fix up ipa-getcert role to be modular
This commit is contained in:
nazunalika
parent
a17eec4193
commit
b182a76df9
|
|
@ -1,17 +1,25 @@
|
||||||
---
|
---
|
||||||
# ansible default variables - most variables live here
|
# ansible default variables - most variables live here
|
||||||
ipa_getcert_key_location: /etc/pki/tls/private
|
ipa_getcert_key_default_location: /etc/pki/tls/private
|
||||||
ipa_getcert_cert_location: /etc/pki/tls/certs
|
ipa_getcert_cert_default_location: /etc/pki/tls/certs
|
||||||
|
ipa_getcert_owner_default: root
|
||||||
|
|
||||||
# List of hostnames that should be requested
|
# List of hostnames that should be requested
|
||||||
ipa_getcert_requested_hostnames:
|
ipa_getcert_requested_hostnames:
|
||||||
- "{{ ansible_fqdn }}"
|
- name: "{{ ansible_fqdn }}"
|
||||||
|
key_location: /etc/pki/tls/private
|
||||||
|
cert_location: /etc/pki/tls/certs
|
||||||
|
|
||||||
|
# If you need a different ownership, you can setup the above sort of like this:
|
||||||
|
# ipa_getcert_requested_hostnames:
|
||||||
|
# - name: name
|
||||||
|
# postcmd: "/bin/systemctl restart ejabberd"
|
||||||
|
# owner: ejabberd
|
||||||
|
# key_location: /opt/ejabberd/conf/pki
|
||||||
|
# cert_location: /opt/ejabberd/conf/pki
|
||||||
|
|
||||||
|
# This feature coming soon
|
||||||
|
#ipa_getcert_fqdn_symlink: true
|
||||||
|
|
||||||
ipa_getcert_fqdn_symlink: true
|
|
||||||
ipa_getcert_chain: false
|
ipa_getcert_chain: false
|
||||||
ipa_getcert_chain_location: /etc/pki/tls/chains
|
ipa_getcert_chain_location: /etc/pki/tls/chains
|
||||||
|
|
||||||
# If an application user/service account needs to be able to
|
|
||||||
# view the certificate, set the group here. This is only needed
|
|
||||||
# for when chain is true.
|
|
||||||
ipa_getcert_group: root
|
|
||||||
|
|
|
||||||
|
|
@ -6,34 +6,35 @@
|
||||||
register: ipacheck
|
register: ipacheck
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: Check certificate existence
|
||||||
|
stat:
|
||||||
|
path: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
|
||||||
|
register: cert_results
|
||||||
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: Verify certificate existence
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- not item.stat.exists | mandatory
|
||||||
|
fail_msg: "Certificate already exists!"
|
||||||
|
success_msg: "Certificate doesn't exist, moving on"
|
||||||
|
quiet: true
|
||||||
|
with_items: "{{ cert_results.results }}"
|
||||||
|
|
||||||
- name: IPA Certificate Operations
|
- name: IPA Certificate Operations
|
||||||
block:
|
block:
|
||||||
- name: Request Certificate
|
- name: Deploy ipa-getcert script
|
||||||
command: ipa-getcert request -r -w \
|
template:
|
||||||
-I "{{ item }}" \
|
src: "get_cert.sh.j2"
|
||||||
-N "CN={{ item }}" \
|
dest: "/root/get_cert.sh"
|
||||||
-D "{{ item }}" \
|
|
||||||
-k "{{ ipa_getcert_key_location }}" \
|
|
||||||
-f "{{ ipa_getcert_cert_location }}" \
|
|
||||||
-K "host/{{ item }}"
|
|
||||||
args:
|
|
||||||
creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
|
|
||||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
|
||||||
register: ipa_cert_request
|
|
||||||
|
|
||||||
- name: Symlink the fqdn certificate as localhost
|
|
||||||
file:
|
|
||||||
state: link
|
|
||||||
force: true
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
with_items:
|
mode: '0750'
|
||||||
- src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
|
|
||||||
path: "{{ ipa_getcert_cert_location }}/localhost.crt"
|
- name: Request Certificate
|
||||||
- src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
|
raw: /root/get_cert.sh
|
||||||
path: "{{ ipa_getcert_key_location }}/localhost.key"
|
register: ipa_cert_request
|
||||||
|
|
||||||
- name: Chain link certificates
|
- name: Chain link certificates
|
||||||
block:
|
block:
|
||||||
|
|
@ -48,29 +49,31 @@
|
||||||
- name: Chain link certs
|
- name: Chain link certs
|
||||||
file:
|
file:
|
||||||
state: link
|
state: link
|
||||||
src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
|
src: "{{ item.cert_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
|
||||||
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
|
dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.crt"
|
||||||
owner: root
|
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
||||||
group: root
|
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
||||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||||
|
|
||||||
- name: Chain link keys
|
- name: Chain link keys
|
||||||
file:
|
file:
|
||||||
state: link
|
state: link
|
||||||
src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
|
src: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.key"
|
||||||
path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
|
path: "{{ ipa_getcert_chain_location }}/{{ item.name }}.key"
|
||||||
owner: root
|
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
||||||
group: root
|
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
||||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||||
|
|
||||||
- name: Assemble the chain
|
- name: Assemble the chain
|
||||||
assemble:
|
assemble:
|
||||||
src: "{{ ipa_getcert_chain_location }}"
|
src: "{{ ipa_getcert_chain_location }}"
|
||||||
dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
|
dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.pem"
|
||||||
regexp: "^{{ item }}.(crt|key)$"
|
regexp: "^{{ item.name }}.(crt|key)$"
|
||||||
owner: root
|
owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
||||||
group: "{{ ipa_getcert_group }}"
|
group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
|
||||||
mode: '0640'
|
mode: '0640'
|
||||||
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
with_items: "{{ ipa_getcert_requested_hostnames }}"
|
||||||
when: ipa_getcert_chain
|
when: ipa_getcert_chain
|
||||||
when: ipacheck.rc == 0
|
when:
|
||||||
|
- ipacheck.rc == 0
|
||||||
|
- ipa_cert_request.rc == 0
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# This script will take care of the certificate process for IPA.
|
||||||
|
# There may be more than one request done based on the vars of the playbook.
|
||||||
|
|
||||||
|
{% for ipahosts in ipa_getcert_requested_hostnames %}
|
||||||
|
/usr/bin/ipa-getcert request -r -w \
|
||||||
|
-I "{{ ipahosts.name }}" \
|
||||||
|
-N "CN={{ ipahosts.name }}" \
|
||||||
|
-D "{{ ipahosts.name }}" \
|
||||||
|
-k "{{ ipahosts.key_location | default(ipa_getcert_key_default_location) }}" \
|
||||||
|
-f "{{ ipahosts.cert_location | default(ipa_getcert_cert_default_location) }}" \
|
||||||
|
{% if ipahosts.postcmd %}
|
||||||
|
-C "{{ ipahosts.postcmd }}" \
|
||||||
|
{% endif %}
|
||||||
|
{% if ipahosts.owner %}
|
||||||
|
-O "{{ ipahosts.owner }}" \
|
||||||
|
-o "{{ ipahosts.owner }}" \
|
||||||
|
{% endif %}
|
||||||
|
-K "host/{{ ipahosts.name }}"
|
||||||
|
|
||||||
|
{% endfor %}
|
||||||
|
|
@ -1,3 +1,2 @@
|
||||||
---
|
---
|
||||||
# vars file - Nothing should really go here but dynamic imports
|
# vars file - Nothing should really go here but dynamic imports
|
||||||
# and truely static items
|
|
||||||
Loading…
Reference in New Issue