Closed simonkowallik closed 1 year ago
We have got something similar for ssl_profiles in f5_modules, which coincidentally was used with file extensions for key/cert: https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_client_ssl.py#L78
Needs similar implementation.
Hi, this is being tracked internally: INFRAANO-1119, thanks!
This has been fixed, will be released on 4/2023 Sprint, thank you.
COMPONENT NAME
bigip_ssl_key_cert
version 1.13.0
Environment
ANSIBLE VERSION
BIGIP VERSION
CONFIGURATION
OS / ENVIRONMENT
SUMMARY
The ansible module enforces '.key' and '.crt' extension for keys and certificates.
This is the relevant code:
https://github.com/F5Networks/f5-ansible-bigip/blob/9d46de49b1945a0ca1e4574e243275078fe97d32/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_ssl_key_cert.py#L213-L239
While adding extensions could be considered a good practice, F5 BIG-IP TMOS (WebUI, tmsh, iControl REST API) does not enforce adding extensions to certificate or key files. Therefore the ansible module is not consistent with the features and behaviour of TMOS.
This is a problem because it prevents using ansible to manage existing sets of certificates and keys as well as reference issuer certificates that do not end with '.crt'.
STEPS TO REPRODUCE
This will produce 'sys file ssl-cert cert1.crt' and 'sys file ssl-key cert1.key' on the BIG-IP. '.crt' and '.key' are added even though not specified in the playbook ('cert_name' and 'key_name').
EXPECTED RESULTS
The expectation is to create the objects with the specified name without modification.
ACTUAL RESULTS
The produced objects are always named with '.crt' and '.key' file extensions.
POSSIBLE SOLUTION?
It is understandable that it is likely not desirable to change the current behaviour to avoid breaking existing implementations. One option could be to introduce a new module option to use the literal names as specified in the playbook.
For example:
Because 'use_literal_names' is 'true', the objects on the BIG-IP will be named 'sys file ssl-cert cert1' and 'sys file ssl-key cert1' ('.crt' and '.key' not appended by ansible).