Merge "Support adding a trusted CA certificate in ansible"
commit
7a9bc2f330
@ -130,6 +130,22 @@ docker_registries:
|
||||||
|
|
||||||
#is_secure_registry: True
|
#is_secure_registry: True
|
||||||
|
|
||||||
|
# Certificates
|
||||||
|
# =================
|
||||||
|
#
|
||||||
|
# These values provide a means to install certificates onto the system.
|
||||||
|
# For example the ssl_ca_cert parameter may be used to install a trusted CA to
|
||||||
|
# the system. A trusted CA certificate will be required if the end user
|
||||||
|
# configures a private docker registry that is signed by an unknown Certificate
|
||||||
|
# Authority.
|
||||||
|
#
|
||||||
|
# The certificate value is the absolute path of the certificate file.
|
||||||
|
# The certificate must be in PEM format.
|
||||||
|
# The supported certificates are:
|
||||||
|
# - ssl_ca_cert
|
||||||
|
#
|
||||||
|
#ssl_ca_cert: /path/to/ssl_ca_cert_file
|
||||||
|
|
||||||
# ADMIN CREDENTIALS
|
# ADMIN CREDENTIALS
|
||||||
# =================
|
# =================
|
||||||
#
|
#
|
||||||
|
|
|
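Review bot: The new comment block tells the user what ssl_ca_cert is for but not what the file may contain or how far the resulting trust reaches, and a reader could reasonably point it at a server chain or a bundle that includes a key. I would add after the PEM line: `# The file should contain only the CA certificate(s) to trust, never a private key.` and, hedged because the install path depends on how `system certificate-install -m ssl_ca` consumes it (not visible here): `# If the CA is added to the platform trust store, every certificate it has signed is accepted by all services using that store, not only the docker registry.` A one-line reminder that the path is read on the bootstrap host (the copy task's `src:` is local to the controller) would also save a round of confusion.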
@ -186,6 +186,34 @@
|
||||||
|
|
||||||
when: save_config
|
when: save_config
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Copy ssl_ca certificate
|
||||||
|
copy:
|
||||||
|
src: "{{ ssl_ca_cert }}"
|
||||||
|
dest: "{{ temp_ssl_ca }}"
|
||||||
|
|
||||||
|
- name: Remove ssl_ca complete flag
|
||||||
|
file:
|
||||||
|
path: "{{ ssl_ca_complete_flag }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Add ssl_ca certificate
|
||||||
|
shell: source /etc/platform/openrc; system certificate-install -m ssl_ca {{ temp_ssl_ca }}
|
||||||
|
|
||||||
|
- name: Wait for certificate install
|
||||||
|
wait_for:
|
||||||
|
path: "{{ ssl_ca_complete_flag }}"
|
||||||
|
state: present
|
||||||
|
timeout: 360
|
||||||
|
msg: Timeout waiting for ssl_ca certificate install
|
||||||
|
|
||||||
|
- name: Cleanup temporary certificate
|
||||||
|
file:
|
||||||
|
path: "{{ temp_ssl_ca }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
when: ssl_ca_cert is defined and ssl_ca_cert
|
||||||
|
|
||||||
# PXE boot files
|
# PXE boot files
|
||||||
- name: Set pxeboot files source if address allocation is dynamic
|
- name: Set pxeboot files source if address allocation is dynamic
|
||||||
set_fact:
|
set_fact:
|
||||||
|
|
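Review bot: The `Cleanup temporary certificate` task runs only when every earlier task in the block succeeds, so a non-zero `system certificate-install` or a `wait_for` timeout leaves the staged CA file at `temp_ssl_ca` behind; moving it under `always:` removes it on both paths. The `shell:` line also interpolates `{{ temp_ssl_ca }}` unquoted into the command; the value comes from the vars file today, but `{{ temp_ssl_ca | quote }}` costs nothing and protects against a future path with spaces or shell metacharacters. `source` is a bash builtin rather than POSIX sh, so if `/bin/sh` on the target is not bash the task needs `args: executable: /bin/bash`. The block is wholly inside the hunk; the surrounding play continues outside it.
```yaml
- block:
    - name: Copy ssl_ca certificate
      copy:
        src: "{{ ssl_ca_cert }}"
        dest: "{{ temp_ssl_ca }}"

    # … unchanged: Remove ssl_ca complete flag …

    - name: Add ssl_ca certificate
      shell: source /etc/platform/openrc; system certificate-install -m ssl_ca {{ temp_ssl_ca | quote }}
      args:
        executable: /bin/bash

    # … unchanged: Wait for certificate install …

  always:
    - name: Cleanup temporary certificate
      file:
        path: "{{ temp_ssl_ca }}"
        state: absent

  when: ssl_ca_cert is defined and ssl_ca_cert
```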
|
@ -3,3 +3,5 @@ keyring_workdir: /tmp/python_keyring
|
||||||
docker_proxy_conf: /etc/systemd/system/docker.service.d/http-proxy.conf
|
docker_proxy_conf: /etc/systemd/system/docker.service.d/http-proxy.conf
|
||||||
minimum_root_disk_size: 240
|
minimum_root_disk_size: 240
|
||||||
default_security_feature: "nopti nospectre_v2"
|
default_security_feature: "nopti nospectre_v2"
|
||||||
|
temp_ssl_ca: /tmp/ca_cert.pem
|
||||||
|
ssl_ca_complete_flag: /etc/platform/.ssl_ca_complete
|
||||||
|
|
|
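Review bot: `temp_ssl_ca: /tmp/ca_cert.pem` stages a trust anchor at a fixed, predictable name in a world-writable directory; if any unprivileged local account exists on the host at bootstrap time, that name can be pre-created as a file or symlink before the playbook runs. I believe Ansible's `copy` replaces the destination atomically, so the practical window is narrow, but a root-only location removes the question entirely, e.g. a file next to `ssl_ca_complete_flag` under `/etc/platform/`, or a per-run name from the `tempfile` module. Whatever path is chosen, a short comment such as `# staging path for the CA cert; must not be writable by other users` would record the requirement.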
@ -389,6 +389,12 @@
|
||||||
(docker_images_archive_source is not none)
|
(docker_images_archive_source is not none)
|
||||||
|
|
||||||
|
|
||||||
|
- name: Check for ssl_ca_cert file
|
||||||
|
fail:
|
||||||
|
msg: "ssl_ca_cert file not found. ({{ ssl_ca_cert }})"
|
||||||
|
when: ssl_ca_cert is defined and (not ssl_ca_cert is file)
|
||||||
|
|
||||||
|
|
||||||
# bootstrap_config ini file generation
|
# bootstrap_config ini file generation
|
||||||
- block:
|
- block:
|
||||||
- name: Create config workdir
|
- name: Create config workdir
|
||||||
|
|
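Review bot: The new `when: ssl_ca_cert is defined and (not ssl_ca_cert is file)` fails for a defined-but-empty `ssl_ca_cert`, while the install block added by the same commit skips on that value (`ssl_ca_cert is defined and ssl_ca_cert`), so `ssl_ca_cert: ""` aborts bootstrap with `ssl_ca_cert file not found. ()` even though nothing would be installed. Either reject empty deliberately with a message that says so, or align the conditions: `when: ssl_ca_cert is defined and ssl_ca_cert and not ssl_ca_cert is file`. Note that `is file` only confirms a regular file exists on the controller and says nothing about its content; presumably `system certificate-install` rejects a non-PEM or non-CA input, but a pre-check such as `openssl x509 -noout -in {{ ssl_ca_cert | quote }}` would fail earlier and with a clearer message.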