From 9108a8953f9d216d4e65d86e794a33805d08c966 Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Thu, 24 Feb 2022 09:32:58 +0000 Subject: [PATCH] Refactor conditional generation of CA and certificates This was previously spread around the code as 'when:' clauses on ansible tasks. This patch refactors the conditional code to be entirely within the dynamic generation of variables in vars/main.yml. Any elements from the default or discovered CA or certificate lists which have condition=false are removed, so no conditionals are required elsewhere in the code. pki_authorities and pki_certificates are defined as empty lists in the ansible defaults to further reduce the need for the use of default() in the rest of the role. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/830806 Change-Id: Iea809406b1d4140b985fcb038663ae0257336463 --- defaults/main.yml | 15 +++++++--- tasks/main_ca.yml | 2 +- tasks/main_ca_install.yml | 2 +- tasks/main_certs.yml | 5 ++-- tasks/standalone/install_ca.yml | 4 +-- vars/main.yml | 50 ++++++++++++++++++++------------- 6 files changed, 46 insertions(+), 32 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 102402b..29c7cb3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -14,8 +14,10 @@ # limitations under the License. # CA certificates to create -# Setting this variable will disable searching for other vars containing authorities -# pki_authorities: [] +pki_authorities: [] + +# Global enable/disable of CA generation +pki_create_ca: true # Variable name pattern to search ansible vars for other authority definitions pki_search_authorities_pattern: "pki_authorities_" @@ -64,6 +66,9 @@ pki_search_authorities_pattern: "pki_authorities_" # pki_install_ca: [] +# Variable name pattern to search ansible vars for other certificate definitions +pki_search_install_ca_pattern: "pki_install_ca_" + # set this to the name of a CA to regenerate, or to 'true' to regenerate all pki_regen_ca: '' 
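Review bot: `pki_create_ca: true` is introduced as the global CA-generation switch, but no hunk in this patch reads it, so unless a task outside the diff consumes it the knob is inert; if it is meant to gate CA creation, wrapping the rendered list in `_pki_ca_defs` with `{% if pki_create_ca | bool %}` would make that explicit. The comment that said setting `pki_authorities` disables the variable search was dropped without a replacement, yet the new `_pki_ca_defs` in vars/main.yml always appends the `pki_search_authorities_pattern` hits to the list, so the default should say so: `# CA certificates to create; definitions found via pki_search_authorities_pattern are appended to this list`. The same documentation gap applies to `pki_certificates: []` in the `@@ -73,8 +78,7 @@` hunk.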
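Review bot: The comment added above `pki_search_install_ca_pattern` is copied from the certificate variable and talks about "other certificate definitions", although this pattern discovers CA installation entries; change it to `# Variable name pattern to search ansible vars for other CA installation definitions`. The comment above `pki_search_install_certificates_pattern` in the `@@ -120,6 +124,9 @@` hunk has the same wording and should read "other certificate installation definitions", so the two install patterns are distinguishable from the create patterns when someone greps the defaults.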
@@ -73,8 +78,7 @@ pki_trust_store_location: dnf: /etc/pki/ca-trust/source/anchors/ # Server certificates to create -# Setting this variable will disable searching for other vars containing certificates -# pki_certificates: [] +pki_certificates: [] # Variable name pattern to search ansible vars for other certificate definitions pki_search_certificates_pattern: "pki_certificates_" @@ -120,6 +124,9 @@ pki_cert_dirs: "{{ _pki_cert_dirs }}" # certificates to install pki_install_certificates: [] +# Variable name pattern to search ansible vars for other certificate definitions +pki_search_install_certificates_pattern: "pki_install_certificates_" + # Example variable for installation of server certificates with optional user supplied cert override # pki_install_certificates: # # server certificate diff --git a/tasks/main_ca.yml b/tasks/main_ca.yml index 2dfb5fc..60a389e 100644 --- a/tasks/main_ca.yml +++ b/tasks/main_ca.yml @@ -30,7 +30,7 @@ - name: Create certificate authorities include_tasks: "{{ pki_method }}/create_ca.yml" - loop: "{{ pki_ca_defs }}" + loop: "{{ _pki_ca_defs }}" loop_control: loop_var: ca vars: diff --git a/tasks/main_ca_install.yml b/tasks/main_ca_install.yml index 741faee..b2b8f19 100644 --- a/tasks/main_ca_install.yml +++ b/tasks/main_ca_install.yml @@ -19,4 +19,4 @@ - name: Install certificate authorities include_tasks: "{{ pki_method }}/install_ca.yml" - when: pki_install_ca | length > 0 + when: _pki_install_ca_defs | length > 0 diff --git a/tasks/main_certs.yml b/tasks/main_certs.yml index 97fb34f..f43b470 100644 --- a/tasks/main_certs.yml +++ b/tasks/main_certs.yml @@ -31,7 +31,7 @@ - name: Create Server certificates include_tasks: "{{ pki_method }}/create_cert.yml" - loop: "{{ pki_cert_defs }}" + loop: "{{ _pki_certificates_defs }}" loop_control: loop_var: cert vars: 
@@ -44,8 +44,7 @@ slurp: src: "{{ item.src }}" register: _cert_slurp - loop: "{{ pki_install_certificates | default([]) }}" - when: item.condition | default('True') + loop: "{{ _pki_install_certificates_defs }}" - name: Create certificate destination directories file: diff --git a/tasks/standalone/install_ca.yml b/tasks/standalone/install_ca.yml index 2d4bd29..d12f285 100644 --- a/tasks/standalone/install_ca.yml +++ b/tasks/standalone/install_ca.yml @@ -19,9 +19,7 @@ src: "{{ item.src | default(pki_dir ~ '/roots/' ~ item.name ~ '/certs/' ~ item.name ~ '.crt') }}" register: _ca_slurp run_once: true - when: - - (item.condition is defined and item.condition | bool) or (item.condition is not defined) - loop: "{{ pki_install_ca }}" + loop: "{{ _pki_install_ca_defs }}" - name: Copy CA certificates to target host copy: diff --git a/vars/main.yml b/vars/main.yml index c69f54a..dd9ea8c 100644 --- a/vars/main.yml +++ b/vars/main.yml 
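Review bot: The removed `when` in tasks/standalone/install_ca.yml coerced `item.condition` with `| bool`, and the one removed from tasks/main_certs.yml treated an absent condition as `'True'`; the only gate left is `rejectattr('condition', 'false')` in vars/main.yml, and Jinja's `false` test is an identity check for the boolean `False`. A quoted value such as `condition: "no"`, which the old tasks excluded, is not boolean `False`, so that CA would now be copied into the trust store and that certificate deployed. I would do the coercion inside the vars blocks instead of the filter, as below for `_pki_install_ca_defs`, and apply the same shape to the other three lists; whether Ansible already converts templated string conditions to booleans before the filter sees them depends on the templating settings, so the explicit `| bool` removes the doubt.
```yaml
_pki_install_ca_defs: |-
  {% set _cas = pki_install_ca %}
  {# … unchanged: search-pattern loop extending _cas … #}
  {% set _enabled = [] %}
  {% for _ca in _cas if _ca.condition | default(true) | bool %}
  {% set _ = _enabled.append(_ca) %}
  {% endfor %}
  {{ _enabled }}
```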
@@ -14,27 +14,37 @@ # limitations under the License. # Gather CA definitions from hostvars -pki_ca_defs: |- - {% if pki_authorities is defined %} - {% set _cas = pki_authorities %} - {% else %} - {% set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_authorities_pattern ~ '.*') %} - {% set _cas = [] %} - {% for _ca in _ca_search_hits | default([]) %} - {% set _ = _cas.extend(lookup('vars', _ca)) %} - {% endfor %} - {% endif %} +_pki_ca_defs: |- + {% set _cas = pki_authorities %} + {% set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_authorities_pattern ~ '.*') %} + {% for _ca in _ca_search_hits | default([]) %} + {% set _ = _cas.extend(lookup('vars', _ca)) %} + {% endfor %} + {{ _cas | rejectattr('condition', 'false') }} + +# Gather CA installation definitions from hostvars +_pki_install_ca_defs: |- + {% set _cas = pki_install_ca %} + {% set _ca_search_hits = vars.keys() | select('match', '^' ~ pki_search_install_ca_pattern ~ '.*') %} + {% for _ca in _ca_search_hits | default([]) %} + {% set _ = _cas.extend(lookup('vars', _ca)) %} + {% endfor %} {{ _cas | rejectattr('condition', 'false') }} # Gather certificate definitions from hostvars -pki_cert_defs: |- - {% if pki_certificates is defined %} - {% set _certs = pki_certificates %} - {% else %} - {% set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_certificates_pattern ~ '.*') %} - {% set _certs = [] %} - {% for _cert in _cert_search_hits | default([]) %} - {% set _ = _certs.extend(lookup('vars', _cert)) %} - {% endfor %} - {% endif %} +_pki_certificates_defs: | + {% set _certs = pki_certificates %} + {% set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_certificates_pattern ~ '.*') %} + {% for _cert in _cert_search_hits | default([]) %} + {% set _ = _certs.extend(lookup('vars', _cert)) %} + {% endfor %} + {{ _certs | rejectattr('condition', 'false') }} + +# Gather certificate installation definitions from hostvars 
+_pki_install_certificates_defs: | + {% set _certs = pki_install_certificates %} + {% set _cert_search_hits = vars.keys() | select('match', '^' ~ pki_search_install_certificates_pattern ~ '.*') %} + {% for _cert in _cert_search_hits | default([]) %} + {% set _ = _certs.extend(lookup('vars', _cert)) %} + {% endfor %} {{ _certs | rejectattr('condition', 'false') }}
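Review bot: `{% set _cas = pki_authorities %}` followed by `_cas.extend(...)` appends the discovered definitions into whatever object `pki_authorities` is bound to rather than into a scratch list, which the removed `{% set _cas = [] %}` branch avoided; whether that object is shared between evaluations depends on how Ansible materialises the variable, so copying first, `{% set _cas = pki_authorities | list %}`, sidesteps the question, and the same applies to `pki_install_ca`, `pki_certificates` and `pki_install_certificates`. The two certificate blocks use `|` while the two CA blocks, and the old `pki_cert_defs`, use `|-`, so their rendered value ends with a newline that the conversion back to a list may or may not strip; use `|-` for all four. The search loops guard `_ca_search_hits | default([])` even though `vars.keys() | select(...)` cannot be undefined, and a one-line `{# #}` comment per block stating that search hits are appended to the explicit list would help the next reader more than that default.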