||||
The [changelog](./CHANGELOG.md) is stored externally
|
||||
|
||||
|
||||
|
|
|
@ -1,2 +1,17 @@
|
|||
---
|
||||
# ansible default variables - most variables live here
|
||||
# ansible default variables - most variables live here
|
||||
ipa_getcert_key_location: /etc/pki/tls/private
|
||||
ipa_getcert_cert_location: /etc/pki/tls/certs
|
||||
|
||||
# List of hostnames that should be requested
|
||||
ipa_getcert_requested_hostnames:
|
||||
- "{{ ansible_fqdn }}"
|
||||
|
||||
ipa_getcert_fqdn_symlink: true
|
||||
ipa_getcert_chain: false
|
||||
ipa_getcert_chain_location: /etc/pki/tls/chains
|
||||
|
||||
# If an application user/service account needs to be able to
|
||||
# view the certificate, set the group here. This is only needed
|
||||
# for when chain is true.
|
||||
ipa_getcert_group: root
|
||||
|
|
|
@ -1,53 +1,8 @@
|
|||
galaxy_info:
|
||||
author: your name
|
||||
description: your role description
|
||||
company: your company (optional)
|
||||
|
||||
# If the issue tracker for your role is not on github, uncomment the
|
||||
# next line and provide a value
|
||||
# issue_tracker_url: http://example.com/issue/tracker
|
||||
|
||||
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||
# - BSD-3-Clause (default)
|
||||
# - MIT
|
||||
# - GPL-2.0-or-later
|
||||
# - GPL-3.0-only
|
||||
# - Apache-2.0
|
||||
# - CC-BY-4.0
|
||||
author: Louis Abel
|
||||
description: Basic ipa-getcert role
|
||||
company: Rocky Linux Foundation
|
||||
license: MIT
|
||||
|
||||
min_ansible_version: 2.8
|
||||
|
||||
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||
# min_ansible_container_version:
|
||||
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
# platforms:
|
||||
# - name: Fedora
|
||||
# versions:
|
||||
# - all
|
||||
# - 25
|
||||
# - name: SomePlatform
|
||||
# versions:
|
||||
# - all
|
||||
# - 1.0
|
||||
# - 7
|
||||
# - 99.99
|
||||
|
||||
galaxy_tags: []
|
||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||
# remove the '[]' above, if you add tags to this list.
|
||||
#
|
||||
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||
# Maximum 20 tags per role.
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
|
|
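Review bot: `min_ansible_version: 2.8` in this section (which appears to be the role's Galaxy metadata) is an unquoted plain scalar and is loaded as the float 2.8 rather than a version string; the value survives this time, but a later bump to 2.10 would silently become 2.1. Quote it as `min_ansible_version: "2.8"` so the version is carried as text. The rest of the hunk removes template boilerplate and needs no change.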
@ -1,2 +1,76 @@
|
|||
---
|
||||
# tasks
|
||||
# Request the certificate for the host from IPA
|
||||
# System must be enrolled as an IPA Client and must be ran as root
|
||||
- name: Check if host is IPA enrolled
|
||||
shell: /usr/sbin/ipa-client-install --unattended 2>&1 | grep "already configured"
|
||||
register: ipacheck
|
||||
ignore_errors: true
|
||||
|
||||
- name: IPA Certificate Operations
|
||||
block:
|
||||
- name: Request Certificate
|
||||
command: ipa-getcert request -r -w \
|
||||
-I "{{ item }}" \
|
||||
-N "CN={{ item }}" \
|
||||
-D "{{ item }}" \
|
||||
-k "{{ ipa_getcert_key_location }}" \
|
||||
-f "{{ ipa_getcert_cert_location }}" \
|
||||
-K "host/{{ item }}"
|
||||
args:
|
||||
creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
|
||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||
register: ipa_cert_request
|
||||
|
||||
- name: Symlink the fqdn certificate as localhost
|
||||
file:
|
||||
state: link
|
||||
force: true
|
||||
src: "{{ item.src }}"
|
||||
path: "{{ item.path }}"
|
||||
owner: root
|
||||
group: root
|
||||
with_items:
|
||||
- src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
|
||||
path: "{{ ipa_getcert_cert_location }}/localhost.crt"
|
||||
- src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
|
||||
path: "{{ ipa_getcert_key_location }}/localhost.key"
|
||||
|
||||
- name: Chain link certificates
|
||||
block:
|
||||
- name: Create chain directory
|
||||
file:
|
||||
state: directory
|
||||
path: "{{ ipa_getcert_chain_location }}"
|
||||
owner: root
|
||||
group: "{{ ipa_getcert_group }}"
|
||||
mode: '0750'
|
||||
|
||||
- name: Chain link certs
|
||||
file:
|
||||
state: link
|
||||
src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
|
||||
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
|
||||
owner: root
|
||||
group: root
|
||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||
|
||||
- name: Chain link keys
|
||||
file:
|
||||
state: link
|
||||
src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
|
||||
path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
|
||||
owner: root
|
||||
group: root
|
||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||
|
||||
- name: Assemble the chain
|
||||
assemble:
|
||||
src: "{{ ipa_getcert_chain_location }}"
|
||||
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
|
||||
regexp: "^{{ item }}.(crt|key)$"
|
||||
owner: root
|
||||
group: "{{ ipa_getcert_group }}"
|
||||
mode: '0640'
|
||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||
when: ipa_getcert_chain
|
||||
when: ipacheck.rc == 0
|
||||
|
|
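Review bot: The enrollment probe in `Check if host is IPA enrolled` runs `ipa-client-install --unattended` and greps its output, so on a host that is not yet enrolled the "check" is an actual unattended enrollment attempt rather than a read-only test; a `stat` of the IPA client configuration (FreeIPA writes `/etc/ipa/default.conf` on enrolled clients) answers the same question with no side effects, needs no `ignore_errors`, and lets the gate become `when: ipacheck.stat.exists`. Two further points in the same hunk look like defects: `ipa-getcert request` takes file paths for `-k` and `-f`, yet `Request Certificate` passes the key and cert directories, which does not match the `creates:` path `{{ ipa_getcert_cert_location }}/{{ item }}.crt` or the `.crt`/`.key` sources used by the later link tasks; and in `Symlink the fqdn certificate as localhost` the first entry's `src` ends in `.key` while its `path` is `localhost.crt`, so the certificate link would point at a non-existent key file in the cert directory. The trailing `\` continuations in the `command:` value are characters of a plain multi-line YAML scalar, not shell continuations, so they are handed to the module's argument splitting; a `>-` folded scalar or an `argv:` list avoids that. A `changed_when: false` on the check task would also stop it reporting a change on every run.
```yaml
- name: Check if host is IPA enrolled
  stat:
    path: /etc/ipa/default.conf
  register: ipacheck

# … unchanged: IPA Certificate Operations block …
  when: ipacheck.stat.exists
```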