openstack/ansible-role-pki
Code Issues Proposed changes
Files
f03bcc19d585f0e5fc67146015c44b9650b2fe13
ansible-role-pki/tasks/main_certs.yml
Jonathan Rosser f03bcc19d5 Add defaults for ownership of installed files on the target 
These are currently specified many times in the input data for the
pki role leading to repeated values for each file when in most
cases the ownership is always the same.

This change allows a default owner/group to be set for all installed
files that can be overidden per-certificate if needed.

Change-Id: Ic2cb44e7e28eefcc6afb96e05dd2fcac6e5a7efa
Signed-off-by: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
2025-08-19 15:39:01 +01:00

88 lines
3.1 KiB
YAML
Raw Blame History

---
# Copyright 2021, BBC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create Server certificates
ansible.builtin.include_tasks: "{{ pki_method }}/create_cert.yml"
loop: "{{ _pki_certificates_defs }}"
loop_control:
loop_var: cert
vars:
cert_dir: "{{ pki_dir }}/certs"
when:
- pki_create_certificates | default(true)
- name: Slurp up server certificates from pki setup host ({{ pki_setup_host }})
vars:
# location for the certificates on the PKI host
cert_dir: "{{ pki_dir }}/certs"
# construct the path to the source when "name" is specified
_source_files:
"certificate": "{{ cert_dir ~ '/certs/' ~ item.name ~ '.crt' }}"
"certificate_chain": "{{ cert_dir ~ '/certs/' ~ item.name ~ '-chain.crt' }}"
"ca_bundle": "{{ cert_dir ~ '/certs/' ~ item.name ~ '-ca_bundle.crt' }}"
"private_key": "{{ cert_dir ~ '/private/' ~ item.name ~ '.key.pem' }}"
# pick the source based on the type
_source: "{{ _source_files[item.type | default('certificate')] }}"
# detect a valid value of "src"
_use_src: "{{ item.src is defined and item.src is truthy }}"
delegate_to: "{{ pki_setup_host }}"
ansible.builtin.slurp:
src: "{{ _use_src | ternary(item.src, _source) }}"
register: _cert_slurp
loop: "{{ _pki_install_certificates_defs }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: Create certificate destination directories
ansible.builtin.file:
path: "{{ install }}"
state: directory
mode: "{{ pki_cert_dir_mode }}"
loop: "{{ _cert_slurp.results | map(attribute='item') | map(attribute='dest') | map('dirname') | unique }}"
loop_control:
loop_var: install
label: "{{ loop_label | to_json }}"
vars:
loop_label:
path: "{{ install }}"
state: directory
mode: "{{ pki_cert_dir_mode }}"
- name: Install Server certificates to targets
ansible.builtin.copy:
content: "{{ install.content | b64decode }}"
dest: "{{ install.item.dest }}"
owner: "{{ _owner }}"
group: "{{ _group }}"
mode: "{{ _mode }}"
loop: "{{ _cert_slurp.results }}"
loop_control:
loop_var: install
label: "{{ loop_label | to_json }}"
vars:
_mode : "{{ install.item.mode | d(pki_file_mode[install.item.type | d('certificate')]) }}"
_owner: "{{ install.item.owner | default(pki_install_owner) }}"
_group: "{{ install.item.group | default(pki_install_group) }}"
loop_label:
dest: "{{ install.item.dest }}"
owner: "{{ _owner }}"
group: "{{ _group }}"
mode: "{{ _mode }}"
ignore_errors: "{{ ansible_check_mode }}"
notify:
- "{{ pki_handler_cert_installed }}"
View Git Blame Copy Permalink