Distinguish or merge java_cert and java_keystore module #53867
Comments
Files identified in the description: If these files are inaccurate, please update the |
cc @Mogztter @haad |
So the first one will create a keystore (from a private key) and the second one will import or remove certificates from an existing keystore.
It's not.
I'm not sure about this one because you don't necessarily want to create a keystore from a private key. Also
Feel free to improve the documentation. For reference here's the pull request where I describe what |
My bad, I wasn't aware that
I think the confusion comes from the fact that you can use keystore as a truststore if you add AC and trusted certificates to it. At least that's my understanding 😉 |
I may be wrong, but my understanding is that they are identical. So I think that a merge is a good idea if this module will provide access to all keytool operations. |
Now you got me really confused. I haven't been digging deeper on the words truststore and keystore. Just noticed that one of my colleagues just used java_cert but found the documentation for the other one. From what I understand, a truststore actually is a keystore but without the private key part, so actually both modules do the same: store a cert in a .jks file. Don't want to question your implementation here @Mogztter, just asking if there is a need for two almost similar modules regarding behavior. Haven't had a look into the code yet. |
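The keystore/truststore question raised in the comments above comes down to which entry types a store file holds. As an added example (not part of the thread and not code from either Ansible module), this Python code parses the text printed by `keytool -list` and reports whether a file is acting as a keystore, a truststore, or both; the function names and the sample listing are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `keytool -list` output; aliases, dates and
# fingerprints are made up for this example.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

server, Mar 4, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33
internal-ca, Mar 4, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77
partner-ca, Mar 5, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB
"""

# An entry line ends with its type; the date in the middle may contain commas.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s.*?,\s*"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)

def parse_entries(listing):
    """Return (alias, entry_type) pairs found in `keytool -list` text."""
    entries = []
    for line in listing.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("alias"), match.group("kind")))
    return entries

def classify_store(listing):
    """Describe how a store is used, based on the entry types it holds."""
    kinds = Counter(kind for _, kind in parse_entries(listing))
    has_keys = kinds["PrivateKeyEntry"] > 0
    has_trust = kinds["trustedCertEntry"] > 0
    if has_keys and has_trust:
        return "mixed"       # private keys and trust anchors in one file
    if has_keys:
        return "keystore"    # holds private keys: protect it like a secret
    if has_trust:
        return "truststore"  # public certificates only
    return "other" if kinds else "empty"

if __name__ == "__main__":
    for alias, kind in parse_entries(SAMPLE_LISTING):
        print(f"{alias}: {kind}")
    print(classify_store(SAMPLE_LISTING))
```

A result of "mixed" is worth flagging in review: the file then needs the access controls of a private key even if it is deployed as a truststore.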
If I may add my two cents as a new user. It is confusing to have both modules that are closely related but do not share similar syntax.

Playbook Example

```yaml
- name: ensure that only this trusted certificate exists in this keystore
  java_keystore:
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    # private_key: None (default)
    password: keystore_password
    dest: /path/to/truststore.jks
    force: true

- name: ensure that this trusted certificate also exists in this keystore
  java_keystore:
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    password: keystore_password
    # private_key: None (default)
    dest: /path/to/truststore.jks
    # force: false (default)

- name: ensure that this key/cert pair exists in this keystore
  java_keystore:
    name: key1
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    password: keystore_password
    dest: /path/to/keystore.jks
    # force: false (default)

- name: ensure that only this key/cert pair exists in this keystore
  java_keystore:
    name: key2
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    password: keystore_password
    dest: /path/to/keystore.jks
    force: false # (default)
```

Admittedly, although this makes sense to me, it might not make sense to all users, especially because of the confusion between keystore and truststore. If combining the modules isn't a great idea, then I like the idea of renaming (Also want to give a thank you to everyone who is working on this project; I think it will wind up being a huge part of our infrastructure in my organization!) |
Adding my vote to this. It seems (to me) that java_cert is the more immature of the two, not supporting owner or group settings when creating a new file, either. I'd vote for removing it and adding the modicum of flexibility needed to allow java_keystore to handle both key and trust stores. |
Thank you very much for your interest in Ansible. Ansible has migrated much of the content into separate repositories to allow for more rapid, independent development. We are closing this issue/PR because this content has been moved to one or more collection repositories.
For further information, please see: |
SUMMARY
There are two modules: java_cert and java_keystore
From the documentation it is not entirely clear what the difference is in behavior and functionality.
It seems to me that this is a duplicated module, so it can either be merged or it must be clear from its documentation what it does differently, and maybe have a clear statement on when to use the other module.
ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
2.7.x