maxhoesel-ansible · maxhoesel · Jul 23, 2023 · maxhoesel · Aug 1, 2023
@@ -148,21 +148,14 @@ This role will only decrypt the root key for as long as strictly neccessary.
 
 ---
 
-##### `step_ca_existing_<root/key>`
-- Whether to use an existing root certificate/key and if so from where to import it from
-- Choices:
-    - `remote`: The root certificate/key is already present on the remote host
-    - `local`: The root certificate/key is read from the controller
-- Note that both cert and key need to be either imported, **or** generated.
-  For example, you cannot import the key but generate the certificate
-- Default: Not set.
-    - If unset and `_root/key_file` is also unset, a new certificate will be generated
-    - If unset and `_root/key_file` is set, the files are treated as `remote` to preserve backwards-compatibility to previous collection versions.
-      This behavior may be removed in a future release
-
 ##### `step_ca_existing_<root/key>_file`
 - The path of an existing PEM file to be used as the root certificate/key
-- Depending on the value of `step_ca_existing_<root/key>`, the file must either be on the remote host or the controller
+- If the file is present on the controller instead of the target node, set `step_ca_existing_<root/key>_is_local`, to `true`.
+- Default: not set (will generate a new certificate)
+
+##### `step_ca_existing_<root/key>_is_local`
+- Set to `true` if the file is present on the controller and needs to be copied
+- Default: `false`
 
 ##### `step_ca_existing_key_password`
 - Password to decrypt the existing key file
@@ -171,13 +164,12 @@ This role will only decrypt the root key for as long as strictly neccessary.
 Example usage:
 
 ```yaml
-# Select where to import the root certificate from. Can be `remote`, `local`, `false`
-step_ca_existing_root: remote
+# Import the root certificate from the target node
 step_ca_existing_root_file: /tmp/existing-ca-root.crt
 
 # Same for the key, except that the key is read from the controller
-step_ca_existing_key: local
 step_ca_existing_key_file: /home/controller/secret-ca-key.pem
+step_ca_existing_key_is_local: true
 # If your keyfile is password-protected, you can set the decryption password like so:
 step_ca_existing_key_password: Very-secret-password
 ```

@@ -11,14 +11,14 @@ step_ca_path: /etc/step-ca
 #step_ca_intermediate_password:
 step_ca_dns: "{{ ansible_fqdn }},{{ ansible_default_ipv4.address }}"
 step_ca_address: ":443"
+#step_ca_url:
+step_ca_ssh: false
 
-#step_ca_existing_root:
-#step_ca_existing_key:
 #step_ca_existing_root_file:
+step_ca_existing_root_file_is_local: false
 #step_ca_existing_key_file:
+step_ca_existing_key_file_is_local: false
 #step_ca_existing_key_password:
-#step_ca_url:
-step_ca_ssh: false
 
 #step_ca_ra:
 #step_ca_ra_issuer:

@@ -115,34 +115,29 @@ argument_specs:
         default: no
         description: Create keys to sign SSH certificates
       # Existing cert options
-      step_ca_existing_root:
-        type: str
-        choices:
-          - remote
-          - local
-        description: Whether to use an existing root certificate and if so from where to import it from
-      step_ca_existing_key:
-        type: str
-        choices:
-          - remote
-          - local
-        description:
-          - Whether to use an existing root key and if so from where to import it from
-          - Note that both cert and key need to be either imported, B(or) generated. For example, you cannot import the key but generate the certificate
-          - Note that if this is unset and I(step_ca_existing_root/key_file) is set, the files are treated as C(remote) to preserve backwards-compatibility to previous collection versions. This behavior may be removed in a future release
-      step_ca_existing_key_password:
-        type: str
-        description: Password to decrypt the root key
       step_ca_existing_root_file:
         type: path
         description:
           - The path of an existing PEM file to be used as the root certificate authority
-          - Depending on the value of I(step_ca_existing_root), the file must either be on the remote host or the controller
+          - If the file is present on the controller instead of the target node, set I(step_ca_existing_root_file_is_local), to C(true).
       step_ca_existing_key_file:
         type: path
         description:
           - The path of an existing key file of the root certificate authority
-          - Depending on the value of I(step_ca_existing_key), the file must either be on the remote host or the controller
+          - If the file is present on the controller instead of the target node, set I(step_ca_existing_key_file_is_local), to C(true).
+      step_ca_existing_root_file_is_local:
+        type: bool
+        default: false
+        description:
+          - Set to C(true) if the file is present on the controller and needs to be copied
+      step_ca_existing_key_file_is_local:
+        type: bool
+        default: false
+        description:
+          - Set to C(true) if the file is present on the controller and needs to be copied
+      step_ca_existing_key_password:
+        type: str
+        description: Password to decrypt the root key
       # RA options
       step_ca_ra:
         type: str

@@ -73,6 +73,9 @@ platforms:
 
 
 provisioner:
+  playbooks:
+    converge: ../converge.yml
+    verify: ../verify.yml
   inventory:
     group_vars:
       ca:
@@ -82,9 +85,3 @@ provisioner:
         step_ca_intermediate_password: molecule-intermediate
         step_ca_path: /etc/step-ca-molecule
         step_ca_ssh: yes
-
-        step_ca_existing_root: local
-        step_ca_existing_root_file: files/molecule-ca.crt
-        step_ca_existing_key: local
-        step_ca_existing_key_file: files/molecule-ca.key
-        step_ca_existing_key_password: molecule
@@ -0,0 +1,93 @@
+platforms:
+  - name: step-ca-ubuntu-22
+    groups:
+      - ubuntu
+      - ca
+    image: "docker.io/geerlingguy/docker-ubuntu2204-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-ubuntu-20
+    groups:
+      - ubuntu
+      - ca
+    image: "docker.io/geerlingguy/docker-ubuntu2004-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-ubuntu-18
+    groups:
+      - ubuntu
+      - ca
+    image: "docker.io/geerlingguy/docker-ubuntu1804-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-debian-11
+    groups:
+      - debian
+      - ca
+    image: "docker.io/geerlingguy/docker-debian11-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-debian-10
+    groups:
+      - debian
+      - ca
+    image: "docker.io/geerlingguy/docker-debian10-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-rockylinux-9
+    groups:
+      - rockylinux
+      - ca
+    image: "docker.io/geerlingguy/docker-rockylinux9-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-rockylinux-8
+    groups:
+      - rockylinux
+      - ca
+    image: "docker.io/geerlingguy/docker-rockylinux8-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-fedora-36
+    groups:
+      - fedora
+      - ca
+    image: "docker.io/geerlingguy/docker-fedora36-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+
+provisioner:
+  playbooks:
+    converge: ../converge.yml
+    verify: ../verify.yml
+  inventory:
+    group_vars:
+      ca:
+        step_ca_name: Molecule Test CA
+        step_ca_user: step-ca-molecule
+        step_ca_root_password: molecule
+        step_ca_intermediate_password: molecule-intermediate
+        step_ca_path: /etc/step-ca-molecule
+        step_ca_ssh: yes
+
+        step_ca_existing_root_file_is_local: true
+        step_ca_existing_root_file: ../files/molecule-ca.crt
+        step_ca_existing_key_file_is_local: true
+        step_ca_existing_key_file: ../files/molecule-ca.key
+        step_ca_existing_key_password: wvTfbyADhoowLZp3RsJ9
@@ -0,0 +1,12 @@
+- hosts: "ubuntu:debian"
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+
+- hosts: rockylinux:fedora
+  tasks:
+    # Required to prevent issues with ansible_default_ipv4 missing
+    - name: Install iproute
+      package:
+        name: iproute
@@ -0,0 +1 @@
+../../../../tests/roles/requirements.txt
@@ -0,0 +1,91 @@
+platforms:
+  - name: step-ca-ubuntu-22
+    groups:
+      - ubuntu
+      - ca
+    image: "docker.io/geerlingguy/docker-ubuntu2204-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-ubuntu-20
+    groups:
+      - ubuntu
+      - ca
+    image: "docker.io/geerlingguy/docker-ubuntu2004-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-ubuntu-18
+    groups:
+      - ubuntu
+      - ca
+    image: "docker.io/geerlingguy/docker-ubuntu1804-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-debian-11
+    groups:
+      - debian
+      - ca
+    image: "docker.io/geerlingguy/docker-debian11-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-debian-10
+    groups:
+      - debian
+      - ca
+    image: "docker.io/geerlingguy/docker-debian10-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-rockylinux-9
+    groups:
+      - rockylinux
+      - ca
+    image: "docker.io/geerlingguy/docker-rockylinux9-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-rockylinux-8
+    groups:
+      - rockylinux
+      - ca
+    image: "docker.io/geerlingguy/docker-rockylinux8-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+  - name: step-ca-fedora-36
+    groups:
+      - fedora
+      - ca
+    image: "docker.io/geerlingguy/docker-fedora36-ansible"
+    systemd: always
+    override_command: false
+    pre_build_image: true
+
+
+provisioner:
+  playbooks:
+    converge: ../converge.yml
+    verify: ../verify.yml
+  inventory:
+    group_vars:
+      ca:
+        step_ca_name: Molecule Test CA
+        step_ca_user: step-ca-molecule
+        step_ca_root_password: molecule
+        step_ca_intermediate_password: molecule-intermediate
+        step_ca_path: /etc/step-ca-molecule
+        step_ca_ssh: yes
+
+        step_ca_existing_root_file: /tmp/molecule-ca.crt
+        step_ca_existing_key_file: /tmp/molecule-ca.key
+        step_ca_existing_key_password: wvTfbyADhoowLZp3RsJ9
@@ -0,0 +1,29 @@
+- hosts: "ubuntu:debian"
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+
+- hosts: rockylinux:fedora
+  tasks:
+    # Required to prevent issues with ansible_default_ipv4 missing
+    - name: Install iproute
+      package:
+        name: iproute
+
+- hosts: all
+  tasks:
+    - name: Root cert is present # noqa no-relative-paths
+      ansible.builtin.copy:
+        src: "../files/molecule-ca.crt"
+        dest: "{{ step_ca_existing_root_file }}"
+        owner: root
+        group: root
+        mode: "644"
+    - name: Root key is present # noqa no-relative-paths
+      ansible.builtin.copy:
+        src: "../files/molecule-ca.key"
+        dest: "{{ step_ca_existing_key_file }}"
+        owner: root
+        group: root
+        mode: "644"
@@ -0,0 +1 @@
+../../../../tests/roles/requirements.txt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARWgAwIBAgIQCjUjHu6fX22br9bhuK4VhzAKBggqhkjOPQQDAjAWMRQw
+EgYDVQQDEwttb2xlY3VsZS1jYTAeFw0yMzA3MjMxOTUwNTJaFw0zMzA3MjAxOTUw
+NTJaMBYxFDASBgNVBAMTC21vbGVjdWxlLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAE+U7gQ9km5B5Q+1wl+Yf8kEse6ze1UqiH1W7KrkBCCZI2i/rhL4goffLY
+oAOD4tnf81Jj2GF5egNxAdgTKrt01KNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud
+EwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFHY0q71xVuTRhW1pj4HL8bmSunnkMAoG
+CCqGSM49BAMCA0gAMEUCIGCnGMfqV8pUfF3Olr6OpakuuvlsvDdgEqqL/45/O9aD
+AiEAidGmtfwztdJ5b+cA8RTA9CVpPicKRZW7cdanpLU8CsE=
+-----END CERTIFICATE-----