Merge "Change the format of 'san' parameter in pki_certificates variable"

defaults/main.yml

@@ -83,7 +83,10 @@ pki_search_certificates_pattern: "pki_certificates_"
 #   - name: "SnakeWeb"
 #     provider: ownca
 #     cn: "www.snakeoil.com"
-#     san: "DNS:www.snakeoil.com,DNS:snakeoil.com"
+#     san:
+#       dns:
+#         - www.snakeoil.com
+#         - snakeoil.com
 #   - name: "SnakeMail"
 #     signed_by: "SnakeRootIntermediate"
 #     provider: ownca
@@ -95,7 +98,12 @@ pki_search_certificates_pattern: "pki_certificates_"
 #   - name: "myservice_{{ ansible_facts['hostname'] }}"
 #     cn: "{{ ansible_facts['hostname'] }}"
 #     provider: ownca
-#     san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~  ',DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_facts['default_ipv4'] }}"
+#     san:
+#       dns:
+#         - "{{ ansible_facts['hostname'] }}"
+#         - "{{ ansible_facts['fqdn'] }}"
+#       ip:
+#         - "{{ ansible_facts['default_ipv4'] }}"
 #     signed_by: "SnakeRootIntermediate"
 
 # set this to the name of the certificate to regenerate, or to 'true' to regenerate all

releasenotes/notes/change_san_format-bc67fffcfb4cd5ab.yaml

@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    The format of `san` parameter in a ``pki_certificates`` variable was
+    changed from a string to the dictonary of lists. New dict can
+    contain following keys: dns, ip, uri, other. These keys should
+    contain a list with all SANs that should be a part of the
+    certificate.

tasks/standalone/sign_cert.yml

@@ -33,6 +33,13 @@
       register: cert_privkey
 
     - name: Create the CSR for {{ cert.name }}
+      vars:
+        generated_san: >-
+          {{
+            ['DNS:' + (cert.san.dns | unique | join(',DNS:')) if cert.san.dns | default([]) else '',
+             'IP:' + (cert.san.ip | unique | join(',IP:')) if cert.san.ip | default([]) else '']
+            | select() | join(',')
+          }}
       community.crypto.openssl_csr:
         path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
         privatekey_path: "{{ cert_privkey.filename }}"
@@ -42,7 +49,9 @@
         basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
         key_usage: "{{ cert.key_usage | default(omit) }}"
         extended_key_usage: "{{ cert.extended_key_usage | default(omit) }}"
-        subject_alt_name: "{{ cert.san | default(omit) }}"
+        # NOTE(damiandabrowski) After 2026.1 switch to just:
+        #                       subject_alt_name: "{{ generated_san | default(omit) }}"
+        subject_alt_name: "{{ (cert.san is defined and cert.san is not string) | ternary(generated_san, cert.san | default(omit)) }}"
         country_name: "{{ cert.country_name | default(omit) }}"
         state_or_province_name: "{{ cert.state_or_province_name | default(omit) }}"
         locality_name: "{{ cert.locality_name | default(omit) }}"