Try to use ansible modules for every task.

2023-12-06 19:35:53 +01:00 · 2023-12-06 19:35:53 +01:00 · 9c497992c3
parent d9bc0b6f6a
commit 9c497992c3
4 changed files with 83 additions and 49 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,15 +1,17 @@
 ---
-java_keystore_use_default: False
+java_keystore_use_default: false
 java_default_keystore: '{{ jdk_java_home }}/jre/lib/security/cacerts'
+java_default_truststore: "{{ java_default_keystore }}"
 java_keystore_dir: "{{ pki_dir | default('/etc/pki') }}/jdk"
-#java_keystore_file: '{{ java_default_keystore }}'
-java_keystore_file: '{{ java_keystore_dir }}/java.jks'
-java_keytool_bin: '{{ jdk_java_home }}/jre/bin/keytool'
+java_keystore_file: "{% if java_keystore_use_default %}{{ java_default_keystore }}{% else %}{{ java_keystore_dir }}/java.jks{% endif %}"
+java_truststore_file: "{{ java_keystore_file }}"

-#java_keystore_certs_list: []
+java_trusted_certificates_list: []
+java_keystore_certs_list: []
 java_keystore_cert_alias: '{{ ansible_fqdn }}'
-# This is the default java password. No need to hide it.
+# This is the default password of the JDK keystore. No need to hide it.
 # Change it inside a vault file if you need something good
 java_keystore_pwd: changeit
+java_truststore_pwd: "{{ java_keystore_pwd }}"
 java_keystore_letsencrypt_trusted_ca: identrustdstx3
-java_import_letsencrypt_cert: True
+java_import_letsencrypt_cert: true
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,2 +0,0 @@
---
-# handlers file for ansible-role-template
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,33 +1,30 @@
 galaxy_info:
  author: Andrea Dell'Amico
-  description: Systems Architect
+  description: Role that manages a Java keystore
  company: ISTI-CNR
-
-  issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
-
+  namespace: adellam
+  role_name: java_keystore
  license: EUPL 1.2+
-
-  min_ansible_version: 2.8
-
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
+  min_ansible_version: "1.14"
  platforms:
    - name: Ubuntu
      versions:
        - bionic
+        - focal
+        - jammy
    - name: EL
      versions:
-        - 7
-        - 8
+        - "7"
+        - "8"
+        - "9"

  galaxy_tags:
    - java
    - keystore

 dependencies:
-  - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
+  - name: openjdk
+    src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
    version: master
-    name: openjdk
    state: latest

--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,32 +1,69 @@
 ---
- block:
-    - name: Create the PKI directory
-      file: dest={{ java_keystore_dir }} state=directory owner=root group=root mode=0755
-
+- name: Manage the PKI directory
  when: not java_keystore_use_default
  tags: java_keystore
+  block:
+    - name: Create the PKI directory
+      ansible.builtin.file:
+        dest: "{{ java_keystore_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"

- block:
-    - name: Import the certificates
-      shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ item.alias }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then {{ java_keytool_bin }} -trustcacerts -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt -importcert -alias {{ item.alias }} -file {{ item.certfile }} ; fi
-      with_items: '{{ java_keystore_certs_list | default([]) }}'
-
-    - name: Import the certificate key
-      shell: RETVAL= ; {{ java_keytool_bin }} -import -alias NOME -keyalg RSA -keystore {{ java_keystore_file }} -dname "CN={{ ansible_fqdn }}" -keypass {{ java_keystore_pwd }} -storepass {{ java_keystore_pwd }} -file {{ item.keyfile }}
-      with_items: '{{ java_keystore_certs_list | default([]) }}'
-      
-  when: java_keystore_certs_list is defined
-  tags: java_keystore
-
- block:
-    - name: Import the Letsencrypt intermediate CA cert
-      shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ java_keystore_letsencrypt_trusted_ca }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then {{ java_keytool_bin }} -trustcacerts -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt -importcert -alias {{ java_keystore_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/fullchain ; fi
-
-    - name: Import the letsencrypt certificate
-      shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ ansible_fqdn }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/fullchain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keystore_pwd }} ; {{ java_keytool_bin }} -importkeystore -srcstorepass {{ java_keystore_pwd }} -deststorepass {{ java_keystore_pwd }} -destkeystore {{ java_keystore_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12 ; rm -f /var/tmp/{{ ansible_fqdn }}.p12 ; fi
-
+- name: Import a certificate generated by a mkcert CA into a keystore
  when:
-    - java_import_letsencrypt_cert
-    - letsencrypt_acme_install is defined and letsencrypt_acme_install
-  tags: java_keystore
+    - java_keystore_certs_list is defined
+    - mkcert_create_certificate is defined and mkcert_create_certificate
+  tags: [java_keystore, java_keystore_mkcert]
+  block:
+    - name: Generate a PKCS12 from the certificate and key produced by mkcert
+      community.crypto.openssl_pkcs12:
+        action: export
+        friendly_name: "{{ java_keystore_cert_alias }}"
+        path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
+        certificate_path: "{{ mkcert_cert_dest_path }}"
+        privatekey_path: "{{ mkcert_key_dest_path }}"
+        other_certificates: '{{ java_trusted_certificates_list }}'
+        owner: root
+        group: root
+        mode: "0600"
+        state: present

+    - name: Import the CA certificate
+      community.general.java_cert:
+        pkcs12_path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
+        cert_alias: "{{ java_keystore_cert_alias }}"
+        keystore_path: "{{ java_keystore_file }}"
+        keystore_pass: "{{ java_keystore_pwd }}"
+        keystore_create: true
+        state: present
+
+- name: Import a certificate generated by a Letsencrypt into a keystore
+  when:
+    - java_keystore_certs_list is defined
+    - mkcert_create_certificate is defined and mkcert_create_certificate
+  tags: [java_keystore, java_keystore_letsencrypt, letsencrypt]
+  block:
+    - name: Generate a PKCS12 from the certificate and key produced by Letsencrypt
+      community.crypto.openssl_pkcs12:
+        action: export
+        friendly_name: "{{ java_keystore_cert_alias }}"
+        path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
+        certificate_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/cert"
+        privatekey_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/privkey"
+        other_certificates:
+          - '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
+        owner: root
+        group: root
+        mode: "0600"
+        state: present
+
+    - name: Import the CA certificate
+      community.general.java_cert:
+        pkcs12_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
+        cert_alias: "{{ java_keystore_cert_alias }}"
+        keystore_path: "{{ java_keystore_file }}"
+        keystore_pass: "{{ java_keystore_pwd }}"
+        keystore_create: true
+        state: present