From 23b04161bf5cd073a3e01fd715e844dec66eb62c Mon Sep 17 00:00:00 2001
From: Aleksandr Rykalin
Date: Tue, 19 Nov 2019 19:48:41 +0300
Subject: [PATCH 1/7] Update vcert to test version
---
 library/venafi_certificate.py | 8 ++++++++
 molecule/default/playbook.yml | 2 +-
 requirements.txt | 2 +-
 tasks/local-certificate.yml | 3 ++-
 tasks/remote-certificate.yml | 1 +
 5 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
index 05b7f96..a51f7dd 100644
--- a/library/venafi_certificate.py
+++ b/library/venafi_certificate.py
@@ -294,7 +294,15 @@ def __init__(self, module):
 self.privatekey_filename = module.params['privatekey_path']
 self.certificate_filename = module.params['cert_path']
 self.privatekey_type = module.params['privatekey_type']
+ if module.params['privatekey_curve']:
+ if not module.params['privatekey_type']:
+ module.fail_json(
+ msg="privatekey_type should be set if privatekey_curve configured")
 self.privatekey_curve = module.params['privatekey_curve']
+ if module.params['privatekey_size']:
+ if not module.params['privatekey_type']:
+ module.fail_json(
+ msg="privatekey_type should be set if privatekey_size configured")
 self.privatekey_size = module.params['privatekey_size']
 self.privatekey_passphrase = module.params['privatekey_passphrase']
 self.privatekey_reuse = module.params['privatekey_reuse']
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
index 32ccf1d..b592f36 100644
--- a/molecule/default/playbook.yml
+++ b/molecule/default/playbook.yml
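Review bot: The two new guards in `__init__` are the same check written twice — each tests a dependent parameter for truthiness and then calls `module.fail_json` when `privatekey_type` is empty — and are worth collapsing into one loop so that the next dependent parameter does not become a third copy. Both guards only verify presence: neither looks at the value of `privatekey_size` or `privatekey_curve` itself, so an unsupported or weak value appears to be handed on to vcert unchanged; if the library does not reject such values, this constructor is the place for that check. A single formatted message would also remove the need for the string wrapping added in the later lint commit. `__init__` continues outside the hunk.

```python
        self.privatekey_type = module.params['privatekey_type']
        # A curve or size is meaningless without a key type; fail early
        # rather than letting the enrollment fail later with a vaguer error.
        for dependent in ('privatekey_curve', 'privatekey_size'):
            if module.params[dependent] and not self.privatekey_type:
                module.fail_json(
                    msg="privatekey_type should be set if %s configured"
                        % dependent)
        self.privatekey_curve = module.params['privatekey_curve']
        self.privatekey_size = module.params['privatekey_size']
        # … unchanged: passphrase / reuse assignments …
```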
@@ -15,7 +15,7 @@ certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}" certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem" certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem" - certificate_privatekey_size: "4096" + certificate_privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}" certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key" certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr" diff --git a/requirements.txt b/requirements.txt index 35e0bbb..e3425aa 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -vcert>=0.6.8 +git+https://github.com/Venafi/vcert-python.git@fix-tpp-zone-configuration-parser ansible cryptography \ No newline at end of file diff --git a/tasks/local-certificate.yml b/tasks/local-certificate.yml index a410a63..eaa575e 100644 --- a/tasks/local-certificate.yml +++ b/tasks/local-certificate.yml @@ -22,7 +22,8 @@ cert_path: "{{ certificate_cert_path }}" chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}" privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}" - privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 4096 }}" + privatekey_type: "{{ certificate_privatekey_type if certificate_privatekey_type is defined else None }}" + privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}" common_name: "{{ certificate_common_name }}" alt_name: "{{ certificate_alt_name | default([]) }}" before_expired_hours: "{{ certificate_before_expired_hours if certificate_before_expired_hours is defined else 72 }}" diff --git a/tasks/remote-certificate.yml b/tasks/remote-certificate.yml index 69853f7..4aca99e 100644 --- a/tasks/remote-certificate.yml 
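Review bot: The new requirements.txt line pins vcert to a branch name (`@fix-tpp-zone-configuration-parser`) rather than an immutable revision, so every install resolves whatever that branch points to at the time: builds are not reproducible and a later push to the branch silently changes the code this role runs. If the test build is needed, pin the exact commit, e.g. `git+https://github.com/Venafi/vcert-python.git@<commit-sha>#egg=vcert`, and restore a released `vcert>=…` requirement before merging. The commit subject already calls this a test version, so at minimum a `# temporary: test build, replace with a released vcert before merge` comment above the line would keep it from being merged by accident.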
+++ b/tasks/remote-certificate.yml
@@ -12,6 +12,7 @@
 cert_path: "{{ certificate_cert_path }}"
 chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
 privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
+ privatekey_type: "{{ certificate_privatekey_type if certificate_privatekey_type is defined else None }}"
 privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}"
 common_name: "{{ certificate_common_name }}"
 alt_name: "{{ certificate_alt_name | default([]) }}"
From 47cd6bec3aa39c4f1f6c9320a8d8be527caad5de Mon Sep 17 00:00:00 2001
From: Aleksandr Rykalin
Date: Tue, 19 Nov 2019 19:54:47 +0300
Subject: [PATCH 2/7] Fixing second enroll
---
 library/venafi_certificate.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
index a51f7dd..7ab6018 100644
--- a/library/venafi_certificate.py
+++ b/library/venafi_certificate.py
@@ -691,7 +691,8 @@ def main():
 vcert.enroll()
 else:
 module.exit_json(**change_dump)
- vcert.enroll()
+ else:
+ vcert.enroll()
 elif module.params['force']:
 vcert.enroll()
 vcert.validate()
From a45197e8506ab7840dfaf62906be9d3d060ede55 Mon Sep 17 00:00:00 2001
From: Aleksandr Rykalin
Date: Tue, 19 Nov 2019 19:57:16 +0300
Subject: [PATCH 3/7] Fixing lint
---
 library/venafi_certificate.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
index 7ab6018..a8e6360 100644
--- a/library/venafi_certificate.py
+++ b/library/venafi_certificate.py
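Review bot: The indentation of this `main()` hunk is lost in the rendering, so the nesting of the new `else:` cannot be confirmed from here; assuming it pairs with the outer `if` whose body holds the first `vcert.enroll()`, the change does stop the double enrollment, since `module.exit_json()` never returns and the removed trailing `vcert.enroll()` ran after the branch that had already enrolled. The three-way branch (enroll / exit unchanged / enroll-on-force) is easy to misread, so a one-line comment would help the next reader, e.g. `# exit_json() does not return; each branch below enrolls at most once`. The body of `main()` starts and ends outside the hunk.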
@@ -297,12 +297,14 @@ def __init__(self, module):
 if module.params['privatekey_curve']:
 if not module.params['privatekey_type']:
 module.fail_json(
- msg="privatekey_type should be set if privatekey_curve configured")
+ msg="privatekey_type should be "
+ "set if privatekey_curve configured")
 self.privatekey_curve = module.params['privatekey_curve']
 if module.params['privatekey_size']:
 if not module.params['privatekey_type']:
 module.fail_json(
- msg="privatekey_type should be set if privatekey_size configured")
+ msg="privatekey_type should be set if "
+ "privatekey_size configured")
 self.privatekey_size = module.params['privatekey_size']
 self.privatekey_passphrase = module.params['privatekey_passphrase']
 self.privatekey_reuse = module.params['privatekey_reuse']
From 38263faad1f25d242b68abcac54b6d3fe06e4a08 Mon Sep 17 00:00:00 2001
From: Aleksandr Rykalin
Date: Tue, 19 Nov 2019 20:22:42 +0300
Subject: [PATCH 4/7] use default(omit) structure for undefined variables
---
 molecule/default/playbook.yml | 36 ++++++++---------
 tasks/local-certificate.yml | 20 +++++-----
 tasks/remote-certificate.yml | 22 +++++------
 tests/venafi-playbook-example.yml | 54 +++++++++++++-------------
 tests/venafi-role-playbook-example.yml | 36 ++++++++---------
 5 files changed, 84 insertions(+), 84 deletions(-)
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
index b592f36..a7ae12f 100644
--- a/molecule/default/playbook.yml
+++ b/molecule/default/playbook.yml
@@ -42,13 +42,13 @@ - name: "Verify Venafi certificate on remote host" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" 
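Review bot: The `test_mode` argument in this task keeps the old `if … is defined else 'false'` form while every neighbouring credential argument was moved to `| default(omit)`, so the hunk leaves one argument rendering the string `'false'` where the others are omitted; for consistency use `test_mode: "{{ venafi.test_mode | default(false) }}"`. The same leftover appears in every other hunk of this commit (the two later hunks of this file and the hunks in tasks/local-certificate.yml, tasks/remote-certificate.yml, tests/venafi-playbook-example.yml and tests/venafi-role-playbook-example.yml). The adjacent `chain_path` and `privatekey_path` context lines test `certificate_remote_chain_path`/`certificate_remote_privatekey_path` without `is defined`, which would presumably raise an undefined-variable error when those variables are absent — outside what this commit touches, but worth a follow-up. The task list continues outside the hunk.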
@@ -62,13 +62,13 @@ - name: "Example verification which will always fail with debug message" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" 
@@ -87,13 +87,13 @@ - name: "This one shouldn't enroll new Venafi certificate on remote host because it's valid" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" diff --git a/tasks/local-certificate.yml b/tasks/local-certificate.yml index eaa575e..d532872 100644 --- a/tasks/local-certificate.yml +++ b/tasks/local-certificate.yml 
@@ -12,18 +12,18 @@
 - name: "Enroll Venafi certificate on local host"
 local_action:
 module: venafi_certificate
- url: "{{ venafi.url if venafi.url is defined else None }}"
- token: "{{ venafi.token if venafi.token is defined else None }}"
- zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+ url: "{{ venafi.url | default(omit) }}"
+ token: "{{ venafi.token | default(omit) }}"
+ zone: "{{ venafi.zone | default(omit) }}"
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
- user: "{{ venafi.user if venafi.user is defined else None }}"
- password: "{{ venafi.password if venafi.password is defined else None }}"
- trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+ user: "{{ venafi.user | default(omit) }}"
+ password: "{{ venafi.password | default(omit) }}"
+ trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_cert_path }}"
- chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
- privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
- privatekey_type: "{{ certificate_privatekey_type if certificate_privatekey_type is defined else None }}"
- privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}"
+ chain_path: "{{ certificate_chain_path | default(omit) }}"
+ privatekey_path: "{{ certificate_privatekey_path | default(omit) }}"
+ privatekey_type: "{{ certificate_privatekey_type | default(omit) }}"
+ privatekey_size: "{{ certificate_privatekey_size | default(omit) }}"
 common_name: "{{ certificate_common_name }}"
 alt_name: "{{ certificate_alt_name | default([]) }}"
 before_expired_hours: "{{ certificate_before_expired_hours if certificate_before_expired_hours is defined else 72 }}"
diff --git a/tasks/remote-certificate.yml b/tasks/remote-certificate.yml
index 4aca99e..9ad86d6 100644
--- a/tasks/remote-certificate.yml
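Review bot: `before_expired_hours` on the last context line keeps an explicit fallback of 72 here, while the same argument in tasks/remote-certificate.yml is switched to `| default(omit)` in this commit, so the local and remote paths now fall back to different values (72 here versus the module's own default, which is not visible in this diff). Pick one: either `before_expired_hours: "{{ certificate_before_expired_hours | default(omit) }}"` here as well, or the explicit 72 in both task files. Likewise `privatekey_size` drops the 2048 fallback that the first commit of this series added, which is fine only if the module default is the intended one; a short comment in the role's defaults stating which value applies when unset would document that. The enclosing task continues outside the hunk.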
+++ b/tasks/remote-certificate.yml 
@@ -2,21 +2,21 @@
 ---
 - name: "Enroll Venafi certificate on remote host"
 venafi_certificate:
- url: "{{ venafi.url if venafi.url is defined else None }}"
- token: "{{ venafi.token if venafi.token is defined else None }}"
- zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+ url: "{{ venafi.url | default(omit) }}"
+ token: "{{ venafi.token | default(omit) }}"
+ zone: "{{ venafi.zone | default(omit) }}"
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
- user: "{{ venafi.user if venafi.user is defined else None }}"
- password: "{{ venafi.password if venafi.password is defined else None }}"
- trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+ user: "{{ venafi.user | default(omit) }}"
+ password: "{{ venafi.password | default(omit) }}"
+ trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_cert_path }}"
- chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
- privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
- privatekey_type: "{{ certificate_privatekey_type if certificate_privatekey_type is defined else None }}"
- privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}"
+ chain_path: "{{ certificate_chain_path | default(omit) }}"
+ privatekey_path: "{{ certificate_privatekey_path | default(omit) }}"
+ privatekey_type: "{{ certificate_privatekey_type | default(omit) }}"
+ privatekey_size: "{{ certificate_privatekey_size | default(omit) }}"
 common_name: "{{ certificate_common_name }}"
 alt_name: "{{ certificate_alt_name | default([]) }}"
- before_expired_hours: "{{ certificate_before_expired_hours if certificate_before_expired_hours is defined else None }}"
+ before_expired_hours: "{{ certificate_before_expired_hours | default(omit) }}"
 force: "{{ certificate_force if certificate_force is defined else false }}"
 register: certout
 - name: "dump test output"
diff --git a/tests/venafi-playbook-example.yml b/tests/venafi-playbook-example.yml
index 3c1867b..768f02f 100644
--- a/tests/venafi-playbook-example.yml
+++ b/tests/venafi-playbook-example.yml
@@ -64,17 +64,17 @@
 - name: "Enroll Venafi certificate on local host"
 local_action:
 module: venafi_certificate
- url: "{{ venafi.url if venafi.url is defined else None }}"
- token: "{{ venafi.token if venafi.token is defined else None }}"
- zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+ url: "{{ venafi.url | default(omit) }}"
+ token: "{{ venafi.token | default(omit) }}"
+ zone: "{{ venafi.zone | default(omit) }}"
 test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
- user: "{{ venafi.user if venafi.user is defined else None }}"
- password: "{{ venafi.password if venafi.password is defined else None }}"
- trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+ user: "{{ venafi.user | default(omit) }}"
+ password: "{{ venafi.password | default(omit) }}"
+ trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
 cert_path: "{{ certificate_cert_path }}"
- chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
- privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
- privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else None }}"
+ chain_path: "{{ certificate_chain_path | default(omit) }}"
+ privatekey_path: "{{ certificate_privatekey_path | default(omit) }}"
+ privatekey_size: "{{ certificate_privatekey_size | default(omit) }}"
 common_name: "{{ certificate_common_name }}"
 register: certout
 - name: "Certificate is in following state:"
@@ -106,13 +106,13 @@ - name: "Verify Venafi certificate on remote host" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" 
@@ -126,13 +126,13 @@ - name: "Example verification which will always fail with debug message" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" 
@@ -151,13 +151,13 @@ - name: "This one shouldn't enroll new Venafi certificate on remote host because it's valid" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" diff --git a/tests/venafi-role-playbook-example.yml b/tests/venafi-role-playbook-example.yml index 1458468..57f7699 100644 --- a/tests/venafi-role-playbook-example.yml +++ b/tests/venafi-role-playbook-example.yml 
@@ -49,13 +49,13 @@ - vcert - name: "Verify Venafi certificate on remote host" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" 
@@ -70,13 +70,13 @@ - name: "Example verification which will always fail with debug message" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" 
@@ -91,13 +91,13 @@ - name: "This one shouldn't enroll new Venafi certificate on remote host because it's valid" venafi_certificate: - url: "{{ venafi.url if venafi.url is defined else None }}" - token: "{{ venafi.token if venafi.token is defined else None }}" - zone: "{{ venafi.zone if venafi.zone is defined else None }}" + url: "{{ venafi.url | default(omit) }}" + token: "{{ venafi.token | default(omit) }}" + zone: "{{ venafi.zone | default(omit) }}" test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}" - user: "{{ venafi.user if venafi.user is defined else None }}" - password: "{{ venafi.password if venafi.password is defined else None }}" - trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}" + user: "{{ venafi.user | default(omit) }}" + password: "{{ venafi.password | default(omit) }}" + trust_bundle: "{{ venafi.trust_bundle | default(omit) }}" cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}" chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}" privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}" From 01da45fcdecbb7422f9c9bbbeab7afb7dc38d4be Mon Sep 17 00:00:00 2001 From: Aleksandr Rykalin Date: Tue, 19 Nov 2019 20:36:57 +0300 Subject: [PATCH 5/7] finixg "{{ certificate_privatekey_size | default(omit) }}" varibales --- molecule/default/playbook.yml | 4 +++- tasks/local-certificate.yml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index a7ae12f..005b18a 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml 
@@ -15,7 +15,9 @@ certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}" certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem" certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem" - certificate_privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}" + certificate_privatekey_type: "{{ certificate_privatekey_type | default(omit) }}" + certificate_privatekey_size: "{{ certificate_privatekey_size | default(omit) }}" + certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key" certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr" diff --git a/tasks/local-certificate.yml b/tasks/local-certificate.yml index d532872..d802f1b 100644 --- a/tasks/local-certificate.yml +++ b/tasks/local-certificate.yml @@ -24,6 +24,7 @@ privatekey_path: "{{ certificate_privatekey_path | default(omit) }}" privatekey_type: "{{ certificate_privatekey_type | default(omit) }}" privatekey_size: "{{ certificate_privatekey_size | default(omit) }}" + privatekey_curve: "{{ certificate_privatekey_curve | default(omit) }}" common_name: "{{ certificate_common_name }}" alt_name: "{{ certificate_alt_name | default([]) }}" before_expired_hours: "{{ certificate_before_expired_hours if certificate_before_expired_hours is defined else 72 }}" From bbb547dea6a30b593cabd5401b3005f58434dafb Mon Sep 17 00:00:00 2001 From: Aleksandr Rykalin Date: Tue, 19 Nov 2019 20:46:32 +0300 Subject: [PATCH 6/7] do not need this variables in molecule playbook --- molecule/default/playbook.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index 005b18a..e11cf97 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml 
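Review bot: `privatekey_curve` is wired through for the local enrollment only; tasks/remote-certificate.yml, which carries the matching `privatekey_type`/`privatekey_size` arguments, is not updated in this commit, so setting `certificate_privatekey_curve` affects only the local path and the two task files silently diverge. Add the same line there: `privatekey_curve: "{{ certificate_privatekey_curve | default(omit) }}"`. Since the module's `__init__` rejects a curve without a `privatekey_type`, the role's defaults or README should also state that `certificate_privatekey_type` must be set alongside the curve. The enclosing task continues outside the hunk.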
@@ -15,9 +15,6 @@ certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}" certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem" certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem" - certificate_privatekey_type: "{{ certificate_privatekey_type | default(omit) }}" - certificate_privatekey_size: "{{ certificate_privatekey_size | default(omit) }}" - certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key" certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr" From 2996674059943c08bbf5914643cc06f88a0b7ff9 Mon Sep 17 00:00:00 2001 From: Aleksandr Rykalin Date: Tue, 19 Nov 2019 21:08:23 +0300 Subject: [PATCH 7/7] different alt names for tpp and cloud --- molecule/default/playbook.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index e11cf97..af6f9eb 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml @@ -10,8 +10,10 @@ - name: Converge hosts: all vars: + tpp_alt_names: "email:e@venafi.com,IP:192.168.0.15,DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com" + cloud_alt_names: "DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com" certificate_common_name: "{{ ansible_fqdn }}-{{ cn }}.venafi.example.com" - certificate_alt_name: "IP:192.168.0.15,DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com" + certificate_alt_name: "{{ cloud_alt_names if venafi.token is defined else tpp_alt_names }}" certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}" certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem" certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
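Review bot: `certificate_alt_name` now selects between two SAN lists based on whether `venafi.token` is defined, which encodes the assumption that token authentication means Venafi Cloud and user/password means TPP; nothing in the playbook states this, so a reader has to infer it. A comment above `tpp_alt_names` would capture it, e.g. `# presumably Cloud (token auth) accepts only DNS SANs while TPP also takes email/IP — confirm against backend policy`. The `email:` and `IP:` entries are fixed sample values for the test zone; if the TPP policy for that zone restricts SAN types they are the likely cause of a future enrollment failure, so naming them as test fixtures in the same comment would help. The play's `vars:` block continues outside the hunk.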