-rw-r--r--ansible/roles/certificates/defaults/main.yml8
-rw-r--r--ansible/roles/certificates/handlers/main.yml2
-rw-r--r--ansible/roles/certificates/molecule/default/tests/test_default.py4
-rw-r--r--ansible/roles/certificates/molecule/default/tests/test_infrastructure.py8
-rw-r--r--ansible/roles/certificates/molecule/ubuntu/.gitignore1
l---------ansible/roles/certificates/molecule/ubuntu/group_vars1
l---------ansible/roles/certificates/molecule/ubuntu/host_vars1
-rw-r--r--ansible/roles/certificates/molecule/ubuntu/molecule.yml69
-rw-r--r--ansible/roles/certificates/tasks/upload_root_ca.yml2
9 files changed, 92 insertions, 4 deletions
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
index ad3422c9..a8bc1769 100644
--- a/ansible/roles/certificates/defaults/main.yml
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -2,3 +2,11 @@
# Generate certs to local current dir where ansible in run (= playbook_dir)
# After ansible run, dir can be deleted but idempotence is lost and certs are re-generated in next run
certificates_local_dir: "{{ playbook_dir }}/certs"
+root_ca_path:
+ RedHat: "/etc/pki/ca-trust/source/anchors/"
+ Debian: "/usr/local/share/ca-certificates/"
+extract_root_cert:
+ RedHat:
+ update_command: /usr/bin/update-ca-trust extract
+ Debian:
+ update_command: update-ca-certificates
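Review bot: The Debian entry on the last line uses a bare command name while the RedHat entry is an absolute path, so the handler's `command:` resolves `update-ca-certificates` through whatever PATH the remote user has; a trust-store update is exactly the kind of step that should not depend on PATH. Use `update_command: /usr/sbin/update-ca-certificates` to match the RedHat entry. It would also help to document the Debian constraint next to `root_ca_path`, e.g. `# Debian: update-ca-certificates only picks up files ending in .crt in this directory` — the role copies rootCA.crt, so it works today, but a rename would silently stop the anchor from being trusted.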
diff --git a/ansible/roles/certificates/handlers/main.yml b/ansible/roles/certificates/handlers/main.yml
index 579b5228..ed80f53f 100644
--- a/ansible/roles/certificates/handlers/main.yml
+++ b/ansible/roles/certificates/handlers/main.yml
@@ -1,5 +1,5 @@
---
- name: Extract root certificate
- command: /usr/bin/update-ca-trust extract
+ command: "{{ extract_root_cert[ansible_os_family].update_command }}"
changed_when: true # this handler is executed just when there is a new cert
notify: Restart Docker
diff --git a/ansible/roles/certificates/molecule/default/tests/test_default.py b/ansible/roles/certificates/molecule/default/tests/test_default.py
index d4314e56..16931fb7 100644
--- a/ansible/roles/certificates/molecule/default/tests/test_default.py
+++ b/ansible/roles/certificates/molecule/default/tests/test_default.py
@@ -12,8 +12,10 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
])
def test_cert_file_installed(host, cert_file):
os = host.system_info.distribution
- if os == "centos":
+ if (os == "centos"):
f = host.file('/etc/pki/ca-trust/source/anchors/' + cert_file)
+ if (os == "ubuntu"):
+ f = host.file('/usr/local/share/ca-certificates/' + cert_file)
assert f.exists
assert f.user == 'root'
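Review bot: If `host.system_info.distribution` is neither "centos" nor "ubuntu", `f` is never bound and the test dies with an unclear NameError on the `assert f.exists` line instead of a message naming the unsupported distribution. Turn the second `if` into an `elif` and add an explicit failure branch: `elif os == "ubuntu":` … `else:` / `raise AssertionError("unsupported distribution: " + os)`. The redundant parentheses around the conditions (`if (os == "centos"):`) are not idiomatic Python; flake8 will not flag them, but `if os == "centos":` reads cleaner. The rest of `test_cert_file_installed` continues past the hunk.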
diff --git a/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py b/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py
index 56b12935..6a0aec03 100644
--- a/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py
+++ b/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py
@@ -27,7 +27,13 @@ def test_generated_cert_files_copied_to_infra(host, cert_file, group_vars):
assert f.user == 'root'
assert f.group == 'root'
+ os = host.system_info.distribution
+ if (os == "centos"):
+ node_directory = "certs/"
+ elif (os == "ubuntu"):
+ node_directory = "../default/certs/"
+
# Verify cert files content locally is as in node
- with open("certs/" + cert_file) as local_cert_file:
+ with open(node_directory + cert_file) as local_cert_file:
local_content = local_cert_file.read().strip()
assert local_content == f.content_string
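Review bot: `node_directory` is only assigned in the centos and ubuntu branches, so any other distribution reaches the `open()` call with an unbound name; add `else:` / `raise AssertionError("unsupported distribution: " + os)` after the `elif`. The ubuntu branch reads the locally generated certs from `../default/certs/`, which seems to assume the ubuntu scenario is run from `molecule/ubuntu` with the converge playbook living in `molecule/default` (and so `playbook_dir` pointing there); that assumption is worth a comment, e.g. `# ubuntu scenario reuses ../default/playbook.yml, so certs land in default/certs`. Note that the new `.gitignore` in `molecule/ubuntu` ignores `certs/` there, which suggests an earlier expectation that certs would be written under the ubuntu scenario dir — confirm which location is correct. `test_generated_cert_files_copied_to_infra` starts before the hunk.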
diff --git a/ansible/roles/certificates/molecule/ubuntu/.gitignore b/ansible/roles/certificates/molecule/ubuntu/.gitignore
new file mode 100644
index 00000000..df912870
--- /dev/null
+++ b/ansible/roles/certificates/molecule/ubuntu/.gitignore
@@ -0,0 +1 @@
+certs/
diff --git a/ansible/roles/certificates/molecule/ubuntu/group_vars b/ansible/roles/certificates/molecule/ubuntu/group_vars
new file mode 120000
index 00000000..5ce8257f
--- /dev/null
+++ b/ansible/roles/certificates/molecule/ubuntu/group_vars
@@ -0,0 +1 @@
+../default/group_vars/ \ No newline at end of file
diff --git a/ansible/roles/certificates/molecule/ubuntu/host_vars b/ansible/roles/certificates/molecule/ubuntu/host_vars
new file mode 120000
index 00000000..a7046132
--- /dev/null
+++ b/ansible/roles/certificates/molecule/ubuntu/host_vars
@@ -0,0 +1 @@
+../default/host_vars/ \ No newline at end of file
diff --git a/ansible/roles/certificates/molecule/ubuntu/molecule.yml b/ansible/roles/certificates/molecule/ubuntu/molecule.yml
new file mode 100644
index 00000000..051379df
--- /dev/null
+++ b/ansible/roles/certificates/molecule/ubuntu/molecule.yml
@@ -0,0 +1,69 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: infrastructure-server
+ image: molecule-${PREBUILD_PLATFORM_DISTRO:-ubuntu}:${PREBUILD_DISTRO_VERSION:-18.04}
+ pre_build_image: true
+ privileged: true
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ groups:
+ - infrastructure
+ - name: kubernetes-node-1
+ image: molecule-${PREBUILD_PLATFORM_DISTRO:-ubuntu}:${PREBUILD_DISTRO_VERSION:-18.04}
+ pre_build_image: true
+ privileged: true
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ groups:
+ - kubernetes
+provisioner:
+ name: ansible
+ log: true
+ lint:
+ name: ansible-lint
+ env:
+ ANSIBLE_ROLES_PATH: ../../../../test/roles
+ ANSIBLE_LIBRARY: ../../../../library
+ playbooks:
+ converge: ../default/playbook.yml
+ inventory:
+ links:
+ group_vars: ../../../../group_vars/
+scenario:
+ name: ubuntu
+ test_sequence:
+ - lint
+ - cleanup
+ - destroy
+ - dependency
+ - syntax
+ - create
+ - prepare
+ - converge
+ # - idempotence
+ # --> Action: 'idempotence'
+ # ERROR: Idempotence test failed because of the following tasks:
+ # * [infrastructure-server -> localhost] => certificates : Generate an OpenSSL CSR.
+ # * [infrastructure-server -> localhost] => certificates : Generate root CA certificate
+ # * [infrastructure-server] => certificates : Upload certificates to infrastructure server
+ # * [infrastructure-server] => certificates : Copy root certificate
+ # * [infrastructure-server] => certificates : Extract root certificate
+ # * [infrastructure-server] => docker : Setup docker dns settings
+ # * [kubernetes-node-1] => certificates : Copy root certificate
+ # * [kubernetes-node-1] => certificates : Extract root certificate
+ # * [kubernetes-node-1] => certificates : Extract root certificate
+ - side_effect
+ - verify
+ - cleanup
+ - destroy
+verifier:
+ name: testinfra
+ options:
+ verbose: true
+ lint:
+ name: flake8
+ directory: ../default/tests
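Review bot: The commented-out `idempotence` step records that a second run regenerates the root CA and CSR and re-pushes them to every node, which means each converge produces a new trust anchor rather than proving the role is stable; disabling the check hides that rather than fixing it. At minimum the scenario should carry a comment on why this is accepted for now (e.g. `# idempotence disabled: role regenerates certs when playbook_dir/certs is absent — see defaults/main.yml`) and ideally a tracking reference, and the same step should be re-enabled once the cert generation is made conditional. Both platforms are started with `privileged: true`; this is presumably needed because the handler restarts Docker inside the container, but that is worth stating in a comment next to each entry since a privileged container is a broad grant for a CA-install test.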
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml
index df50b693..d73446b4 100644
--- a/ansible/roles/certificates/tasks/upload_root_ca.yml
+++ b/ansible/roles/certificates/tasks/upload_root_ca.yml
@@ -2,6 +2,6 @@
- name: Copy root certificate
copy:
src: "{{ certificates_local_dir }}/rootCA.crt"
- dest: /etc/pki/ca-trust/source/anchors/
+ dest: "{{ root_ca_path[ansible_os_family] }}"
notify: # handler is triggered just when file is changed
- Extract root certificate
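Review bot: The copy task does not pin `owner`, `group` or `mode` on the installed trust anchor, so ownership and permissions follow the remote user and umask; the testinfra tests assert `root:root`, which only holds because the play happens to run as root. A file in the system trust store should be explicitly root-owned and not writable by others, so add `owner: root`, `group: root`, `mode: "0644"`. The new `root_ca_path[ansible_os_family]` lookup also fails with an undefined-variable error on any OS family other than RedHat or Debian, after other tasks have already run; an `assert` before the copy gives a clear early failure.

```yaml
- name: Check that the OS family has a trust-store path
  assert:
    that: ansible_os_family in root_ca_path
    msg: "No root_ca_path defined for OS family {{ ansible_os_family }}"

- name: Copy root certificate
  copy:
    src: "{{ certificates_local_dir }}/rootCA.crt"
    dest: "{{ root_ca_path[ansible_os_family] }}"
    owner: root
    group: root
    mode: "0644"
  # … unchanged: notify Extract root certificate …
```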