Refactor role to support CRL #5
Conversation
Previous design was assuming you were storing a CA in ansible vault and just spinning off CSRs remotely, pulling those back and signing them, then ignoring the local environment completely (besides private CA key purge). This was all well and good but does not play nicely with an environment where you are tracking CA attributes such as serial numbers and MORE importantly revocation data. This big commit tries to rework the tasks to allow such a scenario. It doesn't set that up but if it detects you are trying to run under a long-running CA folder (by looking for a crl.pem ), a different task will kick off that will allow you to sign a CSR and also continue track that data locally. PHEW isn't openssl fun!!? :|
Helps when you are trying to utilize tags to call out specific bits for testing.
tasks/main.yml
Outdated
| content: "{{ openssl_node_ca_cert_sign.ca_pub_key }}" | ||
| register: copy_ca_certs | ||
|
|
||
| - name: Update system CA store | ||
| command: update-ca-certificates | ||
| when: copy_ca_certs.changed | ||
| when: | ||
| - copy_ca_certs.changed |
There was a problem hiding this comment.
Nit: should be copy_ca_certs|changed
There was a problem hiding this comment.
Clean implementation and good documentation of changes. Requested edit for |changed filter use.
Also consider using the tempfile Ansible module for managing the temporary directories. Not blocking merge for that, though.
I've made this good a few times in the past where it comes to bite me. The changed filter provides better error handling in say, the situation where the changed field doesnt even exist :)
✔️ Addressed that in
That's a good call. I made a ticket to address that in #7. Thanks for not blocking on that yet. I'd like to get CI wired up ( #6 ) before I do that to make sure I don't have any regressions. |
I ❤️ rainy-day issues! |
Did some tweaking to allow running this role under a persistent CA environment which is necessary to support things like CRL, and serial number tracking.
Previous design was assuming you were storing a CA in ansible vault and
just spinning off CSRs remotely, pulling those back and signing them, then
ignoring the local environment completely (besides private CA key purge).
This was all well and good but does not play nicely with an environment
where you are tracking CA attributes such as serial numbers and MORE
importantly revocation data.
This big commit tries to rework the tasks to allow such a scenario. It
doesn't set that up but if it detects you are trying to run under a
long-running CA folder (by looking for a crl.pem ), a different task will
kick off that will allow you to sign a CSR and also continue track that
data locally.