Allow certificates to be installed by specifying them by name

Previously the full path to the certificate on the PKI host was required to be in the `src` parameter to the pki role. This means that internal knowledge about the implementation of the PKI role was needed in the code using the role. This change allows the certificate to be installed to be specified by name, in exactly the same way that the name can be specificed when the certificate is created with the standalone backend. The `src` parameter is now reserved for when the user wants to pass in a path to their own certificate, and install directly from that instead. Change-Id: Ib38cc344ac42783af5c4f7a0d74a9bb310b879ff Signed-off-by: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
2025-07-07 13:39:40 +01:00
parent a53ec1ef63
commit fc7db02074
3 changed files with 70 additions and 2 deletions
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
@@ -123,12 +123,18 @@ foo_certificates_variable:
    signed_by: "ExampleCorpIntermediate"
    condition: false

-# Certificates to install from the default variable
+# Certificates to install from the default variable, specifying "src"
 functional_install_cert_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_1.crt' }}"
 functional_install_chain_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_1-chain.crt' }}"
 functional_install_ca_bundle_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_1-ca_bundle.crt' }}"
 functional_install_key_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_1.key.pem' }}"

+# Certificates to install from the default variable, specifying "name" and "type"
+functional_install_cert_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_name_1.crt' }}"
+functional_install_chain_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_name_1-chain.crt' }}"
+functional_install_ca_bundle_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_name_1-ca_bundle.crt' }}"
+functional_install_key_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_name_1.key.pem' }}"
+
 pki_install_certificates:
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1.crt' }}"
    dest: "{{ functional_install_cert_1_dest }}"
@@ -150,6 +156,30 @@ pki_install_certificates:
    owner: "root"
    group: "root"
    mode: "0640"
+  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
+    dest: "{{ functional_install_cert_name_1_dest }}"
+    type: "certificate"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
+    dest: "{{ functional_install_chain_name_1_dest }}"
+    type: "certificate_chain"
+    owner: "root"
+    group: "root"
+    mode: "0640"
+  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
+    dest: "{{ functional_install_ca_bundle_name_1_dest }}"
+    type: "ca_bundle"
+    owner: "root"
+    group: "root"
+    mode: "0640"
+  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
+    dest: "{{ functional_install_key_name_1_dest }}"
+    type: "private_key"
+    owner: "root"
+    group: "root"
+    mode: "0640"

 # Custom certificate installation search pattern
 pki_search_install_certificates_pattern: "foo_install_certificates_"
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -26,6 +26,7 @@
          - ca_3_stat.stat.exists

    # Check that certificates are installed (or absent) at the correct path
+    # 1 installed via "src"
    - ansible.builtin.stat:
        path: "{{ functional_install_cert_1_dest }}"
      register: cert_1_stat
@@ -42,6 +43,24 @@
        path: "{{ functional_install_key_1_dest }}"
      register: key_1_stat

+    # 1 installed via "name" and "type"
+    - ansible.builtin.stat:
+        path: "{{ functional_install_cert_name_1_dest }}"
+      register: cert_name_1_stat
+
+    - ansible.builtin.stat:
+        path: "{{ functional_install_chain_name_1_dest }}"
+      register: chain_name_1_stat
+
+    - ansible.builtin.stat:
+        path: "{{ functional_install_ca_bundle_name_1_dest }}"
+      register: chain_name_1_stat
+
+    - ansible.builtin.stat:
+        path: "{{ functional_install_key_name_1_dest }}"
+      register: key_name_1_stat
+
+    # others
    - ansible.builtin.stat:
        path: "{{ functional_install_cert_2_dest }}"
      register: cert_2_stat
@@ -76,6 +95,9 @@
          - chain_1_stat.stat.exists
          - ca_bundle_1_stat.stat.exists
          - key_1_stat.stat.exists
+          - cert_name_1_stat.stat.exists
+          - chain_name_1_stat.stat.exists
+          - key_name_1_stat.stat.exists
          - cert_2_stat.stat.exists
          - chain_2_stat.stat.exists
          - ca_bundle_2_stat.stat.exists
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
@@ -24,9 +24,25 @@
    - pki_create_certificates | default(true)

 - name: Slurp up server certificates from pki setup host ({{ pki_setup_host }})
+  vars:
+    # location for the certificates on the PKI host
+    cert_dir: "{{ pki_dir }}/certs"
+
+    # construct the path to the source when "name" is specified
+    _source_files:
+      "certificate": "{{ cert_dir ~ '/certs/' ~ item.name ~ '.crt' }}"
+      "certificate_chain": "{{ cert_dir ~ '/certs/' ~ item.name ~ '-chain.crt' }}"
+      "ca_bundle": "{{ cert_dir ~ '/certs/' ~ item.name ~ '-ca_bundle.crt' }}"
+      "private_key": "{{ cert_dir ~ '/private/' ~ item.name ~ '.key.pem' }}"
+
+    # pick the source based on the type
+    _source: "{{ _source_files[item.type | default('certificate')] }}"
+
+    # detect a valid value of "src"
+    _use_src: "{{ item.src is defined and item.src is truthy }}"
  delegate_to: "{{ pki_setup_host }}"
  ansible.builtin.slurp:
-    src: "{{ item.src }}"
+    src: "{{ _use_src | ternary(item.src, _source) }}"
  register: _cert_slurp
  loop: "{{ _pki_install_certificates_defs }}"
  ignore_errors: "{{ ansible_check_mode }}"