[step-ca] rework existing key role parameters
maxhoesel committed Jul 25, 2023
1 parent 0560b2f commit 34ccd12
Showing 19 changed files with 331 additions and 142 deletions.
24 changes: 8 additions & 16 deletions roles/step_ca/README.md
Expand Up @@ -148,21 +148,14 @@ This role will only decrypt the root key for as long as strictly neccessary.

---

##### `step_ca_existing_<root/key>`
- Whether to use an existing root certificate/key and if so from where to import it from
- Choices:
- `remote`: The root certificate/key is already present on the remote host
- `local`: The root certificate/key is read from the controller
- Note that both cert and key need to be either imported, **or** generated.
For example, you cannot import the key but generate the certificate
- Default: Not set.
- If unset and `_root/key_file` is also unset, a new certificate will be generated
- If unset and `_root/key_file` is set, the files are treated as `remote` to preserve backwards-compatibility to previous collection versions.
This behavior may be removed in a future release

##### `step_ca_existing_<root/key>_file`
- The path of an existing PEM file to be used as the root certificate/key
- Depending on the value of `step_ca_existing_<root/key>`, the file must either be on the remote host or the controller
- If the file is present on the controller instead of the target node, set `step_ca_existing_<root/key>_is_local`, to `true`.
- Default: not set (will generate a new certificate)

##### `step_ca_existing_<root/key>_is_local`
- Set to `true` if the file is present on the controller and needs to be copied
- Default: `false`

##### `step_ca_existing_key_password`
- Password to decrypt the existing key file
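Review bot: the rule that certificate and key must both be imported or both generated (the removed bullet "Note that both cert and key need to be either imported, **or** generated") has no counterpart in the new text, yet it still applies to the `_file` parameters; keep one sentence to that effect under `step_ca_existing_<root/key>_file` and say what the role does when only one of the two files is set. The new heading also reads `step_ca_existing_<root/key>_is_local`, while defaults/main.yml and meta/argument_specs.yml in this same commit define `step_ca_existing_root_file_is_local` and `step_ca_existing_key_file_is_local`; the README should use the `_file_is_local` names so the documented variables exist.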
Expand All @@ -171,13 +164,12 @@ This role will only decrypt the root key for as long as strictly neccessary.
Example usage:

```yaml
# Select where to import the root certificate from. Can be `remote`, `local`, `false`
step_ca_existing_root: remote
# Import the root certificate from the target node
step_ca_existing_root_file: /tmp/existing-ca-root.crt

# Same for the key, except that the key is read from the controller
step_ca_existing_key: local
step_ca_existing_key_file: /home/controller/secret-ca-key.pem
step_ca_existing_key_is_local: true
# If your keyfile is password-protected, you can set the decryption password like so:
step_ca_existing_key_password: Very-secret-password
```
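Review bot: `step_ca_existing_key_is_local: true` in the example is not the variable the role reads; defaults/main.yml and argument_specs.yml in this commit call it `step_ca_existing_key_file_is_local`. A user copying this snippet sets a variable the role never looks at, the real flag keeps its default of `false`, and per the argument spec the role then expects `/home/controller/secret-ca-key.pem` on the target host rather than copying it from the controller. Rename the line to `step_ca_existing_key_file_is_local: true`, and have the comment on the root certificate say that it stays on the remote host because `step_ca_existing_root_file_is_local` is left at its default.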
8 changes: 4 additions & 4 deletions roles/step_ca/defaults/main.yml
Expand Up @@ -11,14 +11,14 @@ step_ca_path: /etc/step-ca
#step_ca_intermediate_password:
step_ca_dns: "{{ ansible_fqdn }},{{ ansible_default_ipv4.address }}"
step_ca_address: ":443"
#step_ca_url:
step_ca_ssh: false

#step_ca_existing_root:
#step_ca_existing_key:
#step_ca_existing_root_file:
step_ca_existing_root_file_is_local: false
#step_ca_existing_key_file:
step_ca_existing_key_file_is_local: false
#step_ca_existing_key_password:
#step_ca_url:
step_ca_ssh: false

#step_ca_ra:
#step_ca_ra_issuer:
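Review bot: leaving the two `_file` paths and `step_ca_existing_key_password` unset while giving the `_is_local` flags a concrete `false` is the right split, but nothing in the defaults says that `step_ca_existing_root_file` and `step_ca_existing_key_file` have to be set together, which the old `step_ca_existing_<root/key>` documentation spelled out. A one-line comment above `#step_ca_existing_root_file:` such as `# set both _file values or neither; a partial import is not supported` keeps that constraint visible where people actually copy defaults from.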
35 changes: 15 additions & 20 deletions roles/step_ca/meta/argument_specs.yml
Expand Up @@ -115,34 +115,29 @@ argument_specs:
default: no
description: Create keys to sign SSH certificates
# Existing cert options
step_ca_existing_root:
type: str
choices:
- remote
- local
description: Whether to use an existing root certificate and if so from where to import it from
step_ca_existing_key:
type: str
choices:
- remote
- local
description:
- Whether to use an existing root key and if so from where to import it from
- Note that both cert and key need to be either imported, B(or) generated. For example, you cannot import the key but generate the certificate
- Note that if this is unset and I(step_ca_existing_root/key_file) is set, the files are treated as C(remote) to preserve backwards-compatibility to previous collection versions. This behavior may be removed in a future release
step_ca_existing_key_password:
type: str
description: Password to decrypt the root key
step_ca_existing_root_file:
type: path
description:
- The path of an existing PEM file to be used as the root certificate authority
- Depending on the value of I(step_ca_existing_root), the file must either be on the remote host or the controller
- If the file is present on the controller instead of the target node, set I(step_ca_existing_root_file_is_local), to C(true).
step_ca_existing_key_file:
type: path
description:
- The path of an existing key file of the root certificate authority
- Depending on the value of I(step_ca_existing_key), the file must either be on the remote host or the controller
- If the file is present on the controller instead of the target node, set I(step_ca_existing_key_file_is_local), to C(true).
step_ca_existing_root_file_is_local:
type: bool
default: false
description:
- Set to C(true) if the file is present on the controller and needs to be copied
step_ca_existing_key_file_is_local:
type: bool
default: false
description:
- Set to C(true) if the file is present on the controller and needs to be copied
step_ca_existing_key_password:
type: str
description: Password to decrypt the root key
# RA options
step_ca_ra:
type: str
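Review bot: with the `remote`/`local` choice removed, the spec no longer carries the constraint from the deleted description ("both cert and key need to be either imported, B(or) generated"); argument_specs cannot express a dependency between two options, so the role's tasks should assert that `step_ca_existing_root_file` and `step_ca_existing_key_file` are either both defined or both undefined, and the description of `step_ca_existing_key_file` should state that. `step_ca_existing_key_password` ("Password to decrypt the root key") is only meaningful when `step_ca_existing_key_file` is set; say so in its description, since a password given without a key file would otherwise be silently ignored.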
File renamed without changes.
11 changes: 0 additions & 11 deletions roles/step_ca/molecule/default/files/molecule-ca.crt

This file was deleted.

8 changes: 0 additions & 8 deletions roles/step_ca/molecule/default/files/molecule-ca.key

This file was deleted.

9 changes: 3 additions & 6 deletions roles/step_ca/molecule/default/molecule.yml
Expand Up @@ -73,6 +73,9 @@ platforms:


provisioner:
playbooks:
converge: ../converge.yml
verify: ../verify.yml
inventory:
group_vars:
ca:
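Review bot: the default scenario now shares `../converge.yml` and `../verify.yml` with the two new import scenarios while no longer importing a CA itself (see the block removed in the next hunk); that only works if `../verify.yml` does not assume a known root fingerprint, or checks it only where a fixture was supplied. verify.yml is not in this diff, so worth confirming before merge.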
Expand All @@ -82,9 +85,3 @@ provisioner:
step_ca_intermediate_password: molecule-intermediate
step_ca_path: /etc/step-ca-molecule
step_ca_ssh: yes

step_ca_existing_root: local
step_ca_existing_root_file: files/molecule-ca.crt
step_ca_existing_key: local
step_ca_existing_key_file: files/molecule-ca.key
step_ca_existing_key_password: molecule
93 changes: 93 additions & 0 deletions roles/step_ca/molecule/existing-local/molecule.yml
@@ -0,0 +1,93 @@
platforms:
- name: step-ca-ubuntu-22
groups:
- ubuntu
- ca
image: "docker.io/geerlingguy/docker-ubuntu2204-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-ubuntu-20
groups:
- ubuntu
- ca
image: "docker.io/geerlingguy/docker-ubuntu2004-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-ubuntu-18
groups:
- ubuntu
- ca
image: "docker.io/geerlingguy/docker-ubuntu1804-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-debian-11
groups:
- debian
- ca
image: "docker.io/geerlingguy/docker-debian11-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-debian-10
groups:
- debian
- ca
image: "docker.io/geerlingguy/docker-debian10-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-rockylinux-9
groups:
- rockylinux
- ca
image: "docker.io/geerlingguy/docker-rockylinux9-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-rockylinux-8
groups:
- rockylinux
- ca
image: "docker.io/geerlingguy/docker-rockylinux8-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-fedora-36
groups:
- fedora
- ca
image: "docker.io/geerlingguy/docker-fedora36-ansible"
systemd: always
override_command: false
pre_build_image: true


provisioner:
playbooks:
converge: ../converge.yml
verify: ../verify.yml
inventory:
group_vars:
ca:
step_ca_name: Molecule Test CA
step_ca_user: step-ca-molecule
step_ca_root_password: molecule
step_ca_intermediate_password: molecule-intermediate
step_ca_path: /etc/step-ca-molecule
step_ca_ssh: yes

step_ca_existing_root_file_is_local: true
step_ca_existing_root_file: ../files/molecule-ca.crt
step_ca_existing_key_file_is_local: true
step_ca_existing_key_file: ../files/molecule-ca.key
step_ca_existing_key_password: wvTfbyADhoowLZp3RsJ9
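Review bot: `step_ca_existing_root_file: ../files/molecule-ca.crt` is a controller-relative path whose base directory depends on how the role passes it to its copy task (scenario directory or the directory of `../converge.yml`); an absolute path built from `{{ playbook_dir }}` would be less fragile and also serves as the documented pattern for users. The key password `wvTfbyADhoowLZp3RsJ9` is committed in clear text here and again in existing-remote/molecule.yml, which is acceptable for a throwaway test CA, but a comment marking it as a Molecule-only fixture would keep it from being copied into a real inventory. The `platforms:` list is repeated verbatim in all three scenarios; a short note in the scenario directory about keeping them in sync would help, since Molecule has no include mechanism for it.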
12 changes: 12 additions & 0 deletions roles/step_ca/molecule/existing-local/prepare.yml
@@ -0,0 +1,12 @@
- hosts: "ubuntu:debian"
tasks:
- name: Update apt cache
apt:
update_cache: yes

- hosts: rockylinux:fedora
tasks:
# Required to prevent issues with ansible_default_ipv4 missing
- name: Install iproute
package:
name: iproute
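Review bot: `apt:` and `package:` are short module names while existing-remote/prepare.yml in this same commit uses `ansible.builtin.copy`; use `ansible.builtin.apt` and `ansible.builtin.package` for consistency. These two plays are byte-for-byte the first two plays of existing-remote/prepare.yml, so a shared playbook pulled in with `import_playbook` would avoid the two copies drifting apart.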
1 change: 1 addition & 0 deletions roles/step_ca/molecule/existing-local/requirements.txt
91 changes: 91 additions & 0 deletions roles/step_ca/molecule/existing-remote/molecule.yml
@@ -0,0 +1,91 @@
platforms:
- name: step-ca-ubuntu-22
groups:
- ubuntu
- ca
image: "docker.io/geerlingguy/docker-ubuntu2204-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-ubuntu-20
groups:
- ubuntu
- ca
image: "docker.io/geerlingguy/docker-ubuntu2004-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-ubuntu-18
groups:
- ubuntu
- ca
image: "docker.io/geerlingguy/docker-ubuntu1804-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-debian-11
groups:
- debian
- ca
image: "docker.io/geerlingguy/docker-debian11-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-debian-10
groups:
- debian
- ca
image: "docker.io/geerlingguy/docker-debian10-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-rockylinux-9
groups:
- rockylinux
- ca
image: "docker.io/geerlingguy/docker-rockylinux9-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-rockylinux-8
groups:
- rockylinux
- ca
image: "docker.io/geerlingguy/docker-rockylinux8-ansible"
systemd: always
override_command: false
pre_build_image: true

- name: step-ca-fedora-36
groups:
- fedora
- ca
image: "docker.io/geerlingguy/docker-fedora36-ansible"
systemd: always
override_command: false
pre_build_image: true


provisioner:
playbooks:
converge: ../converge.yml
verify: ../verify.yml
inventory:
group_vars:
ca:
step_ca_name: Molecule Test CA
step_ca_user: step-ca-molecule
step_ca_root_password: molecule
step_ca_intermediate_password: molecule-intermediate
step_ca_path: /etc/step-ca-molecule
step_ca_ssh: yes

step_ca_existing_root_file: /tmp/molecule-ca.crt
step_ca_existing_key_file: /tmp/molecule-ca.key
step_ca_existing_key_password: wvTfbyADhoowLZp3RsJ9
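Review bot: staging the fixtures in `/tmp/molecule-ca.crt` and `/tmp/molecule-ca.key` works in a container but does not mirror how an operator stages a CA key on a real host (a root-only directory such as `/root`). Since this scenario is the one users will copy for the remote-import case, placing the files under `/root` would exercise the role's handling of an existing key that is not readable by the `step-ca-molecule` service user, which is the realistic situation.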
29 changes: 29 additions & 0 deletions roles/step_ca/molecule/existing-remote/prepare.yml
@@ -0,0 +1,29 @@
- hosts: "ubuntu:debian"
tasks:
- name: Update apt cache
apt:
update_cache: yes

- hosts: rockylinux:fedora
tasks:
# Required to prevent issues with ansible_default_ipv4 missing
- name: Install iproute
package:
name: iproute

- hosts: all
tasks:
- name: Root cert is present # noqa no-relative-paths
ansible.builtin.copy:
src: "../files/molecule-ca.crt"
dest: "{{ step_ca_existing_root_file }}"
owner: root
group: root
mode: "644"
- name: Root key is present # noqa no-relative-paths
ansible.builtin.copy:
src: "../files/molecule-ca.key"
dest: "{{ step_ca_existing_key_file }}"
owner: root
group: root
mode: "644"
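Review bot: the "Root key is present" task installs the private key with `mode: "644"`, i.e. world-readable; even for a test fixture it should be `"0600"` so the scenario proves the role can read a key with realistic permissions instead of one that happens to be open to every user on the host. Both copy tasks rely on `../files/...` resolving relative to the playbook (hence the `# noqa no-relative-paths`); `"{{ playbook_dir }}/../files/molecule-ca.key"` states that dependency explicitly and lets the lint exception go.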
1 change: 1 addition & 0 deletions roles/step_ca/molecule/existing-remote/requirements.txt
10 changes: 10 additions & 0 deletions roles/step_ca/molecule/files/molecule-ca.crt
@@ -0,0 +1,10 @@
-----BEGIN CERTIFICATE-----
MIIBbzCCARWgAwIBAgIQCjUjHu6fX22br9bhuK4VhzAKBggqhkjOPQQDAjAWMRQw
EgYDVQQDEwttb2xlY3VsZS1jYTAeFw0yMzA3MjMxOTUwNTJaFw0zMzA3MjAxOTUw
NTJaMBYxFDASBgNVBAMTC21vbGVjdWxlLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAE+U7gQ9km5B5Q+1wl+Yf8kEse6ze1UqiH1W7KrkBCCZI2i/rhL4goffLY
oAOD4tnf81Jj2GF5egNxAdgTKrt01KNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud
EwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFHY0q71xVuTRhW1pj4HL8bmSunnkMAoG
CCqGSM49BAMCA0gAMEUCIGCnGMfqV8pUfF3Olr6OpakuuvlsvDdgEqqL/45/O9aD
AiEAidGmtfwztdJ5b+cA8RTA9CVpPicKRZW7cdanpLU8CsE=
-----END CERTIFICATE-----
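Review bot: this is the public certificate of the throwaway test CA (the DER decodes to CN `molecule-ca`, an EC P-256 key and a ten-year validity running to July 2033), so committing it is fine; the matching private key at `molecule/files/molecule-ca.key` referenced by both prepare.yml files, and its password in the scenario group_vars, are in the tree as well. A short README or header comment in `molecule/files/` stating that this key pair exists only for Molecule and must never be imported into a real deployment would make that explicit for anyone browsing the repository.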

0 comments on commit 34ccd12