openstack/ansible-role-pki
Code Issues Proposed changes

Refactor conditional generation of CA and certificates

Browse Source 
This was previously spread around the code as 'when:' clauses on ansible
tasks.

This patch refactors the conditional code to be entirely within the
dynamic generation of variables in vars/main.yml. Any elements from
the default or discovered CA or certificate lists which have
condition=false are removed, so no conditionals are required elsewhere
in the code.

pki_authorities and pki_certificates are defined as empty lists in the
ansible defaults to further reduce the need for the use of default()
in the rest of the role.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/830806
Change-Id: Iea809406b1d4140b985fcb038663ae0257336463
This commit is contained in:
Jonathan Rosser 2022-02-24 09:32:58 +00:00
parent ff358384af
commit 9108a8953f
6 changed files with 46 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
defaults/main.yml
View File

@ -14,8 +14,10 @@
# limitations under the License. # limitations under the License.
# CA certificates to create # CA certificates to create
# Setting this variable will disable searching for other vars containing authorities pki_authorities: []
# pki_authorities: []
# Global enable/disable of CA generation
pki_create_ca: true
# Variable name pattern to search ansible vars for other authority definitions # Variable name pattern to search ansible vars for other authority definitions
pki_search_authorities_pattern: "pki_authorities_" pki_search_authorities_pattern: "pki_authorities_"
@ -64,6 +66,9 @@ pki_search_authorities_pattern: "pki_authorities_"
# #
pki_install_ca: [] pki_install_ca: []
# Variable name pattern to search ansible vars for other certificate definitions
pki_search_install_ca_pattern: "pki_install_ca_"
# set this to the name of a CA to regenerate, or to 'true' to regenerate all # set this to the name of a CA to regenerate, or to 'true' to regenerate all
pki_regen_ca: '' pki_regen_ca: ''
@ -73,8 +78,7 @@ pki_trust_store_location:
dnf: /etc/pki/ca-trust/source/anchors/ dnf: /etc/pki/ca-trust/source/anchors/
# Server certificates to create # Server certificates to create
# Setting this variable will disable searching for other vars containing certificates pki_certificates: []
# pki_certificates: []
# Variable name pattern to search ansible vars for other certificate definitions # Variable name pattern to search ansible vars for other certificate definitions
pki_search_certificates_pattern: "pki_certificates_" pki_search_certificates_pattern: "pki_certificates_"
@ -120,6 +124,9 @@ pki_cert_dirs: "{{ _pki_cert_dirs }}"
# certificates to install # certificates to install
pki_install_certificates: [] pki_install_certificates: []
# Variable name pattern to search ansible vars for other certificate definitions
pki_search_install_certificates_pattern: "pki_install_certificates_"
# Example variable for installation of server certificates with optional user supplied cert override # Example variable for installation of server certificates with optional user supplied cert override
# pki_install_certificates: # pki_install_certificates:
# # server certificate # # server certificate

2
tasks/main_ca.yml
View File

@ -30,7 +30,7 @@
- name: Create certificate authorities - name: Create certificate authorities
include_tasks: "{{ pki_method }}/create_ca.yml" include_tasks: "{{ pki_method }}/create_ca.yml"
loop: "{{ pki_ca_defs }}" loop: "{{ _pki_ca_defs }}"
loop_control: loop_control:
loop_var: ca loop_var: ca
vars: vars:

2
tasks/main_ca_install.yml
View File

@ -19,4 +19,4 @@
- name: Install certificate authorities - name: Install certificate authorities
include_tasks: "{{ pki_method }}/install_ca.yml" include_tasks: "{{ pki_method }}/install_ca.yml"
when: pki_install_ca | length > 0 when: _pki_install_ca_defs | length > 0

5
tasks/main_certs.yml
View File

@ -31,7 +31,7 @@
- name: Create Server certificates - name: Create Server certificates
include_tasks: "{{ pki_method }}/create_cert.yml" include_tasks: "{{ pki_method }}/create_cert.yml"
loop: "{{ pki_cert_defs }}" loop: "{{ _pki_certificates_defs }}"
loop_control: loop_control:
loop_var: cert loop_var: cert
vars: vars:
@ -44,8 +44,7 @@
slurp: slurp:
src: "{{ item.src }}" src: "{{ item.src }}"
register: _cert_slurp register: _cert_slurp
loop: "{{ pki_install_certificates | default([]) }}" loop: "{{ _pki_install_certificates_defs }}"
when: item.condition | default('True')
- name: Create certificate destination directories - name: Create certificate destination directories
file: file:

4
tasks/standalone/install_ca.yml
View File

@ -19,9 +19,7 @@
src: "{{ item.src | default(pki_dir ~ '/roots/' ~ item.name ~ '/certs/' ~ item.name ~ '.crt') }}" src: "{{ item.src | default(pki_dir ~ '/roots/' ~ item.name ~ '/certs/' ~ item.name ~ '.crt') }}"
register: _ca_slurp register: _ca_slurp
run_once: true run_once: true
when: loop: "{{ _pki_install_ca_defs }}"
- (item.condition is defined and item.condition | bool) or (item.condition is not defined)
loop: "{{ pki_install_ca }}"
- name: Copy CA certificates to target host - name: Copy CA certificates to target host
copy: copy:

50
vars/main.yml
View File

@ -14,27 +14,37 @@
# limitations under the License. # limitations under the License.
# Gather CA definitions from hostvars # Gather CA definitions from hostvars
pki_ca_defs: |- _pki_ca_defs: |-
{% if pki_authorities is defined %} {% set _cas = pki_authorities %}
{% set _cas = pki_authorities %} {% set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_authorities_pattern ~ '.*') %}
{% else %} {% for _ca in _ca_search_hits | default([]) %}
{% set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_authorities_pattern ~ '.*') %} {% set _ = _cas.extend(lookup('vars', _ca)) %}
{% set _cas = [] %} {% endfor %}
{% for _ca in _ca_search_hits | default([]) %} {{ _cas | rejectattr('condition', 'false') }}
{% set _ = _cas.extend(lookup('vars', _ca)) %}
{% endfor %} # Gather CA installation definitions from hostvars
{% endif %} _pki_install_ca_defs: |-
{% set _cas = pki_install_ca %}
{% set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_install_ca_pattern ~ '.*') %}
{% for _ca in _ca_search_hits | default([]) %}
{% set _ = _cas.extend(lookup('vars', _ca)) %}
{% endfor %}
{{ _cas | rejectattr('condition', 'false') }} {{ _cas | rejectattr('condition', 'false') }}
# Gather certificate definitions from hostvars # Gather certificate definitions from hostvars
pki_cert_defs: |- _pki_certificates_defs: |
{% if pki_certificates is defined %} {% set _certs = pki_certificates %}
{% set _certs = pki_certificates %} {% set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_certificates_pattern ~ '.*') %}
{% else %} {% for _cert in _cert_search_hits | default([]) %}
{% set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_certificates_pattern ~ '.*') %} {% set _ = _certs.extend(lookup('vars', _cert)) %}
{% set _certs = [] %} {% endfor %}
{% for _cert in _cert_search_hits | default([]) %} {{ _certs | rejectattr('condition', 'false') }}
{% set _ = _certs.extend(lookup('vars', _cert)) %}
{% endfor %} # Gather certificate installation definitions from hostvars
{% endif %} _pki_install_certificates_defs: |
{% set _certs = pki_install_certificates %}
{% set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_install_certificates_pattern ~ '.*') %}
{% for _cert in _cert_search_hits | default([]) %}
{% set _ = _certs.extend(lookup('vars', _cert)) %}
{% endfor %}
{{ _certs | rejectattr('condition', 'false') }} {{ _certs | rejectattr('condition', 'false') }}