Addition of ECS_Certificate Module #60883
Conversation
|
@ctrufan this PR contains the following merge commits: Please rebase your branch to remove these commits. |
ansibot
added
WIP
ctrufan
force-pushed
the
ecs_certificate_module
branch
from
c1466f2
to
eb0593d
Compare
ansibot
removed
merge_commit
|
The test The test The test The test The test |
ansibot
added
ci_verified
|
The test The test |
ansibot
added
ci_verified
|
The test |
ansibot
added
ci_verified
sivel
removed
the
needs_triage
ctrufan
force-pushed
the
ecs_certificate_module
branch
from
68da153
to
2691e49
Compare
|
The test The test The test |
ansibot
added
ci_verified
ansibot
removed
the
ci_verified
ansibot
added
core_review
|
@felixfontein |
No worries, that's totally fine! (Well, at least as long as you're very sure the comment is really addressed. If you're not sure, don't resolve it.) |
Co-Authored-By: Felix Fontein <felix@fontein.de>
|
For running the integration tests, I couldn't for the life of me get it to pick up on an integration_config.yml file - since I figured it was likely a config issue and not something that would require code changes, I ran tests with: cat integration_config.yml >> test/integration/targets/ecs_certificate/vars/main.yml Contents of integration_config are: Attached is the file output: |
|
In case the tests modify the system, you want to add |
I was running in a VM already, so there were no worries there. This does bring up an issue with the integration tests though - these ones can't run with --docker, because they need access to the cert/key files, and since the entire playbook runs from within the docker container, there's no way to get them to it (our internal molecule tests solve this by copying from the host to the docker VMs, as well as doing API calls delegated to localhost). Unless I'm missing something in the docker behavior, there's no way to push data from the host to the container, so I might have to refactor the variable to take in the full PEM string of cert/key, then write them to disk. |
|
Ah, in that case, don't ;-) |
|
@ctrufan thanks for contributing this module! |
|
Thank you for the reviews and input! Very appreciated, especially getting it in before 2.8. |
* Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file.
* Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file.
SUMMARY
Addition of a module to submit certificate requests to the Entrust Certificate Services API.
Supports various entrust specific parameters, such as specifying client ID or tracking information such as additional emails or custom fields.
If the certificate in 'path' is present but not an entrust certificate, it will be treated as not valid - expectation is that this allows for transitioning from self-signed/etc to Entrust issued certificates.
If the certificate present in path but is an Entrust certificate, whether or not a new one is requested is based on the days remaining and the value of 'force', similarly to how both openssl_certificate and acme_certificate behave.
The "tracking_id" parameter is the value to uniquely identify certificates in the ECS system, and is something customers would be familiar with if they needed to use it.
The ECS API supports two operations on existing certificates, 'RENEW' and 'REISSUE'. If the tracking_id parameter is used, this module can be used to 'adopt' an existing ECS certificate for management under Ansible - specifying a tracking_id means that it will download that certificate to path if it is a valid certificate, and if it is within remaining_days of expiration or the 'force' command is used, it can be reissued or renewed. This design decision was made to make it easier to migrate existing infrastructure to ansible, as many customers have internal setups that already keep track of the tracking_id of existing certificates that they could pass to an ansible playbook.
ISSUE TYPE
COMPONENT NAME
crypto
ecs_certificate
entrust/api
ADDITIONAL INFORMATION
Integration Tests
Tests run against VMs set up with Python 2.7 and Python 3.6. The reason the attached playbook doesn't run as 'localhost' was specifically to test behavior on different endpoint environments.
Attached are the results of the following integration tests running against our QA environment. Once merged these tests will run nightly against both ansible/devel and any baseline releases that include this module, against both our "next release" of ECS and the "current release". If needed I can try to adapt them (e.g. remove any sensitive values) for inclusion in ansible code base, though I'll note that customers and other ansible developers cannot access our internal QA environment, they can only submit against our actual CA, so testing would need to involve owned domains and actual ECS accounts, and unless the account was configured otherwise, would issue genuine publicly trusted certificates.
I am going to clean up the integration tests additionally (migrate the 'fail' calls into distinct pytest methods that check data against our database as well).
Integration Tests:
ecs_certificate_playbook.txt
ecs_certificate_output.txt