Fix lint errors
This patch fixes all lint errors to get the linter gate passing again. Change-Id: I13b1f3fbffae4b75472ef3edae73a701b4d4972d
This commit is contained in:
parent
26da379c3a
commit
60bc79198d
@ -1,41 +1,42 @@
|
||||
---
|
||||
- name: Create working directory
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ lunasa_client_working_dir }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
mode: '755'
|
||||
|
||||
- name: Download Lunasa client tarball
|
||||
get_url:
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ lunasa_client_tarball_location }}"
|
||||
dest: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}"
|
||||
force: no
|
||||
mode: '644'
|
||||
force: false
|
||||
|
||||
- name: Unpack tarball to working directory # noqa 208
|
||||
unarchive:
|
||||
- name: Unpack tarball to working directory
|
||||
ansible.builtin.unarchive:
|
||||
src: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}"
|
||||
dest: "{{ lunasa_client_working_dir }}"
|
||||
creates: "{{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }}"
|
||||
remote_src: yes
|
||||
mode: '644'
|
||||
remote_src: true
|
||||
|
||||
- name: Run the install.sh script
|
||||
shell: |
|
||||
set -o pipefail && echo y | {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} \
|
||||
-p sa -c sdk
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail && echo y | {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} -p sa -c sdk
|
||||
args:
|
||||
creates: /usr/lib/libCryptoki2_64.so
|
||||
become: true
|
||||
|
||||
- name: set client facts for fqdn
|
||||
set_fact:
|
||||
- name: Set client facts for fqdn
|
||||
ansible.builtin.set_fact:
|
||||
client_name: "{{ ansible_facts['fqdn'] }}"
|
||||
client_reg_opt: "-hostname"
|
||||
client_host: "{{ ansible_facts['fqdn'] }}"
|
||||
client_cert_cn: "{{ inventory_hostname }}"
|
||||
when: lunasa_client_ip is undefined
|
||||
|
||||
- name: set client facts for IP override
|
||||
set_fact:
|
||||
- name: Set client facts for IP override
|
||||
ansible.builtin.set_fact:
|
||||
client_name: "{{ ansible_facts['fqdn'] }}"
|
||||
client_reg_opt: "-ip"
|
||||
client_host: "{{ lunasa_client_ip }}"
|
||||
@ -43,46 +44,47 @@
|
||||
when: lunasa_client_ip is defined
|
||||
|
||||
- name: Check for existing client cert
|
||||
stat:
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem"
|
||||
register: client_cert
|
||||
|
||||
- name: Generate a new client cert for NTL
|
||||
command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ client_cert_cn }}"
|
||||
ansible.builtin.command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ client_cert_cn }}"
|
||||
become: true
|
||||
register: created_cert
|
||||
when: not client_cert.stat.exists or lunasa_client_rotate_cert
|
||||
|
||||
- name: Note when a new cert is created
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
client_new_cert: "{{ created_cert.changed }}"
|
||||
|
||||
- name: register the client on each HSM
|
||||
include_tasks: register_client.yaml
|
||||
- name: Register the client on each HSM
|
||||
ansible.builtin.include_tasks: register_client.yaml
|
||||
vars:
|
||||
hsm_hostname: "{{ item.hostname }}"
|
||||
hsm_admin_password: "{{ item.admin_password }}"
|
||||
hsm_partition: "{{ item.partition }}"
|
||||
loop: "{{ lunasa_hsms }}"
|
||||
|
||||
- name: verify the NTL connection
|
||||
command: /usr/safenet/lunaclient/bin/vtl verify
|
||||
- name: Verify the NTL connection
|
||||
ansible.builtin.command: /usr/safenet/lunaclient/bin/vtl verify
|
||||
become: true
|
||||
register: vtl_verify
|
||||
|
||||
- name: Fail if NTL connection doesn't verify
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: >
|
||||
ERROR: 'vtl verify' failed. This is commonly due to network NAT between
|
||||
the client and the HSM. Try disabling client IP checking in the HSM
|
||||
when: "'Error: Unable to find any Luna SA slots/partitions' in vtl_verify.stdout"
|
||||
|
||||
- name: create hsm ha partition
|
||||
- name: Create hsm ha partition
|
||||
when: lunasa_hsms | length > 1
|
||||
become: true
|
||||
block:
|
||||
- name: create ha partition
|
||||
shell: |
|
||||
- name: Create ha partition
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail
|
||||
echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup createGroup \
|
||||
-label {{ lunasa_ha_label }} \
|
||||
-serialNumber {{ lunasa_hsms[0].partition_serial }} \
|
||||
@ -92,15 +94,16 @@
|
||||
- "'Command Result : No Error' not in result.stdout"
|
||||
- "'for the new group has already been used' not in result.stdout"
|
||||
|
||||
- name: add other hsms to the ha group
|
||||
shell: |
|
||||
- name: Add other hsms to the ha group
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail
|
||||
echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \
|
||||
-group {{ lunasa_ha_label }} \
|
||||
-serialNumber {{ item.partition_serial }} \
|
||||
-password {{ lunasa_client_pin }}
|
||||
loop: "{{ lunasa_hsms }}"
|
||||
loop_control:
|
||||
extended: yes
|
||||
extended: true
|
||||
when: not ansible_loop.first
|
||||
register: result
|
||||
failed_when:
|
||||
@ -108,7 +111,7 @@
|
||||
- "'The member you specified is already part of an' not in result.stdout"
|
||||
|
||||
- name: Check the HA group
|
||||
expect:
|
||||
ansible.builtin.expect:
|
||||
command: /usr/safenet/lunaclient/bin/lunacm -c hagroup listgroups
|
||||
responses:
|
||||
password: "\r"
|
||||
@ -116,14 +119,14 @@
|
||||
failed_when: "'Command Result : No Error' not in result.stdout"
|
||||
|
||||
- name: Register the HA Slot ID
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail && echo "{{ result.stdout }}" | grep 'HA Group Slot ID' | awk '{ print $NF }'
|
||||
register: slot_result
|
||||
|
||||
- name: Set HA Slot fact for use by the playbook calling this role
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
lunasa_ha_slot: "{{ slot_result.stdout }}"
|
||||
|
||||
- name: Log the HA Slot ID used
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
var: lunasa_ha_slot
|
||||
|
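Review bot: In `Add other hsms to the ha group` the partition PIN is passed as `-password {{ lunasa_client_pin }}` on the lunacm command line and the task sets no `no_log`, so the PIN is visible in the client's process list while the command runs and is printed in the task's `cmd` field under `-v` or `log_path`; `Create ha partition` appears to take the same argument but its body is cut off by the hunk. Add `no_log: true` to both tasks — `result` is only consumed by `failed_when`, so nothing is lost. Two smaller points in the same file: `ansible.builtin.get_url` in `Download Lunasa client tarball` has no `checksum:` although the unpacked installer is executed as root by `Run the install.sh script`, so a `checksum: "sha256:..."` taken from a vendored digest would close the tampered-download case, and `set -o pipefail` in the `ansible.builtin.shell` tasks runs under the remote `/bin/sh`, which fails outright on dash builds without pipefail support, so pair it with `args: {executable: /bin/bash}` (the lint rule is satisfied either way). Also confirm that the new `mode: '644'` on `Unpack tarball to working directory` is not applied to the extracted installer, which the next task executes directly.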
@ -1,10 +1,10 @@
|
||||
---
|
||||
- name: Log when client is being registered to HSM
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "Registering client: {{ client_name }} [host: {{ client_host }}, CN: {{ client_cert_cn }}] with HSM: {{ hsm_hostname }}"
|
||||
|
||||
- name: Get the hsm server cert from the hsm_server
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
sshpass -p '{{ hsm_admin_password }}'
|
||||
scp -o StrictHostKeyChecking=false -c aes256-cbc
|
||||
admin@{{ hsm_hostname }}:server.pem
|
||||
@ -14,7 +14,7 @@
|
||||
become: true
|
||||
|
||||
- name: Register the HSM server cert with the client
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
/usr/safenet/lunaclient/bin/vtl addServer -n {{ hsm_hostname }}
|
||||
-c /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
|
||||
register: add_server
|
||||
@ -24,14 +24,14 @@
|
||||
- '"This server is already registered" not in add_server.stdout'
|
||||
|
||||
- name: Check for existing clients
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
sshpass -p '{{ hsm_admin_password }}'
|
||||
ssh -o StrictHostKeyChecking=false -c aes256-cbc admin@{{ hsm_hostname }}
|
||||
-C client list
|
||||
register: client_list
|
||||
|
||||
- name: Fail if client is already registered, but we don't have that cert
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Client: {{ client_name }} is already registered, but the client cert is missing!"
|
||||
when:
|
||||
- client_name in client_list.stdout
|
||||
@ -39,7 +39,7 @@
|
||||
- not lunasa_client_rotate_cert
|
||||
|
||||
- name: Delete existing client when rotating certs
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }}
|
||||
-C "client delete -f -c {{ client_name }}"
|
||||
when:
|
||||
@ -47,26 +47,26 @@
|
||||
- lunasa_client_rotate_cert
|
||||
|
||||
- name: Register the client certificate on the hsm_server
|
||||
become: true
|
||||
when: client_name not in client_list.stdout or lunasa_client_rotate_cert
|
||||
block:
|
||||
- name: Copy the NTL client cert to the HSM
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
sshpass -p '{{ hsm_admin_password }}' scp -c aes256-cbc
|
||||
/usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
|
||||
admin@{{ hsm_hostname }}:{{ client_host }}.pem
|
||||
|
||||
- name: Register the client
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }}
|
||||
-C "client register -c {{ client_name }} {{ client_reg_opt }} {{ client_host }}"
|
||||
register: client_register
|
||||
failed_when:
|
||||
- client_register.rc != 0
|
||||
- "'client with the same IP address has already been registered' not in client_register.stdout"
|
||||
become: true
|
||||
when: client_name not in client_list.stdout or lunasa_client_rotate_cert
|
||||
|
||||
- name: Assign client to an HSM partition
|
||||
shell: |
|
||||
ansible.builtin.shell: |
|
||||
sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }} \
|
||||
-C "client assignPartition -c {{ client_name }} -p {{ hsm_partition }}"
|
||||
register: assign_partition
|
||||
@ -74,4 +74,3 @@
|
||||
- assign_partition.rc != 0
|
||||
- "'client already has access' not in assign_partition.stdout"
|
||||
become: true
|
||||
|
||||
|
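Review bot: `Get the hsm server cert from the hsm_server` and `Check for existing clients` pass `-o StrictHostKeyChecking=false`, which disables host-key verification on the very connection that fetches `server.pem` — the trust anchor `Register the HSM server cert with the client` then installs via `vtl addServer` — so anyone who can answer for `{{ hsm_hostname }}` on the path can hand the client a server cert of their choosing and receive the admin password and the client cert; the later `ssh`/`scp` calls in this file omit the option, but OpenSSH will normally have cached whatever key the first connection accepted. Pin the appliance key instead: an `ansible.builtin.known_hosts` task with the HSM's public key before this file is included, and `-o StrictHostKeyChecking=yes` on these commands. Separately, `sshpass -p '{{ hsm_admin_password }}'` puts the admin password on argv (visible in `ps`) and in the registered `cmd` of `client_list`, `client_register` and `assign_partition`, and none of these tasks set `no_log`; prefer `sshpass -e` with `environment: {SSHPASS: "{{ hsm_admin_password }}"}` plus `no_log: true`. `-c aes256-cbc` forces a CBC cipher that current OpenSSH clients do not enable by default; if the appliance genuinely requires it, a one-line comment saying so would stop someone "fixing" it later.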
@ -1,8 +1,9 @@
|
||||
---
|
||||
- name: Delete clients from HSM
|
||||
shell: >
|
||||
ansible.builtin.shell: >
|
||||
sshpass -p '{{ item.admin_password }}' ssh -o StrictHostKeyChecking=false
|
||||
-c aes256-cbc admin@{{ item.hostname }}
|
||||
-C "client delete -f -c {{ client_name }}"
|
||||
loop: "{{ lunasa_hsms }}"
|
||||
ignore_errors: true
|
||||
register: ignore_errors_register
|
||||
|
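Review bot: `loop: "{{ lunasa_hsms }}"` iterates over items that carry `admin_password`, and `Delete clients from HSM` has neither `no_log: true` nor a `loop_control: label:`, so Ansible echoes every item — password included — in each iteration's result on the console and in any configured `log_path`; `no_log: true` is the minimum here. `ignore_errors: true` then swallows every failure, and `register: ignore_errors_register` exists only to satisfy the lint rule (nothing reads it), so a host being decommissioned can leave its client cert registered and partition-assigned on an appliance with no signal in the play. Replace the blanket ignore with a `failed_when` that tolerates only the already-deleted case, e.g. `register: client_delete` and `failed_when: client_delete.rc != 0 and '<unknown-client message>' not in client_delete.stdout`, with the string taken from what lunash actually prints for a client that does not exist. As in the other task files, `sshpass -p` exposes the password on argv and `-o StrictHostKeyChecking=false` skips host-key verification of the appliance.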