-
Notifications
You must be signed in to change notification settings - Fork 23.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Addition of ECS_Certificate Module #60883
Addition of ECS_Certificate Module #60883
Conversation
@ctrufan this PR contains the following merge commits: Please rebase your branch to remove these commits. |
c1466f2
to
eb0593d
Compare
The test
The test
The test
The test
The test
|
The test
The test
|
The test
|
68da153
to
2691e49
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't look at the implementation, just at the documentation so far.
BTW, all new modules should have tests of some kind (either unit tests, or integration tests, even if they are marked as unsupported
, i.e. they are not run via CI).
The test
The test
The test
|
@felixfontein |
No worries, that's totally fine! (Well, at least as long as you're very sure the comment is really addressed. If you're not sure, don't resolve it.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Found a few nits, besides that, I think everything is fine!
The only thing that is missing are tests (integration tests marked as unsupported
are also fine).
If you can add them today, we should be able to get this new module in for Ansible 2.9.
Co-Authored-By: Felix Fontein <felix@fontein.de>
For running the integration tests, I couldn't for the life of me get it to pick up on an integration_config.yml file - since I figured it was likely a config issue and not something that would require code changes, I ran tests with: cat integration_config.yml >> test/integration/targets/ecs_certificate/vars/main.yml Contents of integration_config are:
Attached is the file output: |
In case the tests modify the system, you want to add |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Just a few minor optional points. Also, tests for check mode would be nice. But I'm totally fine with adding them in a later PR.
I was running in a VM already, so there were no worries there. This does bring up an issue with the integration tests though - these ones can't run with --docker, because they need access to the cert/key files, and since the entire playbook runs from within the docker container, there's no way to get them to it (our internal molecule tests solve this by copying from the host to the docker VMs, as well as doing API calls delegated to localhost). Unless I'm missing something in the docker behavior, there's no way to push data from the host to the container, so I might have to refactor the variable to take in the full PEM string of cert/key, then write them to disk. |
Ah, in that case, don't ;-) |
@ctrufan thanks for contributing this module! |
Thank you for the reviews and input! Very appreciated, especially getting it in before 2.8. |
* Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file.
* Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file.
SUMMARY
Addition of a module to submit certificate requests to the Entrust Certificate Services API.
Supports various entrust specific parameters, such as specifying client ID or tracking information such as additional emails or custom fields.
If the certificate in 'path' is present but not an entrust certificate, it will be treated as not valid - expectation is that this allows for transitioning from self-signed/etc to Entrust issued certificates.
If the certificate present in path but is an Entrust certificate, whether or not a new one is requested is based on the days remaining and the value of 'force', similarly to how both openssl_certificate and acme_certificate behave.
The "tracking_id" parameter is the value to uniquely identify certificates in the ECS system, and is something customers would be familiar with if they needed to use it.
The ECS API supports two operations on existing certificates, 'RENEW' and 'REISSUE'. If the tracking_id parameter is used, this module can be used to 'adopt' an existing ECS certificate for management under Ansible - specifying a tracking_id means that it will download that certificate to path if it is a valid certificate, and if it is within remaining_days of expiration or the 'force' command is used, it can be reissued or renewed. This design decision was made to make it easier to migrate existing infrastructure to ansible, as many customers have internal setups that already keep track of the tracking_id of existing certificates that they could pass to an ansible playbook.
ISSUE TYPE
COMPONENT NAME
crypto
ecs_certificate
entrust/api
ADDITIONAL INFORMATION
Integration Tests
Tests run against VMs set up with Python 2.7 and Python 3.6. The reason the attached playbook doesn't run as 'localhost' was specifically to test behavior on different endpoint environments.
Attached are the results of the following integration tests running against our QA environment. Once merged these tests will run nightly against both ansible/devel and any baseline releases that include this module, against both our "next release" of ECS and the "current release". If needed I can try to adapt them (e.g. remove any sensitive values) for inclusion in ansible code base, though I'll note that customers and other ansible developers cannot access our internal QA environment, they can only submit against our actual CA, so testing would need to involve owned domains and actual ECS accounts, and unless the account was configured otherwise, would issue genuine publicly trusted certificates.
I am going to clean up the integration tests additionally (migrate the 'fail' calls into distinct pytest methods that check data against our database as well).
Integration Tests:
ecs_certificate_playbook.txt
ecs_certificate_output.txt