getcert first push

This commit is contained in:
nazunalika 2020-12-19 01:54:17 -07:00
parent 434dc5c93f
commit a17eec4193
4 changed files with 102 additions and 61 deletions

View File

@ -1,7 +1,11 @@
CI Badge
# Ansible template role
basic Role to use going forward because I forget pieces
# ipa-getcert Ansible Role
A very basic ipa-getcert role used for certificates issued for internal communication. This assumes the client is enrolled with FreeIPA.
This is loosely based on another project on github with some heavy modifications and adapted for the Rocky Linux infrastructure. It may be used and copied.
**Note**: Note that the certificates should auto-renew when requested via `ipa-getcert`. However. if you turn on the chain, you will have to renew that manually.
## Getting started
Ensure all dependencies are installed and then follow the below process
@ -9,7 +13,7 @@ Ensure all dependencies are installed and then follow the below process
2. `pre-commit install` Install the pre-commit hooks
3. Make edits as explained in the customization section
4. `pre-commit` Make sure existing code is good
5. `do development` Dont ask me :D
5. `do development` You know what to do
6. `pre-commit` Make sure the edits are good to go
7. `molecule converge`
@ -20,21 +24,14 @@ This repo expects 3 things installed on the local machine
3. [yamllint](https://github.com/adrienverge/yamllint) Ensures all yaml is well formed
### Customization
There are a few files that are required to be updated when using this template
1. [molecule/requirements.yml](molecule/requirements.yml) - Update with any required roles or collections
2. [molecule/default/converge.yml](molecule/default/converge.yml) - update with new role name
3. [molecule/default/molecule.yml](molecule/default/molecule.yml) - update with desired distributions and extra playbooks
4. [github](github) - Rename to `.github` and push, this will set up yamllint, ansible-lint and a CI check job for the `main` branch
1. NOTE: If you are using a SAML token this may fail. You can created the files within the Github web app
If you can come up with a customization to this, go for it!
### Optional
The github actions are configured to automatically run the molecule tests but if you want to load them locally you will also need molecule installed on the development machine
## Advanced
There are numerous other options within the [defaults/main.yml](./defaults/main.yml) that can change other parts of the behavior of the system
## Changelog
The [changelog](./CHANGELOG.md) is stored externally

View File

@ -1,2 +1,17 @@
---
# ansible default variables - most variables live here
ipa_getcert_key_location: /etc/pki/tls/private
ipa_getcert_cert_location: /etc/pki/tls/certs
# List of hostnames that should be requested
ipa_getcert_requested_hostnames:
- "{{ ansible_fqdn }}"
ipa_getcert_fqdn_symlink: true
ipa_getcert_chain: false
ipa_getcert_chain_location: /etc/pki/tls/chains
# If an application user/service account needs to be able to
# view the certificate, set the group here. This is only needed
# for when chain is true.
ipa_getcert_group: root

View File

@ -1,53 +1,8 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
author: Louis Abel
description: Basic ipa-getcert role
company: Rocky Linux Foundation
license: MIT
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

View File

@ -1,2 +1,76 @@
---
# tasks
# Request the certificate for the host from IPA
# System must be enrolled as an IPA Client and must be ran as root
- name: Check if host is IPA enrolled
shell: /usr/sbin/ipa-client-install --unattended 2>&1 | grep "already configured"
register: ipacheck
ignore_errors: true
- name: IPA Certificate Operations
block:
- name: Request Certificate
command: ipa-getcert request -r -w \
-I "{{ item }}" \
-N "CN={{ item }}" \
-D "{{ item }}" \
-k "{{ ipa_getcert_key_location }}" \
-f "{{ ipa_getcert_cert_location }}" \
-K "host/{{ item }}"
args:
creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
with_items: "{{ ipa_getcert_requested_hostnames }}"
register: ipa_cert_request
- name: Symlink the fqdn certificate as localhost
file:
state: link
force: true
src: "{{ item.src }}"
path: "{{ item.path }}"
owner: root
group: root
with_items:
- src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
path: "{{ ipa_getcert_cert_location }}/localhost.crt"
- src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
path: "{{ ipa_getcert_key_location }}/localhost.key"
- name: Chain link certificates
block:
- name: Create chain directory
file:
state: directory
path: "{{ ipa_getcert_chain_location }}"
owner: root
group: "{{ ipa_getcert_group }}"
mode: '0750'
- name: Chain link certs
file:
state: link
src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
owner: root
group: root
with_items: "{{ ipa_getcert_requested_hostnames }}"
- name: Chain link keys
file:
state: link
src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
owner: root
group: root
with_items: "{{ ipa_getcert_requested_hostnames }}"
- name: Assemble the chain
assemble:
src: "{{ ipa_getcert_chain_location }}"
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
regexp: "^{{ item }}.(crt|key)$"
owner: root
group: "{{ ipa_getcert_group }}"
mode: '0640'
with_items: "{{ ipa_getcert_requested_hostnames }}"
when: ipa_getcert_chain
when: ipacheck.rc == 0