getcert first push

2024-11-24 04:51:23 +00:00 · 2020-12-19 01:54:17 -07:00 · 2020-12-19 01:54:17 -07:00 · a17eec4193
commit a17eec4193
parent 434dc5c93f
4 changed files with 102 additions and 61 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,11 @@
 CI Badge
-# Ansible template role
+# ipa-getcert Ansible Role
-basic Role to use going forward because I forget pieces
+A very basic ipa-getcert role used for certificates issued for internal communication. This assumes the client is enrolled with FreeIPA.
 This is loosely based on another project on github with some heavy modifications and adapted for the Rocky Linux infrastructure. It may be used and copied.
 **Note**: Note that the certificates should auto-renew when requested via `ipa-getcert`. However. if you turn on the chain, you will have to renew that manually.
 ## Getting started
 Ensure all dependencies are installed and then follow the below process
@ -9,7 +13,7 @@ Ensure all dependencies are installed and then follow the below process
 2. `pre-commit install` Install the pre-commit hooks
 3. Make edits as explained in the customization section
 4. `pre-commit` Make sure existing code is good
-5. `do development` Dont ask me :D
+5. `do development` You know what to do
 6. `pre-commit` Make sure the edits are good to go
 7. `molecule converge`
@ -20,21 +24,14 @@ This repo expects 3 things installed on the local machine
 3. [yamllint](https://github.com/adrienverge/yamllint) Ensures all yaml is well formed
 ### Customization
-There are a few files that are required to be updated when using this template
+If you can come up with a customization to this, go for it!
 1. [molecule/requirements.yml](molecule/requirements.yml) - Update with any required  roles or collections
 2. [molecule/default/converge.yml](molecule/default/converge.yml) - update with new role name
 3. [molecule/default/molecule.yml](molecule/default/molecule.yml) - update with desired distributions and extra playbooks
 4. [github](github) - Rename to `.github` and push, this will set up yamllint, ansible-lint and a CI check job for the `main` branch
   1. NOTE: If you are using a SAML token this may fail. You can created the files within the Github web app
 ### Optional
 The github actions are configured to automatically run the molecule tests but if you want to load them locally you will also need molecule installed on the development machine
 ## Advanced
 There are numerous other options within the [defaults/main.yml](./defaults/main.yml) that can change other parts of the behavior of the system
 ## Changelog
 The [changelog](./CHANGELOG.md) is stored externally
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,2 +1,17 @@
 ---
-# ansible default variables - most variables live here
+# ansible default variables - most variables live here
 ipa_getcert_key_location: /etc/pki/tls/private
 ipa_getcert_cert_location: /etc/pki/tls/certs
 # List of hostnames that should be requested
 ipa_getcert_requested_hostnames:
  - "{{ ansible_fqdn }}"
 ipa_getcert_fqdn_symlink: true
 ipa_getcert_chain: false
 ipa_getcert_chain_location: /etc/pki/tls/chains
 # If an application user/service account needs to be able to
 # view the certificate, set the group here. This is only needed
 # for when chain is true.
 ipa_getcert_group: root
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,53 +1,8 @@
 galaxy_info:
-  author: your name
+  author: Louis Abel
-  description: your role description
+  description: Basic ipa-getcert role
-  company: your company (optional)
+  company: Rocky Linux Foundation
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: MIT
  min_ansible_version: 2.8
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1,76 @@
 ---
-# tasks
+# Request the certificate for the host from IPA
 # System must be enrolled as an IPA Client and must be ran as root
 - name: Check if host is IPA enrolled
  shell: /usr/sbin/ipa-client-install --unattended 2>&1 | grep "already configured"
  register: ipacheck
  ignore_errors: true
 - name: IPA Certificate Operations
  block:
    - name: Request Certificate
      command: ipa-getcert request -r -w \
        -I "{{ item }}" \
        -N "CN={{ item }}" \
        -D "{{ item }}" \
        -k "{{ ipa_getcert_key_location }}" \
        -f "{{ ipa_getcert_cert_location }}" \
        -K "host/{{ item }}"
      args:
        creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
      with_items: "{{ ipa_getcert_requested_hostnames }}"
      register: ipa_cert_request
    - name: Symlink the fqdn certificate as localhost
      file:
        state: link
        force: true
        src: "{{ item.src }}"
        path: "{{ item.path }}"
        owner: root
        group: root
      with_items:
        - src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
          path: "{{ ipa_getcert_cert_location }}/localhost.crt"
        - src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
          path: "{{ ipa_getcert_key_location }}/localhost.key"
    - name: Chain link certificates
      block:
        - name: Create chain directory
          file:
            state: directory
            path: "{{ ipa_getcert_chain_location }}"
            owner: root
            group: "{{ ipa_getcert_group }}"
            mode: '0750'
        - name: Chain link certs
          file:
            state: link
            src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
            dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
            owner: root
            group: root
          with_items: "{{ ipa_getcert_requested_hostnames }}"
        - name: Chain link keys
          file:
            state: link
            src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
            path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
            owner: root
            group: root
          with_items: "{{ ipa_getcert_requested_hostnames }}"
        - name: Assemble the chain
          assemble:
            src: "{{ ipa_getcert_chain_location }}"
            dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
            regexp: "^{{ item }}.(crt|key)$"
            owner: root
            group: "{{ ipa_getcert_group }}"
            mode: '0640'
          with_items: "{{ ipa_getcert_requested_hostnames }}"
      when: ipa_getcert_chain
  when: ipacheck.rc == 0