From 34ccd129badf5c372ad680fce88b13bc8855a257 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Max=20H=C3=B6sel?= Date: Sun, 23 Jul 2023 22:51:36 +0200 Subject: [PATCH] [step-ca] rework existing key role parameters --- roles/step_ca/README.md | 24 ++--- roles/step_ca/defaults/main.yml | 8 +- roles/step_ca/meta/argument_specs.yml | 35 +++---- .../molecule/{default => }/converge.yml | 0 .../molecule/default/files/molecule-ca.crt | 11 --- .../molecule/default/files/molecule-ca.key | 8 -- roles/step_ca/molecule/default/molecule.yml | 9 +- .../molecule/existing-local/molecule.yml | 93 +++++++++++++++++ .../molecule/existing-local/prepare.yml | 12 +++ .../molecule/existing-local/requirements.txt | 1 + .../molecule/existing-remote/molecule.yml | 91 +++++++++++++++++ .../molecule/existing-remote/prepare.yml | 29 ++++++ .../molecule/existing-remote/requirements.txt | 1 + roles/step_ca/molecule/files/molecule-ca.crt | 10 ++ roles/step_ca/molecule/files/molecule-ca.key | 8 ++ .../step_ca/molecule/{default => }/verify.yml | 0 roles/step_ca/tasks/check.yml | 32 +----- roles/step_ca/tasks/init.yml | 99 ++++++++++--------- roles/step_cli/tasks/install.yml | 2 +- 19 files changed, 331 insertions(+), 142 deletions(-) rename roles/step_ca/molecule/{default => }/converge.yml (100%) delete mode 100644 roles/step_ca/molecule/default/files/molecule-ca.crt delete mode 100644 roles/step_ca/molecule/default/files/molecule-ca.key create mode 100644 roles/step_ca/molecule/existing-local/molecule.yml create mode 100644 roles/step_ca/molecule/existing-local/prepare.yml create mode 120000 roles/step_ca/molecule/existing-local/requirements.txt create mode 100644 roles/step_ca/molecule/existing-remote/molecule.yml create mode 100644 roles/step_ca/molecule/existing-remote/prepare.yml create mode 120000 roles/step_ca/molecule/existing-remote/requirements.txt create mode 100644 roles/step_ca/molecule/files/molecule-ca.crt create mode 100644 roles/step_ca/molecule/files/molecule-ca.key rename roles/step_ca/molecule/{default => }/verify.yml (100%) 
diff --git a/roles/step_ca/README.md b/roles/step_ca/README.md index d51e190a..07975810 100644 --- a/roles/step_ca/README.md +++ b/roles/step_ca/README.md @@ -148,21 +148,14 @@ This role will only decrypt the root key for as long as strictly neccessary. --- -##### `step_ca_existing_` -- Whether to use an existing root certificate/key and if so from where to import it from -- Choices: - - `remote`: The root certificate/key is already present on the remote host - - `local`: The root certificate/key is read from the controller -- Note that both cert and key need to be either imported, **or** generated. - For example, you cannot import the key but generate the certificate -- Default: Not set. - - If unset and `_root/key_file` is also unset, a new certificate will be generated - - If unset and `_root/key_file` is set, the files are treated as `remote` to preserve backwards-compatibility to previous collection versions. - This behavior may be removed in a future release - ##### `step_ca_existing__file` - The path of an existing PEM file to be used as the root certificate/key -- Depending on the value of `step_ca_existing_`, the file must either be on the remote host or the controller +- If the file is present on the controller instead of the target node, set `step_ca_existing__is_local`, to `true`. +- Default: not set (will generate a new certificate) + +##### `step_ca_existing__is_local` +- Set to `true` if the file is present on the controller and needs to be copied +- Default: `false` ##### `step_ca_existing_key_password` - Password to decrypt the existing key file 
@@ -171,13 +164,12 @@ This role will only decrypt the root key for as long as strictly neccessary. Example usage: ```yaml -# Select where to import the root certificate from. Can be `remote`, `local`, `false` -step_ca_existing_root: remote +# Import the root certificate from the target node step_ca_existing_root_file: /tmp/existing-ca-root.crt # Same for the key, except that the key is read from the controller -step_ca_existing_key: local step_ca_existing_key_file: /home/controller/secret-ca-key.pem +step_ca_existing_key_is_local: true # If your keyfile is password-protected, you can set the decryption password like so: step_ca_existing_key_password: Very-secret-password ``` diff --git a/roles/step_ca/defaults/main.yml b/roles/step_ca/defaults/main.yml index f0bbf46c..fd330ac9 100644 --- a/roles/step_ca/defaults/main.yml +++ b/roles/step_ca/defaults/main.yml @@ -11,14 +11,14 @@ step_ca_path: /etc/step-ca #step_ca_intermediate_password: step_ca_dns: "{{ ansible_fqdn }},{{ ansible_default_ipv4.address }}" step_ca_address: ":443" +#step_ca_url: +step_ca_ssh: false -#step_ca_existing_root: -#step_ca_existing_key: #step_ca_existing_root_file: +step_ca_existing_root_file_is_local: false #step_ca_existing_key_file: +step_ca_existing_key_file_is_local: false #step_ca_existing_key_password: -#step_ca_url: -step_ca_ssh: false #step_ca_ra: #step_ca_ra_issuer: diff --git a/roles/step_ca/meta/argument_specs.yml b/roles/step_ca/meta/argument_specs.yml index f6695dc6..6864e8f8 100644 --- a/roles/step_ca/meta/argument_specs.yml +++ b/roles/step_ca/meta/argument_specs.yml 
@@ -115,34 +115,29 @@ argument_specs: default: no description: Create keys to sign SSH certificates # Existing cert options - step_ca_existing_root: - type: str - choices: - - remote - - local - description: Whether to use an existing root certificate and if so from where to import it from - step_ca_existing_key: - type: str - choices: - - remote - - local - description: - - Whether to use an existing root key and if so from where to import it from - - Note that both cert and key need to be either imported, B(or) generated. For example, you cannot import the key but generate the certificate - - Note that if this is unset and I(step_ca_existing_root/key_file) is set, the files are treated as C(remote) to preserve backwards-compatibility to previous collection versions. This behavior may be removed in a future release - step_ca_existing_key_password: - type: str - description: Password to decrypt the root key step_ca_existing_root_file: type: path description: - The path of an existing PEM file to be used as the root certificate authority - - Depending on the value of I(step_ca_existing_root), the file must either be on the remote host or the controller + - If the file is present on the controller instead of the target node, set I(step_ca_existing_root_file_is_local), to C(true). step_ca_existing_key_file: type: path description: - The path of an existing key file of the root certificate authority - - Depending on the value of I(step_ca_existing_key), the file must either be on the remote host or the controller + - If the file is present on the controller instead of the target node, set I(step_ca_existing_key_file_is_local), to C(true). 
+ step_ca_existing_root_file_is_local: + type: bool + default: false + description: + - Set to C(true) if the file is present on the controller and needs to be copied + step_ca_existing_key_file_is_local: + type: bool + default: false + description: + - Set to C(true) if the file is present on the controller and needs to be copied + step_ca_existing_key_password: + type: str + description: Password to decrypt the root key # RA options step_ca_ra: type: str diff --git a/roles/step_ca/molecule/default/converge.yml b/roles/step_ca/molecule/converge.yml similarity index 100% rename from roles/step_ca/molecule/default/converge.yml rename to roles/step_ca/molecule/converge.yml diff --git a/roles/step_ca/molecule/default/files/molecule-ca.crt b/roles/step_ca/molecule/default/files/molecule-ca.crt deleted file mode 100644 index cf3e7853..00000000 --- a/roles/step_ca/molecule/default/files/molecule-ca.crt +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBfzCCASWgAwIBAgIQJN1QoYKaqU/KmTWSy1UFqjAKBggqhkjOPQQDAjAeMRww -GgYDVQQDExNzdGVwLWNhLmxvY2FsZG9tYWluMB4XDTIyMDgxMTE2NDEwN1oXDTMy -MDgwODE2NDEwN1owHjEcMBoGA1UEAxMTc3RlcC1jYS5sb2NhbGRvbWFpbjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABF8Kbr0GWEAq4bP+AwqMuc1F/OKBgB1MA/Lp -B+NxIWOFZMmZqyLc67MIlSJk37UC0sl/ejoT5Rg8uTepjoo4nmKjRTBDMA4GA1Ud -DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQuz9HWRWvK -LTORHkgSxFR8yW2tWDAKBggqhkjOPQQDAgNIADBFAiEAo7ZmxTvmriuexlJqA8nP -nCFzw02oGVa5f23WgxJ7XeQCIEynfdvu6NrGG4hVv0YggxzSLFuaXq4L7zxUMcbF -3Ydj ------END CERTIFICATE----- diff --git a/roles/step_ca/molecule/default/files/molecule-ca.key b/roles/step_ca/molecule/default/files/molecule-ca.key deleted file mode 100644 index 45607f3a..00000000 --- a/roles/step_ca/molecule/default/files/molecule-ca.key +++ /dev/null 
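Review bot: The new descriptions no longer state that `step_ca_existing_root_file` and `step_ca_existing_key_file` must be given together, even though the rewritten assert in tasks/check.yml still fails when only one is set; the removed `step_ca_existing_key` text was the only place this was documented. Add a bullet to both `_file` entries such as `- Must be set together with I(step_ca_existing_key_file); providing only one of the two files makes the role fail.` (and the mirror for the key). The two `_is_local` descriptions say "the file" without naming it — `Set to C(true) if I(step_ca_existing_root_file) is present on the controller and needs to be copied to the target node` reads unambiguously. The `_file` descriptions also carry a stray comma in "set I(...), to C(true)"; the same sentence appears in the README hunk.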
@@ -1,8 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,1a5da2d5ab6e618cd0167b285812b6da - -53LaszcAsi96AxwMj2tYSC2SqYksLWAs7VBoOFTTPcmHLGqoIUyclaocP2/RFsUa -cBl1AY4h49lD8RdAei4vzdXQz9PG6IYjUGiLV87SeTaD+osfVUbO4GPglUayW3h7 -dXReQk4uG6Ios828KV7cdO+XRK2s7YEF1VSrimrXJNo= ------END EC PRIVATE KEY----- diff --git a/roles/step_ca/molecule/default/molecule.yml b/roles/step_ca/molecule/default/molecule.yml index fba82461..1efd3e22 100644 --- a/roles/step_ca/molecule/default/molecule.yml +++ b/roles/step_ca/molecule/default/molecule.yml @@ -73,6 +73,9 @@ platforms: provisioner: + playbooks: + converge: ../converge.yml + verify: ../verify.yml inventory: group_vars: ca: @@ -82,9 +85,3 @@ provisioner: step_ca_intermediate_password: molecule-intermediate step_ca_path: /etc/step-ca-molecule step_ca_ssh: yes - - step_ca_existing_root: local - step_ca_existing_root_file: files/molecule-ca.crt - step_ca_existing_key: local - step_ca_existing_key_file: files/molecule-ca.key - step_ca_existing_key_password: molecule diff --git a/roles/step_ca/molecule/existing-local/molecule.yml b/roles/step_ca/molecule/existing-local/molecule.yml new file mode 100644 index 00000000..ee2ef5ca --- /dev/null +++ b/roles/step_ca/molecule/existing-local/molecule.yml 
@@ -0,0 +1,93 @@ +platforms: + - name: step-ca-ubuntu-22 + groups: + - ubuntu + - ca + image: "docker.io/geerlingguy/docker-ubuntu2204-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-ubuntu-20 + groups: + - ubuntu + - ca + image: "docker.io/geerlingguy/docker-ubuntu2004-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-ubuntu-18 + groups: + - ubuntu + - ca + image: "docker.io/geerlingguy/docker-ubuntu1804-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-debian-11 + groups: + - debian + - ca + image: "docker.io/geerlingguy/docker-debian11-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-debian-10 + groups: + - debian + - ca + image: "docker.io/geerlingguy/docker-debian10-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-rockylinux-9 + groups: + - rockylinux + - ca + image: "docker.io/geerlingguy/docker-rockylinux9-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-rockylinux-8 + groups: + - rockylinux + - ca + image: "docker.io/geerlingguy/docker-rockylinux8-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-fedora-36 + groups: + - fedora + - ca + image: "docker.io/geerlingguy/docker-fedora36-ansible" + systemd: always + override_command: false + pre_build_image: true + + +provisioner: + playbooks: + converge: ../converge.yml + verify: ../verify.yml + inventory: + group_vars: + ca: + step_ca_name: Molecule Test CA + step_ca_user: step-ca-molecule + step_ca_root_password: molecule + step_ca_intermediate_password: molecule-intermediate + step_ca_path: /etc/step-ca-molecule + step_ca_ssh: yes + + step_ca_existing_root_file_is_local: true + step_ca_existing_root_file: ../files/molecule-ca.crt + step_ca_existing_key_file_is_local: true + 
step_ca_existing_key_file: ../files/molecule-ca.key + step_ca_existing_key_password: wvTfbyADhoowLZp3RsJ9 diff --git a/roles/step_ca/molecule/existing-local/prepare.yml b/roles/step_ca/molecule/existing-local/prepare.yml new file mode 100644 index 00000000..ebf94e78 --- /dev/null +++ b/roles/step_ca/molecule/existing-local/prepare.yml @@ -0,0 +1,12 @@ +- hosts: "ubuntu:debian" + tasks: + - name: Update apt cache + apt: + update_cache: yes + +- hosts: rockylinux:fedora + tasks: + # Required to prevent issues with ansible_default_ipv4 missing + - name: Install iproute + package: + name: iproute diff --git a/roles/step_ca/molecule/existing-local/requirements.txt b/roles/step_ca/molecule/existing-local/requirements.txt new file mode 120000 index 00000000..0bd8d018 --- /dev/null +++ b/roles/step_ca/molecule/existing-local/requirements.txt @@ -0,0 +1 @@ +../../../../tests/roles/requirements.txt \ No newline at end of file diff --git a/roles/step_ca/molecule/existing-remote/molecule.yml b/roles/step_ca/molecule/existing-remote/molecule.yml new file mode 100644 index 00000000..53979811 --- /dev/null +++ b/roles/step_ca/molecule/existing-remote/molecule.yml 
@@ -0,0 +1,91 @@ +platforms: + - name: step-ca-ubuntu-22 + groups: + - ubuntu + - ca + image: "docker.io/geerlingguy/docker-ubuntu2204-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-ubuntu-20 + groups: + - ubuntu + - ca + image: "docker.io/geerlingguy/docker-ubuntu2004-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-ubuntu-18 + groups: + - ubuntu + - ca + image: "docker.io/geerlingguy/docker-ubuntu1804-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-debian-11 + groups: + - debian + - ca + image: "docker.io/geerlingguy/docker-debian11-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-debian-10 + groups: + - debian + - ca + image: "docker.io/geerlingguy/docker-debian10-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-rockylinux-9 + groups: + - rockylinux + - ca + image: "docker.io/geerlingguy/docker-rockylinux9-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-rockylinux-8 + groups: + - rockylinux + - ca + image: "docker.io/geerlingguy/docker-rockylinux8-ansible" + systemd: always + override_command: false + pre_build_image: true + + - name: step-ca-fedora-36 + groups: + - fedora + - ca + image: "docker.io/geerlingguy/docker-fedora36-ansible" + systemd: always + override_command: false + pre_build_image: true + + +provisioner: + playbooks: + converge: ../converge.yml + verify: ../verify.yml + inventory: + group_vars: + ca: + step_ca_name: Molecule Test CA + step_ca_user: step-ca-molecule + step_ca_root_password: molecule + step_ca_intermediate_password: molecule-intermediate + step_ca_path: /etc/step-ca-molecule + step_ca_ssh: yes + + step_ca_existing_root_file: /tmp/molecule-ca.crt + step_ca_existing_key_file: /tmp/molecule-ca.key + step_ca_existing_key_password: 
wvTfbyADhoowLZp3RsJ9 diff --git a/roles/step_ca/molecule/existing-remote/prepare.yml b/roles/step_ca/molecule/existing-remote/prepare.yml new file mode 100644 index 00000000..15597f95 --- /dev/null +++ b/roles/step_ca/molecule/existing-remote/prepare.yml @@ -0,0 +1,29 @@ +- hosts: "ubuntu:debian" + tasks: + - name: Update apt cache + apt: + update_cache: yes + +- hosts: rockylinux:fedora + tasks: + # Required to prevent issues with ansible_default_ipv4 missing + - name: Install iproute + package: + name: iproute + +- hosts: all + tasks: + - name: Root cert is present # noqa no-relative-paths + ansible.builtin.copy: + src: "../files/molecule-ca.crt" + dest: "{{ step_ca_existing_root_file }}" + owner: root + group: root + mode: "644" + - name: Root key is present # noqa no-relative-paths + ansible.builtin.copy: + src: "../files/molecule-ca.key" + dest: "{{ step_ca_existing_key_file }}" + owner: root + group: root + mode: "644" diff --git a/roles/step_ca/molecule/existing-remote/requirements.txt b/roles/step_ca/molecule/existing-remote/requirements.txt new file mode 120000 index 00000000..0bd8d018 --- /dev/null +++ b/roles/step_ca/molecule/existing-remote/requirements.txt @@ -0,0 +1 @@ +../../../../tests/roles/requirements.txt \ No newline at end of file diff --git a/roles/step_ca/molecule/files/molecule-ca.crt b/roles/step_ca/molecule/files/molecule-ca.crt new file mode 100644 index 00000000..8673928d --- /dev/null +++ b/roles/step_ca/molecule/files/molecule-ca.crt 
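Review bot: The "Root key is present" task in existing-remote/prepare.yml drops the private key on the target with `mode: "644"`, so it is world-readable for the whole scenario run; the role's own copy tasks in tasks/init.yml use 0600 for the same material, and the fixture should match that so the scenario exercises the permissions a real deployment would have. Change the key task to `mode: "0600"`, and write the cert's mode as `"0644"` so both are in the leading-zero octal form Ansible documents (ansible-lint's risky-octal rule flags the bare "644" form). Whether `step_ca_user` can later read a root-owned 0600 key depends on how the role escalates privileges, which is outside this hunk — worth confirming against the converge run.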
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCCARWgAwIBAgIQCjUjHu6fX22br9bhuK4VhzAKBggqhkjOPQQDAjAWMRQw +EgYDVQQDEwttb2xlY3VsZS1jYTAeFw0yMzA3MjMxOTUwNTJaFw0zMzA3MjAxOTUw +NTJaMBYxFDASBgNVBAMTC21vbGVjdWxlLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAE+U7gQ9km5B5Q+1wl+Yf8kEse6ze1UqiH1W7KrkBCCZI2i/rhL4goffLY +oAOD4tnf81Jj2GF5egNxAdgTKrt01KNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud +EwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFHY0q71xVuTRhW1pj4HL8bmSunnkMAoG +CCqGSM49BAMCA0gAMEUCIGCnGMfqV8pUfF3Olr6OpakuuvlsvDdgEqqL/45/O9aD +AiEAidGmtfwztdJ5b+cA8RTA9CVpPicKRZW7cdanpLU8CsE= +-----END CERTIFICATE----- diff --git a/roles/step_ca/molecule/files/molecule-ca.key b/roles/step_ca/molecule/files/molecule-ca.key new file mode 100644 index 00000000..9dcd67a3 --- /dev/null +++ b/roles/step_ca/molecule/files/molecule-ca.key @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,3232c140b77ec974a024556a397280e0 + +Oo2Y9BkmT9YkZ5+fnKOsz+XkgtxakEmiLY52LXHnXqp0aaH+nfmVIArPf0chSM9K +H6Zga55syCgCRpELzvFVqUHOntYvVAhavVlBZLxw72EFxQQFVn8irv2IEPC6SpJ0 +WLmcPnsCtHuhc2VxvrZQNcaHHyA1MKa5gEojwpZB5OM= +-----END EC PRIVATE KEY----- diff --git a/roles/step_ca/molecule/default/verify.yml b/roles/step_ca/molecule/verify.yml similarity index 100% rename from roles/step_ca/molecule/default/verify.yml rename to roles/step_ca/molecule/verify.yml diff --git a/roles/step_ca/tasks/check.yml b/roles/step_ca/tasks/check.yml index 91d0a1a2..0fb76bbd 100644 --- a/roles/step_ca/tasks/check.yml +++ b/roles/step_ca/tasks/check.yml 
@@ -1,37 +1,15 @@ --- -- name: Verify that step_ca_name and step_ca_root_password are set # noqa no-log-password - assert: - that: - - step_ca_name is defined - - step_ca_name | length > 0 - - step_ca_root_password is defined - - step_ca_root_password | length > 0 - fail_msg: step_ca_name and step_ca_root_password must both be set - when: ansible_version.string is version('2.11.1', '<') - -# Kept for backwards-compatibility with older collection versions. -# Can be combined with the explicit check below when the backwards-compatibile existing keyfile logic is removed -- name: Verify existing root cert/key parameters +- name: Verify explicit root cert/key parameters assert: that: + - step_ca_existing_key_file is defined + - step_ca_existing_root_file is defined - step_ca_existing_root_file | length > 0 - step_ca_existing_key_file | length > 0 fail_msg: existing_key/cert_file variables must be passed as a group when: > - step_ca_existing_root_file is defined or - step_ca_existing_key_file is defined - -- name: Verify explicit root cert/key positions - assert: - that: - - step_ca_existing_key - - step_ca_existing_root - - step_ca_existing_root_file | length > 0 - - step_ca_existing_key_file | length > 0 - fail_msg: existing_key/cert and existing_key/cert_file variables must be passed as a group - when: > - step_ca_existing_key is defined or - step_ca_existing_root is defined + step_ca_existing_key_file is defined or + step_ca_existing_root_file is defined - name: Verify existing root key/password assert: diff --git a/roles/step_ca/tasks/init.yml b/roles/step_ca/tasks/init.yml index 1e134944..3bd6a3fb 100644 --- a/roles/step_ca/tasks/init.yml +++ b/roles/step_ca/tasks/init.yml 
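Review bot: Removing the version-gated "Verify that step_ca_name and step_ca_root_password are set" task leaves those two variables unchecked on Ansible releases older than 2.11.1, where meta/argument_specs validation is not applied; the hunk gives no indication that the supported minimum version was raised at the same time. If the collection still supports those releases, keep the guarded assert (including its `# noqa no-log-password` marker); otherwise note the new minimum in the role documentation so the removal is deliberate. The reordering of the new assert — `is defined` tests before the `| length > 0` tests — is correct, since the length filter on an undefined variable would otherwise raise a template error instead of the intended `fail_msg`.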
@@ -16,6 +16,54 @@ - name: Initialize CA block: + - name: Set up existing root and key file + when: + - step_ca_existing_key_file is defined + - step_ca_existing_root_file is defined + block: + - name: Set root and key file paths + set_fact: + _step_ca_resolved_root_file: "{{ step_ca_existing_root_file_is_local | ternary(step_ca_root_temp_file, step_ca_existing_root_file) }}" + _step_ca_resolved_key_file: "{{ step_ca_existing_key_file_is_local | ternary(step_ca_key_temp_file, step_ca_existing_key_file) }}" + - name: Copy root cert from controller + block: + - name: Copy cert file + copy: + src: "{{ step_ca_existing_root_file }}" + dest: "{{ step_ca_root_temp_file }}" + owner: "{{ step_ca_user }}" + mode: 0600 + group: "{{ step_ca_user }}" + when: step_ca_existing_root_file_is_local + - name: Copy root key from controller + block: + - name: Copy key file + copy: + src: "{{ step_ca_existing_key_file }}" + dest: "{{ step_ca_key_temp_file }}" + owner: "{{ step_ca_user }}" + mode: 0600 + group: "{{ step_ca_user }}" + when: step_ca_existing_key_file_is_local + - name: Decrypt existing key file + block: + - name: Copy password to temporary file + copy: + content: "{{ step_ca_existing_key_password }}" + dest: "{{ step_ca_existing_key_password_file }}" + owner: "{{ step_ca_user }}" + mode: 0600 + group: "{{ step_ca_user }}" + no_log: yes + - name: Decrypt temporary root key # noqa no-changed-when + command: >- + {{ step_cli_executable }} crypto change-pass + {{ _step_ca_resolved_key_file }} + --out={{ _step_ca_resolved_key_file }} + --password-file={{ step_ca_existing_key_password_file }} + --insecure --no-password --force + when: step_ca_existing_key_password is defined + - name: Create root key password file # noqa no-changed-when copy: content: "{{ step_ca_root_password }}" 
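Review bot: "Decrypt temporary root key" now passes `--out={{ _step_ca_resolved_key_file }}`, and for a key that is not local `_step_ca_resolved_key_file` is the user's own `step_ca_existing_key_file`, so `step crypto change-pass ... --no-password --force` rewrites the operator's encrypted key on the target as an unprotected plaintext key in place; the previous code always wrote to `step_ca_key_temp_file`. That contradicts the README statement that the role only decrypts the root key for as long as strictly necessary, and the decrypted copy outlives the role run. Keep the output in the temp file and re-point the resolved fact at it afterwards, as below; the temp-file cleanup, if any, is in an `always:` section outside this hunk and should be confirmed to cover `step_ca_key_temp_file`. The new copy tasks also use the bare `mode: 0600` form, which ansible-lint's risky-octal rule flags — `mode: "0600"` is the safer spelling.

```yaml
- name: Decrypt existing key file
  block:
    # … unchanged: Copy password to temporary file …
    - name: Decrypt temporary root key # noqa no-changed-when
      command: >-
        {{ step_cli_executable }} crypto change-pass
        {{ _step_ca_resolved_key_file }}
        --out={{ step_ca_key_temp_file }}
        --password-file={{ step_ca_existing_key_password_file }}
        --insecure --no-password --force
    - name: Use the decrypted temp file as the root key
      set_fact:
        _step_ca_resolved_key_file: "{{ step_ca_key_temp_file }}"
  when: step_ca_existing_key_password is defined
```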
@@ -24,53 +72,6 @@ mode: 0600 group: "{{ step_ca_user }}" no_log: yes - - name: Copy root cert from controller - block: - - name: Copy cert file - copy: - src: "{{ step_ca_existing_root_file }}" - dest: "{{ step_ca_root_temp_file }}" - owner: "{{ step_ca_user }}" - mode: 0600 - group: "{{ step_ca_user }}" - - name: Use the temp file as remote root cert - set_fact: - step_ca_existing_root_file: "{{ step_ca_root_temp_file }}" - when: step_ca_existing_root|d('') == 'local' - - name: Copy root key from controller - block: - - name: Copy key file - copy: - src: "{{ step_ca_existing_key_file }}" - dest: "{{ step_ca_key_temp_file }}" - owner: "{{ step_ca_user }}" - mode: 0600 - group: "{{ step_ca_user }}" - - name: Use the temp file as remote root key - set_fact: - step_ca_existing_key_file: "{{ step_ca_key_temp_file }}" - when: step_ca_existing_key|d('') == 'local' - - name: Decrypt root key - block: - - name: Copy password to temporary file - copy: - content: "{{ step_ca_existing_key_password }}" - dest: "{{ step_ca_existing_key_password_file }}" - owner: "{{ step_ca_user }}" - mode: 0600 - group: "{{ step_ca_user }}" - no_log: yes - - name: Decrypt temporary root key # noqa no-changed-when - command: >- - {{ step_cli_executable }} crypto change-pass - {{ step_ca_existing_key_file }} - --out={{ step_ca_key_temp_file }} - --password-file={{ step_ca_existing_key_password_file }} - --insecure --no-password --force - - name: Use the temp file as remote root key - set_fact: - step_ca_existing_key_file: "{{ step_ca_key_temp_file }}" - when: step_ca_existing_key_password is defined - name: Initialize CA # noqa no-changed-when command: >- {{ step_cli_executable }} ca init 
@@ -82,8 +83,8 @@ --provisioner-password-file={{ step_ca_root_password_file | quote }} {% if step_ca_url is defined %} --with-ca-url={{ step_ca_url | quote }}{% endif %} {% if step_ca_ssh %} --ssh{% endif %} - {% if step_ca_existing_root_file is defined %} --root={{ step_ca_existing_root_file | quote }}{% endif %} - {% if step_ca_existing_key_file is defined %} --key={{ step_ca_existing_key_file | quote }}{% endif %} + {% if step_ca_existing_root_file is defined %} --root={{ _step_ca_resolved_root_file | quote }}{% endif %} + {% if step_ca_existing_key_file is defined %} --key={{ _step_ca_resolved_key_file | quote }}{% endif %} {% if step_ca_ra is defined %} --ra={{ step_ca_ra | quote }}{% endif %} {% if step_ca_ra_issuer is defined %} --issuer={{ step_ca_ra_issuer | quote }}{% endif %} {% if step_ca_ra_credentials_file is defined %} --credentials-file={{ step_ca_ra_credentials_file | quote }}{% endif %} diff --git a/roles/step_cli/tasks/install.yml b/roles/step_cli/tasks/install.yml index 31d95cbb..d29b9141 100644 --- a/roles/step_cli/tasks/install.yml +++ b/roles/step_cli/tasks/install.yml @@ -35,7 +35,7 @@ args: executable: /bin/bash # mv does not automatically set selinux labels, so we have to do it ourselves - - name: Restore SELinux context for binary + - name: Restore SELinux context for binary # noqa no-changed-when command: "restorecon -v {{ _step_cli_install_path }}" when: ansible_selinux is defined and ansible_selinux and ansible_selinux.status == 'enabled' always:
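Review bot: The `--root`/`--key` arguments are now guarded by `step_ca_existing_root_file is defined` but expand `_step_ca_resolved_root_file`/`_step_ca_resolved_key_file`, facts that are only set inside the "Set up existing root and key file" block, which itself requires both file variables to be defined; if a caller sets just one of them, the guard passes and the template hits an undefined fact instead of a clear error. Today tasks/check.yml's assert prevents that combination, but the command should not depend on task ordering in another file — guard on the fact itself, `{% if _step_ca_resolved_root_file is defined %} --root={{ _step_ca_resolved_root_file | quote }}{% endif %}` and the same for `--key`. The `ca init` command continues outside the hunk.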
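Review bot: Adding `# noqa no-changed-when` to "Restore SELinux context for binary" silences the lint warning but leaves the task reporting changed on every run, so a play that only re-labels is indistinguishable from one that actually changed something. Since the command already runs `restorecon -v`, which prints a line only when a label is actually changed, register the result and derive the state from it: `register: _step_cli_restorecon` and `changed_when: _step_cli_restorecon.stdout | length > 0`, dropping the noqa marker.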