role should be usable via include_role, vars should be possible via loop #145

Open
wants to merge 11 commits into base: main
40 changes: 40 additions & 0 deletions docs/http-challenge/azbs.md
@@ -74,3 +74,43 @@ rewrite \.well-known/acme-challenge/(.*) https://your-storage-account-name.blob.
...
acme_azbs_tenant_id: "2132184-3534543-54354-3543"
```

```yaml
---
- name: Lets Encrypt certificates
hosts: localhost
vars:
acme_account_email: "ssl-admin@example.com"
acme_challenge_provider: "azbs"
acme_use_live_directory: true
acme_convert_cert_to: pfx
acme_azbs_resource_group: "my-resource-group"
acme_azbs_storage_account_name: "my-storage-account-name"
acme_azbs_container_name: "my-container"
acme_azbs_subscription_id: "0000-11111-2222-3333-444444"
acme_azbs_tenant_id: "2132184-3534543-54354-3543"
acme_azbs_client_id: "1234-21231-14152-1231"
acme_azbs_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
...
az_acme_certificates:
example-com:
zone: example.com
subject_alt_name: [ example.com, domain1.example.com, domain2.example.com ]
example2-com:
zone: example2.com
subject_alt_name: [ example2.com, domain1.example2.com, domain2.example2.com ]
tasks:
- name: Create and upload Lets Encrypt certificates
ansible.builtin.include_role:
name: telekom_mms.acme.acme
vars:
acme_domain:
email_address: "ssl-admin@example.com"
certificate_name: "{{ certificate.key }}"
zone: "{{ certificate.value.zone }}"
subject_alt_name: "{{ certificate.value.subject_alt_name }}"
loop: "{{ az_acme_certificates | dict2items }}"
loop_control:
loop_var: certificate
```
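Review bot: in the new playbook example, `email_address: "ssl-admin@example.com"` inside the `include_role` vars repeats the play-level `acme_account_email`; writing it as `email_address: "{{ acme_account_email }}"` keeps the two in sync when a reader copies the example. The loop itself is consistent: `dict2items` on `az_acme_certificates` yields `certificate.key` and `certificate.value.*`, which matches the names used to build `acme_domain`.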
1 change: 1 addition & 0 deletions roles/acme/defaults/main.yml
@@ -1,5 +1,6 @@
---
### global
acme_domain: []
acme_conf_dir: "{{ lookup('env', 'HOME') }}/letsencrypt"
acme_cert_dir: "{{ acme_conf_dir }}/certs"
acme_prerequisites_packagemanager: yum
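Review bot: the new default `acme_domain: []` declares a list, but every use in this PR (`acme_domain.certificate_name`, `acme_domain.zone`) treats it as a dict; `acme_domain: {}` would match the documented shape and pairs with a type-agnostic emptiness check in preconditions.yml.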
7 changes: 7 additions & 0 deletions roles/acme/tasks/preconditions.yml
@@ -6,6 +6,13 @@
- acme_challenge_provider != ""
fail_msg: You need to set acme_challenge_provider with a provider. See documentation for a list of possible providers.

- name: Check if a acme_domain is set
ansible.builtin.assert:
that:
- acme_domain is defined
- acme_domain != []
Collaborator
suggestion: acme_domain is used as a hash, here the check is looking for an empty array. This is close enough that there is no mismatch in Ansible, but I think it would be cleaner to handle it as a {}.

Also applies to the defaults.

fail_msg: You need to set acme_domain. See documentation for a list of possibilities.

- name: Set fact for acme_directory depending on what is set in acme_use_live_directory
ansible.builtin.set_fact:
acme_directory: "{{ acme_use_live_directory | ternary(acme_live_directory, acme_staging_directory) }}"
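Review bot: `acme_domain != []` in the new assert only detects the list default; if the default becomes `{}` an unset variable would pass silently. `acme_domain | length > 0` rejects both an empty list and an empty dict, so the precondition keeps working whichever default is chosen. The task name should also read "Check if acme_domain is set" (no article).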
@@ -0,0 +1,38 @@
---
- name: Test if include_role is working
hosts: localhost
tasks:
- name: Create and upload Lets Encrypt certificates
ansible.builtin.include_role:
name: telekom_mms.acme.acme
public: true
vars:
acme_domain:
certificate_name: dns-pebble.example.com
zone: example.com
email_address: ssl-admin@example.com
subject_alt_name:
- example.com
acme_challenge_provider: pebble
acme_use_live_directory: false
acme_account_email: ssl-admin@example.com
acme_staging_directory: https://localhost:14000/dir
acme_validate_certs: false
post_tasks:
- name: Validate certs
vars:
acme_domain:
certificate_name: dns-pebble.example.com
community.crypto.x509_certificate_info:
path: "{{ acme_cert_path }}"
register: result

- name: Print the certificate
ansible.builtin.debug:
msg: "{{ result }}"

- name: Check if the certificate is correct
ansible.builtin.assert:
that:
- "'DNS:example.com' in result.subject_alt_name"
- "'Pebble Intermediate CA' in result.issuer.commonName"
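Review bot: the `post_tasks` override `acme_domain` with a dict containing only `certificate_name` and then read `acme_cert_path`, which is visible here only because of `public: true` on the include; this works as long as `acme_cert_path` derives from nothing else in `acme_domain`, and a one-line comment stating that dependency would save the next reader a trip into the role's vars. `acme_validate_certs: false` is appropriate for the local Pebble directory at https://localhost:14000/dir but should stay confined to this test play rather than migrating into the docs example.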
@@ -0,0 +1,12 @@
---
- name: Test role if acme_domain is not set
Collaborator
I think checking for errors from a role is a bit more complicated and this seems like a good approach:
https://stackoverflow.com/questions/55521078/how-to-deal-with-errors-coming-from-ansible-roles

Collaborator Author
I tried to add this with 541861e

hosts: localhost
roles:
- telekom_mms.acme.acme
vars:
acme_challenge_provider: pebble
acme_use_live_directory: false
acme_account_email: ssl-admin@example.com
acme_staging_directory: https://localhost:14000/dir
acme_validate_certs: false
ignore_errors: true
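Review bot: with `ignore_errors: true` at play level, the precondition assert this test is meant to exercise is swallowed and the play reports success whether or not `acme_domain` was rejected. Moving the role into `tasks:` as an `include_role` inside a `block:` with a `rescue:` that asserts on the captured failure message (plus a `fail:` after the include for the case where the role unexpectedly succeeds) makes the negative test actually check the behaviour.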
Collaborator
That way this will always succeed. We need to include some tasks at the end that verify the response of the role.

2 changes: 2 additions & 0 deletions tests/integration/targets/acme_letsencrypt/runme.sh
@@ -4,3 +4,5 @@ set -eux

ansible-playbook dns-challenge-pebble.yml
ansible-playbook http-challenge-local.yml
ansible-playbook dns-challenge-include-role.yml
ansible-playbook dns-challenge-missing-acme-domain.yml
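Review bot: `runme.sh` runs under `set -eux`, so `dns-challenge-missing-acme-domain.yml` must exit zero for the suite to pass, which is the pressure that led to `ignore_errors: true` in that playbook. Keeping the expected failure handled inside the playbook (rescue plus assert) is preferable to relaxing the shell options here.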