path: root/test/integration/targets/docker_swarm/tasks/tests/options-ca.yml
blob: d08e151a2d2212c28990bb01dec4ec77fd87c2ee (plain)
---
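- block:
  # Create two throw-away RSA private keys, ansible_key1.key and
  # ansible_key2.key, under output_dir. Later tasks in this block feed them to
  # docker_swarm as signing_ca_key, so they are CA signing keys for the test
  # swarm.
  - name: Generate privatekey
    openssl_privatekey:
      path: "{{ output_dir }}/ansible_{{ key }}.key"
      size: 2048
      # Owner-only permissions. The original "0666" left the CA signing key
      # readable and writable by every local account on the test host.
      # NOTE(review): assumes the later lookup('file', ...) calls run as the
      # same user that creates the key - confirm for remote test targets.
      mode: "0600"
    loop:
    - key1
    - key2
    loop_control:
      loop_var: key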

  # Build one certificate signing request per generated key. Each CSR asks for
  # a CA certificate (basicConstraints CA:TRUE) limited to certificate signing
  # (keyUsage keyCertSign).
  # NOTE(review): neither extension is requested as critical here; acceptable
  # for a test fixture, but confirm before reusing this for a real CA.
  - name: Generate CSR
    loop: [key1, key2]
    loop_control:
      loop_var: key
    openssl_csr:
      privatekey_path: "{{ output_dir }}/ansible_{{ key }}.key"
      path: "{{ output_dir }}/ansible_{{ key }}.csr"
      key_usage: [keyCertSign]
      basic_constraints: ["CA:TRUE"]

  # Self-sign each CSR with its own private key and write the result to
  # ansible_<key>.pem. These certificates are the signing_ca_cert inputs of the
  # docker_swarm tasks further down.
  - name: Generate self-signed certificate
    loop: [key1, key2]
    loop_control:
      loop_var: key
    openssl_certificate:
      provider: selfsigned
      csr_path: "{{ output_dir }}/ansible_{{ key }}.csr"
      privatekey_path: "{{ output_dir }}/ansible_{{ key }}.key"
      path: "{{ output_dir }}/ansible_{{ key }}.pem"

  ###################################################################
  ## signing_ca_cert and signing_ca_key #############################
  ###################################################################
  # Check-mode run of swarm creation with the key1 CA pair. The result is kept
  # in output_1 for the assert task at the end of the block.
  - name: signing_ca_cert and signing_ca_key (check mode)
    check_mode: true
    diff: true
    register: output_1
    docker_swarm:
      state: present
      advertise_addr: "{{ansible_default_ipv4.address | default('127.0.0.1')}}"
      timeout: 120
      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
      # NOTE(review): the CA private key is passed inline as a module argument
      # with diff enabled; confirm the module marks this option no_log so the
      # key does not appear in task output.
      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"

  # Real run: create the swarm using the key1 certificate and private key as
  # the signing CA. The result is kept in output_2 for the assert task.
  - name: signing_ca_cert and signing_ca_key
    diff: true
    register: output_2
    docker_swarm:
      state: present
      advertise_addr: "{{ansible_default_ipv4.address | default('127.0.0.1')}}"
      timeout: 120
      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
      # NOTE(review): inline CA private key with diff enabled; confirm the
      # module treats this option as no_log.
      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"

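  # Still resolves the key file through the lookup, so an unreadable or missing
  # file fails here, but no_log stops the CA private key from being written to
  # the console and CI job logs, where the original debug task printed it in
  # clear text.
  - name: Private key
    debug:
      msg: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
    no_log: true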
  # Print the key1 CA certificate (the public half of the pair) to the task
  # output for troubleshooting.
  - name: Cert
    debug:
      msg: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
  # Query the swarm that was just created and dump the registered result.
  # NOTE(review): everything the facts module returns lands in the job log;
  # confirm it does not include swarm join tokens or other secrets.
  - docker_swarm_facts:
    register: output
  - debug:
      var: output

  # FIXME: idempotence for the CA cert and key doesn't work yet, so the two
  # idempotence tasks below (output_3 / output_4) stay commented out.

  #- name: signing_ca_cert and signing_ca_key (idempotent)
  #  docker_swarm:
  #    state: present
  #    signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
  #    signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
  #    timeout: 120
  #  diff: yes
  #  register: output_3

  #- name: signing_ca_cert and signing_ca_key (idempotent, check mode)
  #  docker_swarm:
  #    state: present
  #    signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.pem') }}"
  #    signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key1.key') }}"
  #    timeout: 120
  #  check_mode: yes
  #  diff: yes
  #  register: output_4

  # Check-mode run of switching the swarm's signing CA from the key1 pair to
  # the key2 pair. The result is kept in output_5 for the assert task.
  - name: signing_ca_cert and signing_ca_key (change, check mode)
    check_mode: true
    diff: true
    register: output_5
    docker_swarm:
      state: present
      timeout: 120
      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.pem') }}"
      # NOTE(review): inline CA private key with diff enabled; confirm the
      # module treats this option as no_log.
      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.key') }}"

  # Real run of the CA change: update the existing swarm to use the key2
  # certificate and private key. The result is kept in output_6.
  - name: signing_ca_cert and signing_ca_key (change)
    diff: true
    register: output_6
    docker_swarm:
      state: present
      timeout: 120
      signing_ca_cert: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.pem') }}"
      # NOTE(review): inline CA private key with diff enabled; confirm the
      # module treats this option as no_log.
      signing_ca_key: "{{ lookup('file', role_path ~ '/' ~ output_dir ~ '/ansible_key2.key') }}"

  # Verify the registered results: every executed run must report a change and
  # carry diff.before / diff.after. Runs 1-2 must report swarm creation, runs
  # 5-6 a swarm update. The output_3 / output_4 checks belong to the disabled
  # idempotence tasks and stay commented out with them.
  - name: assert signing_ca_cert and signing_ca_key
    assert:
      that:
      # creation with the key1 CA pair, check mode
      - 'output_1 is changed'
      - 'output_1.actions[0] | regex_search("New Swarm cluster created: ")'
      - 'output_1.diff.before is defined'
      - 'output_1.diff.after is defined'
      # creation with the key1 CA pair, real run
      - 'output_2 is changed'
      - 'output_2.actions[0] | regex_search("New Swarm cluster created: ")'
      - 'output_2.diff.before is defined'
      - 'output_2.diff.after is defined'
      # idempotence checks, disabled
      #- 'output_3 is not changed'
      #- 'output_3.actions[0] == "No modification"'
      #- 'output_3.diff.before is defined'
      #- 'output_3.diff.after is defined'
      #- 'output_4 is not changed'
      #- 'output_4.actions[0] == "No modification"'
      #- 'output_4.diff.before is defined'
      #- 'output_4.diff.after is defined'
      # change to the key2 CA pair, check mode
      - 'output_5 is changed'
      - 'output_5.actions[0] == "Swarm cluster updated"'
      - 'output_5.diff.before is defined'
      - 'output_5.diff.after is defined'
      # change to the key2 CA pair, real run
      - 'output_6 is changed'
      - 'output_6.actions[0] == "Swarm cluster updated"'
      - 'output_6.diff.before is defined'
      - 'output_6.diff.after is defined'

  # Block-level condition: it applies to every task in the block above, so the
  # whole CA test is skipped when the installed pyOpenSSL is older than 0.15.
  # Background: https://github.com/ansible/ansible/issues/34054
  # (openssl_certificate unusable on RHEL 7).
  # NOTE(review): pyopenssl_version is not set in this file; presumably it is
  # registered by an earlier task in the role - confirm.
  when: pyopenssl_version.stdout is version('0.15', '>=')