Jonathan Rosser 9108a8953f Refactor conditional generation of CA and certificates
This was previously spread around the code as 'when:' clauses on ansible
tasks.

This patch refactors the conditional code to be entirely within the
dynamic generation of variables in vars/main.yml. Any elements from
the default or discovered CA or certificate lists which have
condition=false are removed, so no conditionals are required elsewhere
in the code.

pki_authorities and pki_certificates are defined as empty lists in the
ansible defaults to further reduce the need for the use of default()
in the rest of the role.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/830806
Change-Id: Iea809406b1d4140b985fcb038663ae0257336463
2022-03-22 15:27:20 +00:00


---
# Copyright 2021, BBC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
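# CA certificates to create. The role also picks up any variable whose name
# matches pki_search_authorities_pattern and merges those entries in; entries
# whose condition evaluates false are dropped from the resulting list.
pki_authorities: []

# Global enable/disable of CA generation
pki_create_ca: true

# Variable name pattern to search ansible vars for other authority definitions
pki_search_authorities_pattern: "pki_authorities_"

# Example variables defining certificate authorities.
# The root is self-signed and long-lived; its private key never needs to leave
# the setup host. Sign leaf certificates with the intermediate rather than the
# root, so a rotated or compromised intermediate does not force re-issuing the
# root and re-distributing it to every trust store.
# pki_authorities_roots:
#   - name: "SnakeRoot"
#     provider: selfsigned
#     email_address: "pki@snakeoil.com"
#     basic_constraints: "CA:TRUE"
#     cn: "Snake Oil Corp Root CA"
#     country_name: "GB"
#     state_or_province_name: "England"
#     organization_name: "Snake Oil Corporation"
#     organizational_unit_name: "IT Security"
#     key_usage:
#       - digitalSignature
#       - cRLSign
#       - keyCertSign
#     not_after: "+3650d"
#
# NOTE(review): the intermediate example sets no basic_constraints; confirm the
# role defaults it to CA:TRUE (ideally with pathlen:0) or set it explicitly.
# pki_authorities_intermediates:
#   - name: "SnakeRootIntermediate"
#     email_address: "pki@snakeoil.com"
#     provider: ownca
#     cn: "Snake Oil Corp Openstack Infrastructure Intermediate CA"
#     country_name: "GB"
#     state_or_province_name: "England"
#     organization_name: "Snake Oil Corporation"
#     organizational_unit_name: "IT Security"
#     key_usage:
#       - digitalSignature
#       - cRLSign
#       - keyCertSign
#     not_after: "+365d"
#     signed_by: "SnakeRoot"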
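# Example variable of CAs to install into the system trust store
# pki_install_ca:
#   # CA created by the PKI role (referenced by name)
#   - name: SnakeRoot
#
#   # user provided CA copied from the deploy host (src) to the target (filename)
#   - src: /opt/my-ca/MyRoot.crt
#     filename: /etc/ssl/certs/MyRoot.crt
#
# Only list CAs that should be trusted system-wide on the target: anything
# placed in the trust store locations below is accepted by every TLS client on
# that host, not just the services this role configures.
pki_install_ca: []

# Variable name pattern to search ansible vars for other CA installation definitions
pki_search_install_ca_pattern: "pki_install_ca_"

# Set this to the name of a CA to regenerate, or to 'true' to regenerate all.
# A regenerated CA gets a new key pair and certificate (verify in the role's
# tasks), so certificates it previously signed no longer chain to it: regenerate
# those as well (pki_regen_cert) and reinstall the new CA certificate wherever
# it is trusted.
pki_regen_ca: ''

# locations of system trust stores to install CA certs to, keyed apt / dnf
pki_trust_store_location:
  apt: /usr/local/share/ca-certificates/
  dnf: /etc/pki/ca-trust/source/anchors/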
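# Server certificates to create. Entries from variables matching
# pki_search_certificates_pattern are merged in; entries whose condition
# evaluates false are dropped.
pki_certificates: []

# Variable name pattern to search ansible vars for other certificate definitions
pki_search_certificates_pattern: "pki_certificates_"

# Example variable defining server certificates.
# Put every hostname and IP that clients will connect with in 'san': modern TLS
# clients match the subjectAltName only and ignore 'cn'.
# pki_certificates_default:
#   - name: "SnakeWeb"
#     provider: ownca
#     cn: "www.snakeoil.com"
#     san: "DNS:www.snakeoil.com,DNS:snakeoil.com"
#     signed_by: "SnakeRootIntermediate"
#   - name: "SnakeMail"
#     provider: ownca
#     cn: "imap.snakeoil.com"
#     san: "DNS:imap.snakeoil.com"
#     signed_by: "SnakeRootIntermediate"

# Example variable defining a server certificate from ansible host variables.
# ansible_facts['default_ipv4'] is a dict; use its 'address' key in the SAN,
# otherwise the dict's text representation ends up in the certificate request.
# pki_certificates_default:
#   - name: "myservice_{{ ansible_facts['hostname'] }}"
#     cn: "{{ ansible_facts['hostname'] }}"
#     provider: ownca
#     san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_facts['default_ipv4']['address'] }}"
#     signed_by: "SnakeRootIntermediate"

# set this to the name of the certificate to regenerate, or to 'true' to regenerate all
pki_regen_cert: ''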
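# Host where the generated PKI files are kept. CA and server private keys are
# created and stored under pki_dir on this host, so it needs the same
# protection as the CA itself; certificates and keys are then copied to
# targets via pki_install_certificates.
pki_setup_host: localhost

# Python interpreter that will be used during cert generation
pki_setup_host_python_interpreter: "{{ (pki_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}"

# base directory for the CA and server certificates (and their private keys)
pki_dir: "/etc/pki"

# subdirectories to be created for holding CA certs/keys/csr
pki_ca_dirs: "{{ _pki_ca_dirs }}"

# subdirectories to be created for holding server certs/keys/csr
pki_cert_dirs: "{{ _pki_cert_dirs }}"

# certificates to install on the target host
pki_install_certificates: []

# Variable name pattern to search ansible vars for other certificate installation definitions
pki_search_install_certificates_pattern: "pki_install_certificates_"

# Example variable for installation of server certificates with an optional
# user supplied override for each file. Source paths follow the layout the
# role creates under pki_dir (see pki_cert_dirs / pki_ca_dirs); note every
# default path needs the leading '/' after pki_dir. Keep the private key
# readable only by the service account (mode 0600); certificates can be 0644.
# pki_install_certificates:
#   # server certificate
#   - src: "{{ myservice_user_ssl_cert | default(pki_dir ~ '/certs/certs/myservice_' ~ ansible_facts['hostname'] ~ '.crt') }}"
#     dest: "{{ myservice_ssl_cert }}"
#     owner: "root"
#     group: "root"
#     mode: "0644"
#   # private key
#   - src: "{{ myservice_user_ssl_key | default(pki_dir ~ '/certs/keys/myservice_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
#     dest: "{{ myservice_ssl_key }}"
#     owner: "myservice"
#     group: "myservice"
#     mode: "0600"
#   # intermediate CA
#   - src: "{{ myservice_user_ssl_ca_cert | default(pki_dir ~ '/roots/SnakeRootIntermediate/certs/SnakeRootIntermediate.crt') }}"
#     dest: "{{ myservice_ssl_ca_cert }}"
#     owner: "myservice"
#     group: "myservice"
#     mode: "0644"

# method used to create the certificates
pki_method: standalone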