Merge "Change the format of 'san' parameter in pki_certificates variable"

2025-09-26 14:56:43 +00:00
parent 465fc7ae99 fb216d16bd
commit 678ca5e479
3 changed files with 28 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -83,7 +83,10 @@ pki_search_certificates_pattern: "pki_certificates_"
 #   - name: "SnakeWeb"
 #     provider: ownca
 #     cn: "www.snakeoil.com"
-#     san: "DNS:www.snakeoil.com,DNS:snakeoil.com"
+#     san:
+#       dns:
+#         - www.snakeoil.com
+#         - snakeoil.com
 #   - name: "SnakeMail"
 #     signed_by: "SnakeRootIntermediate"
 #     provider: ownca
@@ -95,7 +98,12 @@ pki_search_certificates_pattern: "pki_certificates_"
 #   - name: "myservice_{{ ansible_facts['hostname'] }}"
 #     cn: "{{ ansible_facts['hostname'] }}"
 #     provider: ownca
-#     san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~  ',DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_facts['default_ipv4'] }}"
+#     san:
+#       dns:
+#         - "{{ ansible_facts['hostname'] }}"
+#         - "{{ ansible_facts['fqdn'] }}"
+#       ip:
+#         - "{{ ansible_facts['default_ipv4'] }}"
 #     signed_by: "SnakeRootIntermediate"

 # set this to the name of the certificate to regenerate, or to 'true' to regenerate all
--- a/releasenotes/notes/change_san_format-bc67fffcfb4cd5ab.yaml
+++ b/releasenotes/notes/change_san_format-bc67fffcfb4cd5ab.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    The format of `san` parameter in a ``pki_certificates`` variable was
+    changed from a string to the dictonary of lists. New dict can
+    contain following keys: dns, ip, uri, other. These keys should
+    contain a list with all SANs that should be a part of the
+    certificate.
--- a/tasks/standalone/sign_cert.yml
+++ b/tasks/standalone/sign_cert.yml
@@ -33,6 +33,13 @@
      register: cert_privkey

    - name: Create the CSR for {{ cert.name }}
+      vars:
+        generated_san: >-
+          {{
+            ['DNS:' + (cert.san.dns | unique | join(',DNS:')) if cert.san.dns | default([]) else '',
+             'IP:' + (cert.san.ip | unique | join(',IP:')) if cert.san.ip | default([]) else '']
+            | select() | join(',')
+          }}
      community.crypto.openssl_csr:
        path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
        privatekey_path: "{{ cert_privkey.filename }}"
@@ -42,7 +49,9 @@
        basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
        key_usage: "{{ cert.key_usage | default(omit) }}"
        extended_key_usage: "{{ cert.extended_key_usage | default(omit) }}"
-        subject_alt_name: "{{ cert.san | default(omit) }}"
+        # NOTE(damiandabrowski) After 2026.1 switch to just:
+        #                       subject_alt_name: "{{ generated_san | default(omit) }}"
+        subject_alt_name: "{{ (cert.san is defined and cert.san is not string) | ternary(generated_san, cert.san | default(omit)) }}"
        country_name: "{{ cert.country_name | default(omit) }}"
        state_or_province_name: "{{ cert.state_or_province_name | default(omit) }}"
        locality_name: "{{ cert.locality_name | default(omit) }}"