Auto-fix yaml rules

In order to reduce divergence from ansible-lint rules, we apply
auto-fixing of violations.

In the current patch we replace all kinds of truthy variables with
`true` or `false` values to align with recommendations, along with
aligning the quotes used.

Change-Id: I2e7bdac26e914a62e9416d34381696ce3d2117dc
Dmitriy Rabotyagov 2025-02-17 12:23:12 +01:00
parent d4ff35aa1c
commit 9bae6bfdb9
11 changed files with 48 additions and 49 deletions

1
.gitignore vendored

@ -45,6 +45,7 @@ logs/*
# OS generated files #
######################
._*
.ansible
.tox
*.egg-info
.eggs


@ -70,7 +70,7 @@ pki_install_ca: []
pki_search_install_ca_pattern: "pki_install_ca_"
# set this to the name of a CA to regenerate, or to 'true' to regenerate all
pki_regen_ca: ''
pki_regen_ca: ""
# locations of system trust stores to install CA certs to
pki_trust_store_location:
@ -104,7 +104,7 @@ pki_search_certificates_pattern: "pki_certificates_"
# signed_by: "SnakeRootIntermediate"
# set this to the name of the certificate to regenerate, or to 'true' to regenerate all
pki_regen_cert: ''
pki_regen_cert: ""
# host where the generated PKI files are kept
pki_setup_host: localhost
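Review bot: The comment above `pki_regen_ca` (and the matching one above `pki_regen_cert`) still tells the operator to set the value to 'true' in quotes, while the default is a string and this commit normalises truthy values to real booleans elsewhere. It is not visible here whether the tasks test for a boolean or for the literal string, and a mismatch could either regenerate nothing or be taken as a CA name. I would spell the accepted form out in the comment, for example `# set this to the name of a CA to regenerate, or to boolean true to regenerate all`, after checking it against the conditions in the tasks. Regenerating every CA is disruptive enough that the variable's contract should be explicit.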


@ -1,5 +1,4 @@
---
- name: Install PKI
hosts: all
tasks:


@ -1,3 +1,4 @@
---
galaxy_info:
author: City Networks, BBC
description: Installation and configuration of PKI infrastructure


@ -20,35 +20,35 @@ functional_ca_name_1: "ExampleCorpRoot"
# Example self-signed certificate authority
# Using the default variable
pki_authorities:
- name: "{{ functional_ca_name_1 }}"
provider: selfsigned
basic_constraints: "CA:TRUE"
cn: "Example Corp Root CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
- name: "ExampleCorpIntermediate"
provider: ownca
basic_constraints: "CA:TRUE,pathlen:0"
cn: "Example Corp Openstack Infrastructure Intermediate CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
signed_by: "ExampleCorpRoot"
- name: "{{ functional_ca_name_1 }}"
provider: selfsigned
basic_constraints: "CA:TRUE"
cn: "Example Corp Root CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
- name: "ExampleCorpIntermediate"
provider: ownca
basic_constraints: "CA:TRUE,pathlen:0"
cn: "Example Corp Openstack Infrastructure Intermediate CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
signed_by: "ExampleCorpRoot"
# Custom CA generation search pattern
pki_search_authorities_pattern: "foo_authorities_"


@ -6,7 +6,6 @@
apt: /usr/local/share/ca-certificates/
dnf: /etc/pki/ca-trust/source/anchors/
tasks:
# Check that certificate authorities are installed (or absent) at the correct path
- stat:
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_1 }}.crt"
@ -81,4 +80,4 @@
- name: Validate server certificate against system trust store
command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
changed_when: false
changed_when: false


@ -1,3 +1,4 @@
---
collections:
- name: community.crypto
version: 2.0.2


@ -28,7 +28,7 @@
- "{{ pki_ca_dirs }}"
- "{{ pki_cert_dirs }}"
delegate_to: "{{ pki_setup_host }}"
check_mode: no
check_mode: false
- name: Create certificate authorities
include_tasks: "{{ pki_method }}/create_ca.yml"
@ -36,6 +36,6 @@
loop_control:
loop_var: ca
vars:
ca_dir: "{{ pki_dir }}/roots/{{ ca.name }}"
ca_cert_prefix: "{{ ca_dir ~ '/certs/' ~ ca.name }}"
ca_dir: "{{ pki_dir }}/roots/{{ ca.name }}"
ca_cert_prefix: "{{ ca_dir ~ '/certs/' ~ ca.name }}"
when: pki_create_ca | bool
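Review bot: `check_mode: false` on the task that ends at `delegate_to: "{{ pki_setup_host }}"` makes it run for real under `--check`, and nothing next to it says why. The task starts outside this hunk, so its module is not visible, but it loops over `pki_ca_dirs` and `pki_cert_dirs` and so presumably touches the PKI directory tree on the setup host. A one-line comment would make the intent reviewable, e.g. `# runs even in check mode: later tasks need these paths to exist` (wording to be confirmed by the author).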


@ -19,7 +19,7 @@
loop_control:
loop_var: cert
vars:
cert_dir: "{{ pki_dir }}/certs"
cert_dir: "{{ pki_dir }}/certs"
when:
- pki_create_certificates | default(true)
@ -44,7 +44,7 @@
loop_label:
path: "{{ install }}"
state: directory
mode: '0755'
mode: "0755"
- name: Install Server certificates to targets
copy:


@ -19,7 +19,6 @@
ansible_python_interpreter: "{{ pki_setup_host_python_interpreter }}"
delegate_to: "{{ pki_setup_host }}"
block:
- name: Create directories for certificate authority {{ ca.name }}
file:
state: directory
@ -36,8 +35,8 @@
- path: "{{ ca_dir ~ '/certs' }}"
mode: "{{ pki_cert_dir_mode }}"
# NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
# openssl_privatekey gets changed when harmonizing ownership/permissions
# NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
# openssl_privatekey gets changed when harmonizing ownership/permissions
- name: Ensure private key has proper ownership
file:
state: file
@ -50,8 +49,8 @@
- name: Initialise the serial number for {{ ca.name }}
copy:
content: "999"
dest : "{{ ca_dir ~ '/serial' }}"
force: no
dest: "{{ ca_dir ~ '/serial' }}"
force: false
- name: Generate CA private key for {{ ca.name }}
community.crypto.openssl_privatekey:
@ -75,7 +74,7 @@
privatekey_path: "{{ ca_privkey.filename }}"
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
common_name: "{{ ca.cn }}"
basic_constraints_critical: yes
basic_constraints_critical: true
basic_constraints: "{{ ca.basic_constraints }}"
key_usage: "{{ ca.key_usage }}"
country_name: "{{ ca.country_name | default(omit) }}"
@ -99,7 +98,7 @@
community.crypto.x509_certificate:
path: "{{ ca_cert_prefix ~ '-' ~ next_serial_no ~ '.crt' }}"
csr_path: "{{ ca_csr.filename }}"
provider: 'selfsigned'
provider: "selfsigned"
privatekey_path: "{{ ca_privkey.filename }}"
privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
selfsigned_not_after: "{{ ca.not_after }}"
@ -116,7 +115,7 @@
community.crypto.x509_certificate:
path: "{{ ca_cert_prefix ~ '-' ~ next_serial_no ~ '.crt' }}"
csr_path: "{{ ca_csr.filename }}"
provider: 'ownca'
provider: "ownca"
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
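Review bot: The `Initialise the serial number` task uses `copy` without an explicit `mode`, so the serial file under `ca_dir` gets whatever the umask on the setup host yields, and ansible-lint's `risky-file-permissions` rule will keep flagging it after this clean-up. Adding `mode: "0644"` (or a stricter value in line with the other CA files) next to `force: false` would address both. The directory task in the hunk above already takes its mode from `pki_cert_dir_mode`, so an explicit value here would be consistent. Owner and group are not set in the visible lines either, which may be intended.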


@ -21,7 +21,6 @@
_ca_file: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/certs/' ~ cert.signed_by ~ '.crt' }}"
delegate_to: "{{ pki_setup_host }}"
block:
- name: Generate certificate private key for {{ cert.name }}
community.crypto.openssl_privatekey:
path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
@ -37,7 +36,7 @@
privatekey_path: "{{ cert_privkey.filename }}"
privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
common_name: "{{ cert.cn | default(omit) }}"
basic_constraints_critical: yes
basic_constraints_critical: true
basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
key_usage: "{{ cert.key_usage | default(omit) }}"
extended_key_usage: "{{ cert.extended_key_usage | default(omit) }}"