Add defaults for owner/group/mode on pki_install_host

Reverts the default user/group from
I4a90479261b2721c08e9034fbae0d56de9308676

Adds global default options so user/group etc can
be overridden on the setup host

Some cases of 'omit' for file modes are changed to a
role-defined default which will override any system umask
preferences.

Related-Bug: #2029253
Change-Id: Id999ccf5f42ee7f6b6b08db67276bb77bc9a21d8
(cherry picked from commit 307c1feb50)
Andrew Bonney 2023-08-08 14:05:02 +01:00 committed by Jonathan Rosser
parent 39f8654cd4
commit a7e919fee7
5 changed files with 30 additions and 20 deletions


@ -155,3 +155,11 @@ pki_method: standalone
pki_handler_ca_changed: "ca cert changed"
pki_handler_cert_changed: "cert changed"
pki_handler_cert_installed: "cert installed"
# Default permissions used on pki_setup_host
# pki_owner: "root"
# pki_group: "root"
pki_cert_mode: "0644"
pki_cert_dir_mode: "0755"
pki_key_mode: "0600"
pki_key_dir_mode: "0700"
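Review bot: Leaving `pki_owner`/`pki_group` commented out means every task that chains `default(pki_owner) | default(omit)` falls through to omit, so the CA directories and private key on `pki_setup_host` are presumably left owned by whatever account runs the play while still being chmod'ed to `pki_key_mode`; that fallback is not stated anywhere in this defaults block, and the commented `"root"` examples read as a recommendation rather than the actual default. Suggest widening the header comment to something like `# Ownership/permissions applied on pki_setup_host. pki_owner/pki_group are unset on purpose: when undefined the owner/group arguments are omitted and files keep the identity of the user running the play.` It would also help to note that setting only `pki_owner` leaves the group omitted, since the two knobs are independent.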


@ -21,8 +21,9 @@
file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default(omit) }}"
mode: "{{ item.mode | default(omit) }}"
owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
group: "{{ item.group | default(pki_group) | default(omit) }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- "{{ pki_ca_dirs }}"
delegate_to: "{{ pki_setup_host }}"
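Review bot: The directory fallback on the `mode:` line hardcodes `'0755'` even though this same commit introduces `pki_cert_dir_mode` for exactly that value, so an operator who tightens `pki_cert_dir_mode` still gets 0755 on any `pki_ca_dirs` entry that carries no explicit mode. Suggest `mode: "{{ item.mode | default(pki_cert_dir_mode) }}"` so the role-defined default governs every directory this task creates. The task's `- name:` header starts outside the hunk.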


@ -21,8 +21,9 @@
file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default(omit) }}"
mode: "{{ item.mode | default(omit) }}"
owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
group: "{{ item.group | default(pki_group) | default(omit) }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- "{{ pki_cert_dirs }}"
when: pki_create_certificates | default(true)
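Review bot: The `mode:` fallback here is a literal `'0755'` rather than the new `pki_cert_dir_mode`, and the `_pki_cert_dirs` list changed in this commit has a `pki_dir` entry with no mode at all, so the top-level PKI directory appears to be the one item whose permissions are not governed by the role variable. Suggest `mode: "{{ item.mode | default(pki_cert_dir_mode) }}"` so a tightened `pki_cert_dir_mode` also applies to the parent directory. The enclosing task begins before the hunk.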


@ -24,17 +24,17 @@
file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default(omit) }}"
mode: "{{ item.mode | default(omit) }}"
owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
group: "{{ item.group | default(pki_group) | default(omit) }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- path: "{{ ca_dir }}"
mode: "0755"
- path: "{{ ca_dir ~ '/csr' }}"
mode: "0700"
mode: "{{ pki_key_dir_mode }}"
- path: "{{ ca_dir ~ '/private' }}"
mode: "0700"
mode: "{{ pki_key_dir_mode }}"
- path: "{{ ca_dir ~ '/certs' }}"
mode: "0755"
mode: "{{ pki_cert_dir_mode }}"
# NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
# openssl_privatekey gets changed when harmonizing ownership/permissions
@ -42,9 +42,9 @@
file:
state: file
path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
mode: "{{ ca.key_mode | default('0600') }}"
owner: "{{ ca.key_owner | default('root') }}"
group: "{{ ca.key_group | default('root') }}"
mode: "{{ ca.key_mode | default(pki_key_mode) }}"
owner: "{{ ca.key_owner | default(pki_owner) | default(omit) }}"
group: "{{ ca.key_group | default(pki_group) | default(omit) }}"
failed_when: false
- name: Initialise the serial number for {{ ca.name }}
@ -59,9 +59,9 @@
passphrase: "{{ ca.key_passphrase | default(omit) }}"
cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
backup: "{{ ca.backup | default(True) }}"
mode: "{{ ca.key_mode | default('0600') }}"
owner: "{{ ca.key_owner | default('root') }}"
group: "{{ ca.key_group | default('root') }}"
mode: "{{ ca.key_mode | default(pki_key_mode) }}"
owner: "{{ ca.key_owner | default(pki_owner) | default(omit) }}"
group: "{{ ca.key_group | default(pki_group) | default(omit) }}"
register: ca_privkey
- name: Read the serial number for {{ ca.name }}
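Review bot: In the first hunk the `ca_dir` entry keeps a literal `mode: "0755"` while its `csr`, `private` and `certs` siblings were moved to the new role variables, and the task's own fallback also hardcodes `default('0755')`, so `pki_cert_dir_mode` never reaches the CA root directory. Suggest `mode: "{{ pki_cert_dir_mode }}"` for the `ca_dir` entry and `mode: "{{ item.mode | default(pki_cert_dir_mode) }}"` for the fallback. Mapping the `csr` directory to `pki_key_dir_mode` preserves the previous 0700 but ties CSR permissions to the key knob; a one-line comment such as `# csr dir is kept as private as the key dirs` above that entry would make the intent explicit. Both tasks in these hunks have their `- name:` headers outside the visible lines.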


@ -17,10 +17,10 @@
_pki_cert_dirs:
- path: "{{ pki_dir }}"
- path: "{{ pki_dir ~ '/certs' }}"
mode: "0755"
mode: "{{ pki_cert_dir_mode }}"
- path: "{{ pki_dir ~ '/certs/csr' }}"
mode: "0700"
mode: "{{ pki_key_dir_mode }}"
- path: "{{ pki_dir ~ '/certs/private' }}"
mode: "0700"
mode: "{{ pki_key_dir_mode }}"
- path: "{{ pki_dir ~ '/certs/certs' }}"
mode: "0755"
mode: "{{ pki_cert_dir_mode }}"
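Review bot: The `pki_dir` entry at the top of `_pki_cert_dirs` is the only one left without a `mode`, so it falls back to whatever the directory task defaults to (a hardcoded `'0755'` in this commit) instead of `pki_cert_dir_mode`. Suggest adding `mode: "{{ pki_cert_dir_mode }}"` under `- path: "{{ pki_dir }}"` so all four directories follow the same variable. The list may continue past the end of this hunk.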