fix up ipa-getcert role to be modular

This commit is contained in:
nazunalika 2020-12-19 18:12:34 -07:00
parent a17eec4193
commit b182a76df9
4 changed files with 78 additions and 47 deletions

View file

@ -1,17 +1,25 @@
---
# ansible default variables - most variables live here
ipa_getcert_key_location: /etc/pki/tls/private
ipa_getcert_cert_location: /etc/pki/tls/certs
ipa_getcert_key_default_location: /etc/pki/tls/private
ipa_getcert_cert_default_location: /etc/pki/tls/certs
ipa_getcert_owner_default: root
# List of hostnames that should be requested
ipa_getcert_requested_hostnames:
- "{{ ansible_fqdn }}"
- name: "{{ ansible_fqdn }}"
key_location: /etc/pki/tls/private
cert_location: /etc/pki/tls/certs
# If you need a different ownership, you can setup the above sort of like this:
# ipa_getcert_requested_hostnames:
# - name: name
# postcmd: "/bin/systemctl restart ejabberd"
# owner: ejabberd
# key_location: /opt/ejabberd/conf/pki
# cert_location: /opt/ejabberd/conf/pki
# This feature coming soon
#ipa_getcert_fqdn_symlink: true
ipa_getcert_fqdn_symlink: true
ipa_getcert_chain: false
ipa_getcert_chain_location: /etc/pki/tls/chains
# If an application user/service account needs to be able to
# view the certificate, set the group here. This is only needed
# for when chain is true.
ipa_getcert_group: root

View file

@ -6,34 +6,35 @@
register: ipacheck
ignore_errors: true
- name: Check certificate existence
stat:
path: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
register: cert_results
with_items: "{{ ipa_getcert_requested_hostnames }}"
ignore_errors: true
- name: Verify certificate existence
assert:
that:
- not item.stat.exists | mandatory
fail_msg: "Certificate already exists!"
success_msg: "Certificate doesn't exist, moving on"
quiet: true
with_items: "{{ cert_results.results }}"
- name: IPA Certificate Operations
block:
- name: Request Certificate
command: ipa-getcert request -r -w \
-I "{{ item }}" \
-N "CN={{ item }}" \
-D "{{ item }}" \
-k "{{ ipa_getcert_key_location }}" \
-f "{{ ipa_getcert_cert_location }}" \
-K "host/{{ item }}"
args:
creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
with_items: "{{ ipa_getcert_requested_hostnames }}"
register: ipa_cert_request
- name: Symlink the fqdn certificate as localhost
file:
state: link
force: true
src: "{{ item.src }}"
path: "{{ item.path }}"
- name: Deploy ipa-getcert script
template:
src: "get_cert.sh.j2"
dest: "/root/get_cert.sh"
owner: root
group: root
with_items:
- src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
path: "{{ ipa_getcert_cert_location }}/localhost.crt"
- src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
path: "{{ ipa_getcert_key_location }}/localhost.key"
mode: '0750'
- name: Request Certificate
raw: /root/get_cert.sh
register: ipa_cert_request
- name: Chain link certificates
block:
@ -48,29 +49,31 @@
- name: Chain link certs
file:
state: link
src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
owner: root
group: root
src: "{{ item.cert_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.crt"
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
with_items: "{{ ipa_getcert_requested_hostnames }}"
- name: Chain link keys
file:
state: link
src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
owner: root
group: root
src: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.key"
path: "{{ ipa_getcert_chain_location }}/{{ item.name }}.key"
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
with_items: "{{ ipa_getcert_requested_hostnames }}"
- name: Assemble the chain
assemble:
src: "{{ ipa_getcert_chain_location }}"
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
regexp: "^{{ item }}.(crt|key)$"
owner: root
group: "{{ ipa_getcert_group }}"
dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.pem"
regexp: "^{{ item.name }}.(crt|key)$"
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
mode: '0640'
with_items: "{{ ipa_getcert_requested_hostnames }}"
when: ipa_getcert_chain
when: ipacheck.rc == 0
when:
- ipacheck.rc == 0
- ipa_cert_request.rc == 0

21
templates/get_cert.sh.j2 Normal file
View file

@ -0,0 +1,21 @@
#!/bin/bash
# This script will take care of the certificate process for IPA.
# There may be more than one request done based on the vars of the playbook.
{% for ipahosts in ipa_getcert_requested_hostnames %}
/usr/bin/ipa-getcert request -r -w \
-I "{{ ipahosts.name }}" \
-N "CN={{ ipahosts.name }}" \
-D "{{ ipahosts.name }}" \
-k "{{ ipahosts.key_location | default(ipa_getcert_key_default_location) }}" \
-f "{{ ipahosts.cert_location | default(ipa_getcert_cert_default_location) }}" \
{% if ipahosts.postcmd %}
-C "{{ ipahosts.postcmd }}" \
{% endif %}
{% if ipahosts.owner %}
-O "{{ ipahosts.owner }}" \
-o "{{ ipahosts.owner }}" \
{% endif %}
-K "host/{{ ipahosts.name }}"
{% endfor %}

View file

@ -1,3 +1,2 @@
---
# vars file - Nothing should really go here but dynamic imports
# and truely static items