F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

bigip_ssl_key_cert: Module enforces '.key' and '.crt' extension while F5 BIG-IP TMOS doesn't #58

Closed simonkowallik closed 1 year ago

simonkowallik commented 1 year ago
COMPONENT NAME

bigip_ssl_key_cert version 1.13.0

Environment

ANSIBLE VERSION
currently latest
BIGIP VERSION
15.1.x / 16.1.x
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

The Ansible module enforces the '.key' and '.crt' extensions for keys and certificates.

This is the relevant code:

https://github.com/F5Networks/f5-ansible-bigip/blob/9d46de49b1945a0ca1e4574e243275078fe97d32/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_ssl_key_cert.py#L213-L239

While adding extensions could be considered a good practice, F5 BIG-IP TMOS (WebUI, tmsh, iControl REST API) does not enforce adding extensions to certificate or key files. Therefore the ansible module is not consistent with the features and behaviour of TMOS.

This is a problem because it prevents using ansible to manage existing sets of certificates and keys as well as reference issuer certificates that do not end with '.crt'.

STEPS TO REPRODUCE

```yaml
  tasks:
    - name: Import both key and cert
      bigip_ssl_key_cert:
        key_content: "{{ lookup('file', 'key.pem') }}"
        key_name: cert1
        cert_content: "{{ lookup('file', 'cert.pem') }}"
        cert_name: cert1
        state: present
```

This will produce sys file ssl-cert cert1.crt and sys file ssl-key cert1.key on the BIG-IP. .crt and .key are added even though not specified in the playbook (cert_name and key_name).

EXPECTED RESULTS

The expectation is to create the objects with the specified name without modification.

ACTUAL RESULTS

The produced objects are always named with .crt and .key file extensions.

POSSIBLE SOLUTION?

It is understandable that it is likely not desirable to change the current behaviour to avoid breaking existing implementations. One option could be to introduce a new module option to use the literal names as specified in the playbook.

For example:

```yaml
  tasks:
    - name: Import both key and cert
      bigip_ssl_key_cert:
        key_content: "{{ lookup('file', 'key.pem') }}"
        key_name: cert1
        cert_content: "{{ lookup('file', 'cert.pem') }}"
        cert_name: cert1
        use_literal_names: true  # defaults to false
        state: present
```

Because use_literal_names is true the objects on the BIG-IP will be named sys file ssl-cert cert1 and sys file ssl-key cert1 (.crt and .key not appended by ansible).
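
As an added example (not code from this issue, the collection, or F5), the following Python models the naming behaviour the report describes and turns it into a pre-flight check: given the object names already present on a BIG-IP, it reports whether a task will target the existing object or silently create a new one under the extended name. It assumes the module appends the extension only when the name does not already end with it (the issue does not say whether it would double-append), that `use_literal_names` is the hypothetical option proposed above rather than a released one, and the `tmsh list ... one-line` listing is constructed sample data, not captured from a device.

```python
"""Added example: model of bigip_ssl_key_cert name handling plus a pre-flight check.

Assumptions (not verified against the module source):
  * the module appends '.key' / '.crt' when the playbook name lacks that suffix
    and leaves names that already carry it alone;
  * 'use_literal_names' is the option proposed in the issue, not a shipped one.
"""
from typing import Dict, List, Tuple

KEY_EXT = ".key"
CERT_EXT = ".crt"


def module_object_name(name: str, ext: str, use_literal_names: bool = False) -> str:
    """Return the object name the module would send to the BIG-IP.

    Default path mirrors the issue's ACTUAL RESULTS: 'cert1' becomes 'cert1.crt'.
    With the proposed use_literal_names=True the playbook value passes through
    unchanged, which is what TMOS itself accepts (no extension is required).
    """
    if use_literal_names or name.endswith(ext):
        return name
    return name + ext


def parse_tmsh_one_line(listing: str) -> Dict[str, List[str]]:
    """Pull object names out of 'tmsh list sys file ssl-cert|ssl-key one-line' text.

    Each object line starts with 'sys file ssl-cert <name> {' or
    'sys file ssl-key <name> {'; everything after the name is ignored.
    """
    found: Dict[str, List[str]] = {"ssl-cert": [], "ssl-key": []}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[:2] == ["sys", "file"] and parts[2] in found:
            found[parts[2]].append(parts[3])
    return found


def preflight(existing: Dict[str, List[str]], key_name: str, cert_name: str,
              use_literal_names: bool = False) -> List[Tuple[str, str, str]]:
    """Report, per object, the name the module will use and whether it already exists.

    A 'creates new' verdict on a name you intended to reuse is exactly the
    mismatch the issue reports: the module targets cert1.crt while the device
    holds cert1, so the play imports a second copy instead of managing the first.
    """
    report: List[Tuple[str, str, str]] = []
    for kind, name, ext in (("ssl-key", key_name, KEY_EXT),
                            ("ssl-cert", cert_name, CERT_EXT)):
        target = module_object_name(name, ext, use_literal_names)
        verdict = "matches existing" if target in existing[kind] else "creates new"
        report.append((kind, target, verdict))
    return report


# Constructed sample listing: a key/cert pair imported via tmsh without
# extensions, next to the default objects that do carry them.
SAMPLE_LISTING = """\
sys file ssl-cert cert1 { checksum SHA1:1234:0000000000000000000000000000000000000000 }
sys file ssl-cert default.crt { checksum SHA1:1338:0000000000000000000000000000000000000000 }
sys file ssl-key cert1 { checksum SHA1:1704:0000000000000000000000000000000000000000 }
sys file ssl-key default.key { checksum SHA1:1704:0000000000000000000000000000000000000000 }
"""

if __name__ == "__main__":
    existing = parse_tmsh_one_line(SAMPLE_LISTING)
    print("default behaviour:")
    for row in preflight(existing, "cert1", "cert1"):
        print("  ", row)
    print("with proposed use_literal_names=true:")
    for row in preflight(existing, "cert1", "cert1", use_literal_names=True):
        print("  ", row)
```

Run it with a real `tmsh list sys file ssl-cert one-line` / `ssl-key one-line` capture in place of the sample to see, before the play runs, which tasks would quietly create `<name>.crt` / `<name>.key` duplicates next to objects that were imported by other means.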

wojtek0806 commented 1 year ago

We have got something similar for ssl_profiles in f5_modules, which coincidentally was used with file extensions for key/cert: https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_profile_client_ssl.py#L78

Needs a similar implementation.

KrithikaChidambaram commented 1 year ago

Hi, this is being tracked internally: INFRAANO-1119, thanks!

G-gonzalezjimenez commented 1 year ago

This has been fixed, will be released on 4/2023 Sprint, thank you.