Use the certificate role to generate certificates in the logging role

- Introduce logging_certificates variable to specify parameters for using the certificate role.
linux-system-roles · Sep 15, 2022 · 8d186f8 · 8d186f8
1 parent 8ddcab1
commit 8d186f8
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 42 deletions.
diff --git a/README.md b/README.md
@@ -432,6 +432,17 @@ These variables are set in the same level of the `logging_inputs`, `logging_outp
   If set to `false` and ports are found in the logging role parameters, unset the selinux
   for the ports using the selinux role.
   Default to `true`.
+- `logging_certificates`: This is a `list` of `dict` in the same format as used
+  by the `fedora.linux_system_roles.certificate` role.  Specify this variable if
+  you want the certificate role to generate the certificates for the logging system
+  configured by the logging role. With this example, `self-signed` certificate
+  `logging_cert.crt` is generated in `/etc/pki/tls/certs`.
+```yaml
+    logging_certificates:
+      - name: logging_cert
+        dns: ['localhost', 'www.example.com']
+        ca: self-sign
+```
 
 ### Update and Delete
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -102,6 +102,15 @@ logging_manage_firewall: true
 # unset the selinux for the ports using the selinux role.
 logging_manage_selinux: true
 
+# If you want the role to generate the certificates in the logging
+# configuration, specify the arguments to pass to the certificate
+# system role. Here's an example.
+# logging_certificates:
+#   - name: logging_cert
+#     dns: ['localhost', 'www.example.com']
+#     ca: self-sign
+logging_certificates: []
+
 # ansible_facts required by the role
 __logging_required_facts:
   - distribution

diff --git a/tasks/certificate.yml b/tasks/certificate.yml
@@ -0,0 +1,7 @@
+---
+- name: Generate certificates
+  include_role:
+    name: fedora.linux_system_roles.certificate
+  vars:
+    certificate_requests: "{{ logging_certificates }}"
+  when: logging_certificates | length > 0
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -47,7 +47,7 @@
               length != item.inputs | length
       vars:
         __logging_input_names: "{{ logging_inputs |
-          map(attribute='name') | list }}"
+            map(attribute='name') | list }}"
 
     # Manage firewall for the ports configured as logging role parameters
     - name: Gather ports specified in the logging_inputs and outputs vars
@@ -59,6 +59,10 @@
     - name: Manage selinux on the gathered ports
       include_tasks: selinux.yml
 
+    # Configure certificates
+    - name: Generate certificates
+      include_tasks: certificate.yml
+
     - block:
         - name: Re-read facts after adding custom fact
           setup:

diff --git a/tests/tests_relp.yml b/tests/tests_relp.yml
@@ -1,35 +1,24 @@
----
 - name: Test the server/client configuration using tls relp
   hosts: all
   vars:
-    __test_ca_key_name: test-ca-key.pem
-    __test_ca_cert_name: test-ca.crt
-    __test_key_name: test-key.pem
-    __test_csr_name: test-cert.csr
-    __test_cert_name: test-cert.pem
-    __test_ca_path: /etc/pki/CA
-    __test_ca_key_path: "{{ __test_ca_path }}/private"
-    __test_ca_cert_path: "{{ __test_ca_path }}/certs"
-    __test_key_path: /etc/pki/tls/private
-    __test_cert_path: /etc/pki/tls/certs
-    __test_csr_path: /etc/rsyslog.d
-    __test_ca_key: "{{ __test_ca_key_path }}/{{ __test_ca_key_name }}"
-    __test_ca_cert: "{{ __test_ca_cert_path }}/{{ __test_ca_cert_name }}"
-    __test_key: "{{ __test_key_path }}/{{ __test_key_name }}"
-    __test_cert_csr: "{{ __test_csr_path }}/{{ __test_csr_name }}"
-    __test_cert: "{{ __test_cert_path }}/{{ __test_cert_name }}"
+    __test_cert_name: logging_cert
+    __test_ca_cert: "/etc/pki/tls/certs/{{ __test_cert_name }}.crt"
+    __test_key: "/etc/pki/tls/private/{{ __test_cert_name }}.key"
+    __test_cert: "/etc/pki/tls/certs/{{ __test_cert_name }}.crt"
     __test_relp_server0: /etc/rsyslog.d/11-input-relp-relp_server0.conf
     __test_relp_server1: /etc/rsyslog.d/11-input-relp-relp_server1.conf
     __test_relp_client0: /etc/rsyslog.d/31-output-relp-relp_client0.conf
     __test_relp_client1: /etc/rsyslog.d/31-output-relp-relp_client1.conf
 
   tasks:
-    - include_tasks: tasks/create_tests_certs.yml
-
     # TEST CASE 0
     - name: "TEST CASE 0; Test the server configuration containing tls tcp,
       plain tcp and udp connection"
       vars:
+        logging_certificates:
+          - name: logging_cert
+            dns: ['localhost', 'www.example.com']
+            ca: self-sign
         logging_inputs:
           - name: system_input
             type: basics
@@ -230,6 +219,10 @@
     - name: TEST CASE 1; Test the client configuration using tls relp
       vars:
         logging_enabled: true
+        logging_certificates:
+          - name: logging_cert
+            dns: ['localhost', 'www.example.com']
+            ca: self-sign
         logging_inputs:
           - name: system_input
             type: basics
@@ -391,10 +384,8 @@
     - name: clean up pki files
       file: path="{{ item }}" state=absent
       loop:
-        - "{{ __test_ca_key }}"
         - "{{ __test_ca_cert }}"
         - "{{ __test_key }}"
-        - "{{ __test_cert_csr }}"
         - "{{ __test_cert }}"
 
     - name: Check ports managed by firewall and selinux

diff --git a/tests/tests_server.yml b/tests/tests_server.yml
@@ -12,36 +12,24 @@
   plain tcp and udp connection"
   hosts: all
   vars:
-    __test_ca_key_name: test-ca-key.pem
-    __test_ca_csr: test-ca.csr
-    __test_ca_cert_name: test-ca.crt
-    __test_key_name: test-key.pem
-    __test_csr_name: test-cert.csr
-    __test_cert_name: test-cert.pem
-    __test_ca_path: /etc/pki/CA
-    __test_ca_key_path: "{{ __test_ca_path }}/private"
-    __test_ca_cert_path: "{{ __test_ca_path }}/certs"
-    __test_key_path: /etc/pki/tls/private
-    __test_cert_path: /etc/pki/tls/certs
-    __test_csr_path: /etc/rsyslog.d
-    __test_ca_key: "{{ __test_ca_key_path }}/{{ __test_ca_key_name }}"
-    __test_ca_cert_csr: "{{ __test_csr_path }}/{{ __test_ca_csr }}"
-    __test_ca_cert: "{{ __test_ca_cert_path }}/{{ __test_ca_cert_name }}"
-    __test_key: "{{ __test_key_path }}/{{ __test_key_name }}"
-    __test_cert_csr: "{{ __test_csr_path }}/{{ __test_csr_name }}"
-    __test_cert: "{{ __test_cert_path }}/{{ __test_cert_name }}"
+    __test_cert_name: logging_cert
+    __test_ca_cert: "/etc/pki/tls/certs/{{ __test_cert_name }}.crt"
+    __test_key: "/etc/pki/tls/private/{{ __test_cert_name }}.key"
+    __test_cert: "/etc/pki/tls/certs/{{ __test_cert_name }}.crt"
     __test_server_ptcp: /etc/rsyslog.d/11-input-remote-remote_ptcp.conf
     __test_server_tcp: /etc/rsyslog.d/11-input-remote-remote_tcp.conf
     __test_server_udp: /etc/rsyslog.d/11-input-remote-remote_udp.conf
     __expected_error: "Error: remote_tcp_0 and remote_tcp_1 conflict."
 
   tasks:
-    - include_tasks: tasks/create_tests_certs.yml
-
     # TEST CASE 0
     - name: "TEST CASE 0; Test the server configuration containing tls tcp,
       plain tcp and udp connection"
       vars:
+        logging_certificates:
+          - name: logging_cert
+            dns: ['localhost', 'www.example.com']
+            ca: self-sign
         logging_pki_files:
           - ca_cert: "{{ __test_ca_cert }}"
             cert: "{{ __test_cert }}"
@@ -182,6 +170,10 @@
         - name: "TEST CASE 1; Test the server configuration containing
           conflicted tls inputs in the remote input"
           vars:
+            logging_certificates:
+              - name: logging_cert
+                dns: ['localhost', 'www.example.com']
+                ca: self-sign
             logging_pki_files:
               - ca_cert: "{{ __test_ca_cert }}"
                 cert: "{{ __test_cert }}"
@@ -238,3 +230,10 @@
       rescue:
         - debug:
             msg: Caught an expected error - {{ ansible_failed_result }}
+
+    - name: clean up pki files
+      file: path="{{ item }}" state=absent
+      loop:
+        - "{{ __test_ca_cert }}"
+        - "{{ __test_key }}"
+        - "{{ __test_cert }}"