Auto-fix usage of modules via FQCN

Since ansible-core 2.10 it is recommended to use modules via their FQCN.
In order to align with this recommendation, we perform the migration
by applying the suggestions made by `ansible-lint --fix=fqcn`.

Change-Id: I562d88a1fef85053cc32d69488ebea92c6fe9fc4
Dmitriy Rabotyagov
2025-02-17 12:26:05 +01:00
parent 9bae6bfdb9
commit 83fb106afd
9 changed files with 50 additions and 45 deletions


@@ -15,15 +15,15 @@
# when the created CA certificates are changed
- name: "{{ pki_handler_ca_changed }}"
meta: noop
ansible.builtin.meta: noop
when: false
# when the created server certificates are changed
- name: "{{ pki_handler_cert_changed }}"
meta: noop
ansible.builtin.meta: noop
when: false
# when a certificate is installed onto a server
- name: "{{ pki_handler_cert_installed }}"
meta: noop
ansible.builtin.meta: noop
when: false


@@ -7,62 +7,62 @@
dnf: /etc/pki/ca-trust/source/anchors/
tasks:
# Check that certificate authorities are installed (or absent) at the correct path
- stat:
- ansible.builtin.stat:
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_1 }}.crt"
register: ca_1_stat
- stat:
- ansible.builtin.stat:
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_2 }}.crt"
register: ca_2_stat
- stat:
- ansible.builtin.stat:
path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_3 }}.crt"
register: ca_3_stat
- assert:
- ansible.builtin.assert:
that:
- ca_1_stat.stat.exists
- not ca_2_stat.stat.exists
- ca_3_stat.stat.exists
# Check that certificates are installed (or absent) at the correct path
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_cert_1_dest }}"
register: cert_1_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_chain_1_dest }}"
register: chain_1_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_key_1_dest }}"
register: key_1_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_cert_2_dest }}"
register: cert_2_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_chain_2_dest }}"
register: chain_2_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_key_2_dest }}"
register: key_2_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_cert_3_dest }}"
register: cert_3_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_chain_3_dest }}"
register: chain_3_stat
- stat:
- ansible.builtin.stat:
path: "{{ functional_install_key_3_dest }}"
register: key_3_stat
- assert:
- ansible.builtin.assert:
that:
- cert_1_stat.stat.exists
- chain_1_stat.stat.exists
@@ -75,9 +75,9 @@
# Check that certificates can validate against the installed CA
- name: Validate server certificate against system trust store
command: certtool --verify --infile "{{ functional_install_chain_1_dest }}"
ansible.builtin.command: certtool --verify --infile "{{ functional_install_chain_1_dest }}"
changed_when: false
- name: Validate server certificate against system trust store
command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
ansible.builtin.command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
changed_when: false


@@ -13,6 +13,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: main_ca.yml
- include_tasks: main_ca_install.yml
- include_tasks: main_certs.yml
- name: Including main_ca tasks
ansible.builtin.include_tasks: main_ca.yml
- name: Including main_ca_install tasks
ansible.builtin.include_tasks: main_ca_install.yml
- name: Including main_certs tasks
ansible.builtin.include_tasks: main_certs.yml


@@ -14,11 +14,11 @@
# limitations under the License.
- name: Include {{ pki_method }} CA variables
include_vars:
ansible.builtin.include_vars:
file: "{{ pki_method ~ '_ca.yml' }}"
- name: Create PKI directories
file:
ansible.builtin.file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
@@ -31,7 +31,7 @@
check_mode: false
- name: Create certificate authorities
include_tasks: "{{ pki_method }}/create_ca.yml"
ansible.builtin.include_tasks: "{{ pki_method }}/create_ca.yml"
loop: "{{ _pki_ca_defs }}"
loop_control:
loop_var: ca


@@ -14,9 +14,9 @@
# limitations under the License.
- name: Include {{ pki_method }} CA variables
include_vars:
ansible.builtin.include_vars:
file: "{{ pki_method ~ '_ca.yml' }}"
- name: Install certificate authorities
include_tasks: "{{ pki_method }}/install_ca.yml"
ansible.builtin.include_tasks: "{{ pki_method }}/install_ca.yml"
when: _pki_install_ca_defs | length > 0


@@ -14,7 +14,7 @@
# limitations under the License.
- name: Create Server certificates
include_tasks: "{{ pki_method }}/create_cert.yml"
ansible.builtin.include_tasks: "{{ pki_method }}/create_cert.yml"
loop: "{{ _pki_certificates_defs }}"
loop_control:
loop_var: cert
@@ -25,14 +25,14 @@
- name: Slurp up server certificates from pki setup host ({{ pki_setup_host }})
delegate_to: "{{ pki_setup_host }}"
slurp:
ansible.builtin.slurp:
src: "{{ item.src }}"
register: _cert_slurp
loop: "{{ _pki_install_certificates_defs }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: Create certificate destination directories
file:
ansible.builtin.file:
path: "{{ install }}"
state: directory
mode: "0755"
@@ -47,7 +47,7 @@
mode: "0755"
- name: Install Server certificates to targets
copy:
ansible.builtin.copy:
content: "{{ install.content | b64decode }}"
dest: "{{ install.item.dest }}"
owner: "{{ install.item.owner | default(omit) }}"
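Review bot: The "Slurp up server certificates" task registers the base64 content of every file in `_pki_install_certificates_defs` into `_cert_slurp` without `no_log: true`, and the later copy task decodes it with `install.content | b64decode`. If those definitions include private keys (the functional test in this commit checks `functional_install_key_*_dest` paths, which suggests they do), key material can end up in verbose task output and callback logs. Adding `no_log: true` to the slurp task, and to the copy task whose `install` variable carries the content, would keep it out of logs. The copy task continues past the end of the hunk, so it may already set `no_log` or a `loop_control` label there.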


@@ -20,7 +20,7 @@
delegate_to: "{{ pki_setup_host }}"
block:
- name: Create directories for certificate authority {{ ca.name }}
file:
ansible.builtin.file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
@@ -38,7 +38,7 @@
# NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
# openssl_privatekey gets changed when harmonizing ownership/permissions
- name: Ensure private key has proper ownership
file:
ansible.builtin.file:
state: file
path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
mode: "{{ ca.key_mode | default(pki_key_mode) }}"
@@ -47,7 +47,7 @@
failed_when: false
- name: Initialise the serial number for {{ ca.name }}
copy:
ansible.builtin.copy:
content: "999"
dest: "{{ ca_dir ~ '/serial' }}"
force: false
@@ -64,7 +64,7 @@
register: ca_privkey
- name: Read the serial number for {{ ca.name }}
slurp:
ansible.builtin.slurp:
src: "{{ pki_dir ~ '/roots/' ~ ca.name ~ '/serial' }}"
register: serial_no
@@ -89,7 +89,7 @@
- ca_privkey is changed or pki_regen_ca == ca.name or (pki_regen_ca | lower) == 'true'
- name: Write out the new serial number for {{ ca.name }}
copy:
ansible.builtin.copy:
content: "{{ next_serial_no }}"
dest: "{{ ca_dir }}/serial"
when: ca_csr is changed
@@ -129,7 +129,7 @@
- "{{ pki_handler_ca_changed }}"
- name: Symlink the certificate name to the most recently generated
file:
ansible.builtin.file:
src: "{{ (ca_selfsigned_crt.filename | default(ca_ownca_crt.filename)) | basename }}"
dest: "{{ ca_cert_prefix ~ '.crt' }}"
state: link
@@ -142,13 +142,13 @@
when: ca_ownca_crt is changed or ca_selfsigned_crt is changed
- name: Save certificate info for {{ ca.name }}
copy:
ansible.builtin.copy:
content: "{{ ca_cert_info | to_nice_yaml }}"
dest: "{{ (ca_selfsigned_crt.filename | default(ca_ownca_crt.filename)) ~ '.info' }}"
when: ca_ownca_crt is changed or ca_selfsigned_crt is changed
- name: Check if intermediate certificate chain exists
stat:
ansible.builtin.stat:
path: "{{ ca_cert_prefix ~ '-chain.crt' }}"
register: chain_result
when:
@@ -159,7 +159,7 @@
ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
cert_path: "{{ ca_cert_prefix ~ '.crt' }}"
cert_chain_path: "{{ ca_cert_prefix ~ '-chain.crt' }}"
shell:
ansible.builtin.shell:
cmd: "cat {{ cert_path }} {{ ownca_path }} > {{ cert_chain_path }}"
when:
- ca_ownca_crt is changed or not (chain_result.stat.exists | default(true))
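Review bot: The `ansible.builtin.shell` task in the last hunk still builds its command from unquoted template values, `cat {{ cert_path }} {{ ownca_path }} > {{ cert_chain_path }}`, and `ownca_path` is visibly assembled from `pki_dir` and `ca.signed_by` on the lines just above. A value containing a space or a shell metacharacter would be split or interpreted by the shell, so each path should pass through the `quote` filter: `cmd: "cat {{ cert_path | quote }} {{ ownca_path | quote }} > {{ cert_chain_path | quote }}"`. The same pattern appears in the "Create certificate chain for {{ cert.name }}" task in the next file section of this commit (`_cert_file`, `_ca_file`, `_cert_chain_file`). The task starts above the hunk and its `when:` list may continue below it, so its name and remaining conditions are not visible here.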


@@ -74,12 +74,12 @@
when: cert_crt is changed
- name: Save certificate info for {{ cert.name }}
copy:
ansible.builtin.copy:
content: "{{ cert_info | to_nice_yaml }}"
dest: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '.info' }}"
when: cert_crt is changed
- name: Create certificate chain for {{ cert.name }}
shell:
ansible.builtin.shell:
cmd: "cat {{ _cert_file }} {{ _ca_file }} > {{ _cert_chain_file }}"
creates: "{{ (cert_crt is not changed) | ternary(_cert_chain_file, omit) }}"


@@ -15,7 +15,7 @@
- name: Slurp up CA certificates from pki setup host ({{ pki_setup_host }})
delegate_to: "{{ pki_setup_host }}"
slurp:
ansible.builtin.slurp:
src: "{{ item.src | default(pki_dir ~ '/roots/' ~ item.name ~ '/certs/' ~ item.name ~ '.crt') }}"
register: _ca_slurp
run_once: true
@@ -23,7 +23,7 @@
ignore_errors: "{{ ansible_check_mode }}"
- name: Copy CA certificates to target host
copy:
ansible.builtin.copy:
content: "{{ item.content | b64decode }}"
dest: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ item.item.filename | default(item.item.name ~ '.crt') }}"
register: ca_copy
@@ -37,6 +37,6 @@
ignore_errors: "{{ ansible_check_mode }}"
- name: Update CA store
command: "{{ pki_ca_install_command[ansible_facts['pkg_mgr']] }}"
ansible.builtin.command: "{{ pki_ca_install_command[ansible_facts['pkg_mgr']] }}"
when:
- ca_copy is changed