getcert first push

2020-12-19 01:54:17 -07:00 · 2020-12-19 01:54:17 -07:00 · a17eec4193
parent 434dc5c93f
commit a17eec4193
4 changed files with 102 additions and 61 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,11 @@
 CI Badge

-# Ansible template role
-basic Role to use going forward because I forget pieces
+# ipa-getcert Ansible Role
+A very basic ipa-getcert role used for certificates issued for internal communication. This assumes the client is enrolled with FreeIPA.
+
+This is loosely based on another project on github with some heavy modifications and adapted for the Rocky Linux infrastructure. It may be used and copied.
+
+**Note**: Note that the certificates should auto-renew when requested via `ipa-getcert`. However. if you turn on the chain, you will have to renew that manually.

 ## Getting started
 Ensure all dependencies are installed and then follow the below process
@ -9,7 +13,7 @@ Ensure all dependencies are installed and then follow the below process
 2. `pre-commit install` Install the pre-commit hooks
 3. Make edits as explained in the customization section
 4. `pre-commit` Make sure existing code is good
-5. `do development` Dont ask me :D
+5. `do development` You know what to do
 6. `pre-commit` Make sure the edits are good to go
 7. `molecule converge`

@ -20,21 +24,14 @@ This repo expects 3 things installed on the local machine
 3. [yamllint](https://github.com/adrienverge/yamllint) Ensures all yaml is well formed

 ### Customization
-There are a few files that are required to be updated when using this template
-1. [molecule/requirements.yml](molecule/requirements.yml) - Update with any required  roles or collections
-2. [molecule/default/converge.yml](molecule/default/converge.yml) - update with new role name
-3. [molecule/default/molecule.yml](molecule/default/molecule.yml) - update with desired distributions and extra playbooks
-4. [github](github) - Rename to `.github` and push, this will set up yamllint, ansible-lint and a CI check job for the `main` branch
-   1. NOTE: If you are using a SAML token this may fail. You can created the files within the Github web app
+If you can come up with a customization to this, go for it!

 ### Optional
 The github actions are configured to automatically run the molecule tests but if you want to load them locally you will also need molecule installed on the development machine

 ## Advanced
-
 There are numerous other options within the [defaults/main.yml](./defaults/main.yml) that can change other parts of the behavior of the system

 ## Changelog
 The [changelog](./CHANGELOG.md) is stored externally

-
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,2 +1,17 @@
 ---
-# ansible default variables - most variables live here
+# ansible default variables - most variables live here
+ipa_getcert_key_location: /etc/pki/tls/private
+ipa_getcert_cert_location: /etc/pki/tls/certs
+
+# List of hostnames that should be requested
+ipa_getcert_requested_hostnames:
+  - "{{ ansible_fqdn }}"
+
+ipa_getcert_fqdn_symlink: true
+ipa_getcert_chain: false
+ipa_getcert_chain_location: /etc/pki/tls/chains
+
+# If an application user/service account needs to be able to
+# view the certificate, set the group here. This is only needed
+# for when chain is true.
+ipa_getcert_group: root
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,53 +1,8 @@
 galaxy_info:
-  author: your name
-  description: your role description
-  company: your company (optional)
-
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-
-  # Choose a valid license ID from https://spdx.org - some suggested licenses:
-  # - BSD-3-Clause (default)
-  # - MIT
-  # - GPL-2.0-or-later
-  # - GPL-3.0-only
-  # - Apache-2.0
-  # - CC-BY-4.0
+  author: Louis Abel
+  description: Basic ipa-getcert role
+  company: Rocky Linux Foundation
  license: MIT
-
  min_ansible_version: 2.8
-
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
-
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
-
  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
-
 dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
-  
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1,76 @@
 ---
-# tasks
+# Request the certificate for the host from IPA
+# System must be enrolled as an IPA Client and must be ran as root
+- name: Check if host is IPA enrolled
+  shell: /usr/sbin/ipa-client-install --unattended 2>&1 | grep "already configured"
+  register: ipacheck
+  ignore_errors: true
+
+- name: IPA Certificate Operations
+  block:
+    - name: Request Certificate
+      command: ipa-getcert request -r -w \
+        -I "{{ item }}" \
+        -N "CN={{ item }}" \
+        -D "{{ item }}" \
+        -k "{{ ipa_getcert_key_location }}" \
+        -f "{{ ipa_getcert_cert_location }}" \
+        -K "host/{{ item }}"
+      args:
+        creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
+      with_items: "{{ ipa_getcert_requested_hostnames }}"
+      register: ipa_cert_request
+
+    - name: Symlink the fqdn certificate as localhost
+      file:
+        state: link
+        force: true
+        src: "{{ item.src }}"
+        path: "{{ item.path }}"
+        owner: root
+        group: root
+      with_items:
+        - src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
+          path: "{{ ipa_getcert_cert_location }}/localhost.crt"
+        - src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
+          path: "{{ ipa_getcert_key_location }}/localhost.key"
+
+    - name: Chain link certificates
+      block:
+        - name: Create chain directory
+          file:
+            state: directory
+            path: "{{ ipa_getcert_chain_location }}"
+            owner: root
+            group: "{{ ipa_getcert_group }}"
+            mode: '0750'
+
+        - name: Chain link certs
+          file:
+            state: link
+            src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
+            dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
+            owner: root
+            group: root
+          with_items: "{{ ipa_getcert_requested_hostnames }}"
+
+        - name: Chain link keys
+          file:
+            state: link
+            src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
+            path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
+            owner: root
+            group: root
+          with_items: "{{ ipa_getcert_requested_hostnames }}"
+
+        - name: Assemble the chain
+          assemble:
+            src: "{{ ipa_getcert_chain_location }}"
+            dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
+            regexp: "^{{ item }}.(crt|key)$"
+            owner: root
+            group: "{{ ipa_getcert_group }}"
+            mode: '0640'
+          with_items: "{{ ipa_getcert_requested_hostnames }}"
+      when: ipa_getcert_chain
+  when: ipacheck.rc == 0