step_ca_certificate: add state parameter #188
Labels
enhancement
New feature or improvement to an existing one
modules
Something affecting one or more module
maxhoesel added a commit to maxhoesel/ansible-collection-smallstep-fork that referenced this issue Oct 27, 2023
Right now, the step_ca_certificate module simply calls step-cli without checking for any existing certificates. This results in the following behavior:

- force is false: On the second run, step-cli asks for confirmation for overwriting the existing cert, causing the module to fail.
- true: The certificate is always overwritten, even when this is not needed.

Neither of these are really ideal from a user POV.

As a user, I would like the step_ca_certificate module to ensure that a valid certificate with the desired properties exists on the system, regardless of the underlying details. Such a valid certificate must:

It should be step_ca_certificate's job to ensure that these conditions are met, whether that includes creating a new certificate or not.

I propose the following approach to accomplish this:

- serial_number parameter and other parameters from step_ca_revoke
- revoke_on_delete parameter
- state parameter with the following options:
  - present
    - If the certificate doesn't exist, is expired or has a SAN parameter mismatch, create a new certificate
    - Else, do nothing
  - revoked
  - absent
    - revoke_on_delete is true, revoke the certificate first
- force parameter behavior: Instead of passing force on the command line to replace existing files (which we pretty much always want given the above model), use of force with present will now generate a new certificate on every single run.

Implementing this feature would require a few steps:

- step_ca_certificate_revoke module
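The present and absent decisions proposed above, written out as a pure function. This is an added example, not code from the collection: the names ExistingCert and plan_actions, the action labels and the case-insensitive SAN comparison are assumptions, and the revoked state is left out because the issue text here does not describe it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ExistingCert:
    """Properties read from the certificate file already on disk."""
    not_after: datetime       # end of the validity period (UTC)
    sans: FrozenSet[str]      # subject alternative names in the certificate


def plan_actions(state: str,
                 existing: Optional[ExistingCert],
                 desired_sans: List[str],
                 now: datetime,
                 force: bool = False,
                 revoke_on_delete: bool = False) -> List[str]:
    """Return the ordered steps needed to reach `state` ([] means no change)."""
    if state == "present":
        if existing is None:
            return ["issue"]              # no certificate on disk yet
        if force:
            return ["issue"]              # force with present: re-issue every run
        if existing.not_after <= now:
            return ["issue"]              # expired
        # Assumption: SANs are compared as case-insensitive sets.
        wanted = frozenset(s.lower() for s in desired_sans)
        have = frozenset(s.lower() for s in existing.sans)
        if wanted != have:
            return ["issue"]              # SAN mismatch
        return []                         # valid and matching: do nothing
    if state == "absent":
        if existing is None:
            return []                     # already absent
        # Revoke first, while the certificate file is still available.
        return (["revoke"] if revoke_on_delete else []) + ["delete"]
    raise ValueError(f"state {state!r} is not handled in this example")


# Constructed sample data, not taken from a real CA.
NOW = datetime(2023, 10, 27, tzinfo=timezone.utc)
VALID = ExistingCert(datetime(2023, 11, 27, tzinfo=timezone.utc),
                     frozenset({"web01.example.internal"}))
EXPIRED = ExistingCert(datetime(2023, 10, 1, tzinfo=timezone.utc),
                       frozenset({"web01.example.internal"}))
```

A second run with an unchanged, still-valid certificate returns an empty plan, which is what lets the task report "ok" instead of failing on the overwrite prompt or re-issuing needlessly.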