Refactor conditional generation of CA and certificates

This was previously spread around the code as 'when:' clauses on ansible tasks. This patch refactors the conditional code to be entirely within the dynamic generation of variables in vars/main.yml. Any elements from the default or discovered CA or certificate lists which have condition=false are removed, so no conditionals are required elsewhere in the code. pki_authorities and pki_certificates are defined as empty lists in the ansible defaults to further reduce the need for the use of default() in the rest of the role. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/830806 Change-Id: Iea809406b1d4140b985fcb038663ae0257336463
2022-02-24 09:32:58 +00:00 · 2022-02-24 09:32:58 +00:00 · 9108a8953f
commit 9108a8953f
parent ff358384af
6 changed files with 46 additions and 32 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -14,8 +14,10 @@
 # limitations under the License.

 # CA certificates to create
-# Setting this variable will disable searching for other vars containing authorities
-# pki_authorities: []
+pki_authorities: []
+
+# Global enable/disable of CA generation
+pki_create_ca: true

 # Variable name pattern to search ansible vars for other authority definitions
 pki_search_authorities_pattern: "pki_authorities_"
@ -64,6 +66,9 @@ pki_search_authorities_pattern: "pki_authorities_"
 #
 pki_install_ca: []

+# Variable name pattern to search ansible vars for other certificate definitions
+pki_search_install_ca_pattern: "pki_install_ca_"
+
 # set this to the name of a CA to regenerate, or to 'true' to regenerate all
 pki_regen_ca: ''

@ -73,8 +78,7 @@ pki_trust_store_location:
  dnf: /etc/pki/ca-trust/source/anchors/

 # Server certificates to create
-# Setting this variable will disable searching for other vars containing certificates
-# pki_certificates: []
+pki_certificates: []

 # Variable name pattern to search ansible vars for other certificate definitions
 pki_search_certificates_pattern: "pki_certificates_"
@ -120,6 +124,9 @@ pki_cert_dirs: "{{ _pki_cert_dirs }}"
 # certificates to install
 pki_install_certificates: []

+# Variable name pattern to search ansible vars for other certificate definitions
+pki_search_install_certificates_pattern: "pki_install_certificates_"
+
 # Example variable for installation of server certificates with optional user supplied cert override
 # pki_install_certificates:
 #     # server certificate
--- a/tasks/main_ca.yml
+++ b/tasks/main_ca.yml
@ -30,7 +30,7 @@

 - name: Create certificate authorities
  include_tasks: "{{ pki_method }}/create_ca.yml"
-  loop: "{{ pki_ca_defs }}"
+  loop: "{{ _pki_ca_defs }}"
  loop_control:
    loop_var: ca
  vars:
--- a/tasks/main_ca_install.yml
+++ b/tasks/main_ca_install.yml
@ -19,4 +19,4 @@

 - name: Install certificate authorities
  include_tasks: "{{ pki_method }}/install_ca.yml"
-  when: pki_install_ca | length > 0
+  when: _pki_install_ca_defs | length > 0
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
@ -31,7 +31,7 @@

 - name: Create Server certificates
  include_tasks: "{{ pki_method }}/create_cert.yml"
-  loop: "{{ pki_cert_defs }}"
+  loop: "{{ _pki_certificates_defs }}"
  loop_control:
    loop_var: cert
  vars:
@ -44,8 +44,7 @@
  slurp:
    src: "{{ item.src }}"
  register: _cert_slurp
-  loop: "{{ pki_install_certificates | default([]) }}"
-  when: item.condition | default('True')
+  loop: "{{ _pki_install_certificates_defs }}"

 - name: Create certificate destination directories
  file:
--- a/tasks/standalone/install_ca.yml
+++ b/tasks/standalone/install_ca.yml
@ -19,9 +19,7 @@
    src: "{{ item.src | default(pki_dir ~ '/roots/' ~ item.name ~ '/certs/' ~ item.name ~ '.crt') }}"
  register: _ca_slurp
  run_once: true
-  when:
-    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)
-  loop: "{{ pki_install_ca }}"
+  loop: "{{ _pki_install_ca_defs }}"

 - name: Copy CA certificates to target host
  copy:
--- a/vars/main.yml
+++ b/vars/main.yml
@ -14,27 +14,37 @@
 # limitations under the License.

 # Gather CA definitions from hostvars
-pki_ca_defs: |-
-  {% if pki_authorities is defined %}
-  {%   set _cas = pki_authorities %}
-  {% else %}
-  {%   set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_authorities_pattern ~ '.*') %}
-  {%   set _cas = [] %}
-  {%   for _ca in _ca_search_hits | default([]) %}
-  {%     set _ = _cas.extend(lookup('vars', _ca)) %}
-  {%   endfor %}
-  {% endif %}
+_pki_ca_defs: |-
+  {%  set _cas = pki_authorities %}
+  {%  set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_authorities_pattern ~ '.*') %}
+  {%  for _ca in _ca_search_hits | default([]) %}
+  {%    set _ = _cas.extend(lookup('vars', _ca)) %}
+  {%  endfor %}
+  {{ _cas | rejectattr('condition', 'false') }}
+
+# Gather CA installation definitions from hostvars
+_pki_install_ca_defs: |-
+  {%  set _cas = pki_install_ca %}
+  {%  set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_install_ca_pattern ~ '.*') %}
+  {%  for _ca in _ca_search_hits | default([]) %}
+  {%    set _ = _cas.extend(lookup('vars', _ca)) %}
+  {%  endfor %}
  {{ _cas | rejectattr('condition', 'false') }}

 # Gather certificate definitions from hostvars
-pki_cert_defs: |-
-  {% if pki_certificates is defined %}
-  {%   set _certs = pki_certificates %}
-  {% else %}
-  {%   set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_certificates_pattern ~ '.*') %}
-  {%   set _certs = [] %}
-  {%   for _cert in _cert_search_hits | default([]) %}
-  {%     set _ = _certs.extend(lookup('vars', _cert)) %}
-  {%   endfor %}
-  {% endif %}
+_pki_certificates_defs: |
+  {%  set _certs = pki_certificates %}
+  {%  set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_certificates_pattern ~ '.*') %}
+  {%  for _cert in _cert_search_hits | default([]) %}
+  {%    set _ = _certs.extend(lookup('vars', _cert)) %}
+  {%  endfor %}
+  {{ _certs | rejectattr('condition', 'false') }}
+
+# Gather certificate installation definitions from hostvars
+_pki_install_certificates_defs: |
+  {%  set _certs = pki_install_certificates %}
+  {%  set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_install_certificates_pattern ~ '.*') %}
+  {%  for _cert in _cert_search_hits | default([]) %}
+  {%    set _ = _certs.extend(lookup('vars', _cert)) %}
+  {%  endfor %}
  {{ _certs | rejectattr('condition', 'false') }}