reallyenglish / ansible-role-nsd

ISC License

certificate and key management is PITA #34

Open trombik opened 7 years ago

trombik commented 7 years ago

ISSUE TYPE

ROLE VERSION

2.0.0
CONFIGURATION

n/a or see the unit test.

OS / ENVIRONMENT

n/a

SUMMARY

it is a PITA to configure the certificate and key.

in tests/serverspec/remote_control_with_variables.yml, x509_certificate_additional_packages and nsd_conf_dir_pre are necessary evils because, when x509-certificate is executed, user nsd does not exist and nsd_conf_dir is not included and expanded. ansible has a module, include_role, which executes a role from inside another role. it should be possible to remove these necessary evils by using it.

STEPS TO REPRODUCE

n/a

EXPECTED RESULTS

the ugly variables are removed.

ACTUAL RESULTS

they are there.

trombik commented 7 years ago

it appears include_role is not mature yet. see https://github.com/ansible/ansible/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aopen%20include_role

trombik commented 7 years ago

platform      ansible version  status      symptom
CentOS 7.3    2.3.1.0          successful  n/a
FreeBSD 10.3  2.3.1.0          failed      depended role included but the tasks are not executed, saying "Conditional result was False"
OpenBSD 6.0   2.1.0.0          failed      include_role is not implemented: "ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path."
OpenBSD 6.1   2.2.1.0          failed      depended role included but the tasks are not executed, saying "Conditional check failed"
Ubuntu 14.04  2.3.0.0          failed      depended role included but the tasks are not executed, saying "Conditional result was False"
Ubuntu 16.04  2.3.0.0          failed      depended role included but the tasks are not executed, saying "Conditional result was False"

the diff

diff --git a/.kitchen.yml b/.kitchen.yml
index 54f1760..e7e3dbf 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -106,6 +106,3 @@ suites:
     verifier:
       name: shell
       command: rspec -c -f d -I tests/serverspec tests/serverspec/remote_control_with_variables_spec.rb
-    # as this test case is platform-independant, running on a single platform
-    # is enough.
-    includes: centos-7.3-x86_64
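Review bot: removing `includes: centos-7.3-x86_64` makes this suite run on every platform in the matrix, which is the point of the change, but the comment being deleted still describes the old reasoning; record in the commit message that the suite is now intentionally cross-platform so the next reader does not re-add the restriction.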
diff --git a/defaults/main.yml b/defaults/main.yml
index 159a5a1..4a0abf7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,3 +12,4 @@ nsd_flags: ""
 nsd_remote_setup: false
 # master and slave
 nsd_zones: {}
+nsd_x509_certificate_enable: no
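Review bot: `nsd_x509_certificate_enable: no` is a new role variable with no accompanying documentation; add it to the role's variable documentation and state that setting it to yes pulls in reallyenglish.x509-certificate through include_role, since that is a new external dependency of this role.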
diff --git a/tasks/main.yml b/tasks/main.yml
index 8cea78a..ddff269 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,6 +5,11 @@

 - include: "install-{{ ansible_os_family }}.yml"

+- name: Include x509-certificate
+  include_role:
+    name: reallyenglish.x509-certificate
+    when: nsd_x509_certificate_enable
+
 - name: Create db directory
   file:
     path: "{{ nsd_db_dir }}"
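Review bot: `when: nsd_x509_certificate_enable` is indented under `include_role:` at the same level as `name: reallyenglish.x509-certificate`, so it is handed to the module as an argument rather than evaluated as a task-level conditional; dedent it to the same indent as `include_role:` so the task reads `include_role:` / `name: reallyenglish.x509-certificate` / `when: nsd_x509_certificate_enable` with `when` as a sibling of `include_role`.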
diff --git a/tests/serverspec/remote_control_with_variables.yml b/tests/serverspec/remote_control_with_variables.yml
index f54943a..1ecc269 100644
--- a/tests/serverspec/remote_control_with_variables.yml
+++ b/tests/serverspec/remote_control_with_variables.yml
@@ -1,21 +1,19 @@
 - hosts: localhost
   roles:
     - reallyenglish.redhat-repo
-    - reallyenglish.x509-certificate
     - ansible-role-nsd
   vars:
-    x509_certificate_additional_packages: "{% if ansible_os_family == 'OpenBSD' %}[]{% else %}nsd{% endif %}"
-    # XXX nsd_conf_dir_pre == nsd_conf_dir
-    # when x509-certificate is applied to the host, `nsd_conf_dir` is not
-    # included yet.
-    nsd_conf_dir_pre: "{% if ansible_os_family == 'OpenBSD' %}/var/nsd/etc{% elif ansible_os_family == 'FreeBSD' %}/usr/local/etc/nsd{% else %}/etc/nsd{% endif %}"
+    nsd_x509_certificate_enable: yes
+
+    # XXX NEVER set this to yes in production
+    x509_certificate_debug_log: yes
     x509_certificate:
       - name: nsd_control
         state: present
         public:
-          path: "{{ nsd_conf_dir_pre }}/nsd_control.pem"
-          owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
-          group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+          path: "{{ nsd_conf_dir }}/nsd_control.pem"
+          owner: "{{ nsd_user }}"
+          group: "{{ nsd_group }}"
           mode: "0644"
           key: |
             -----BEGIN CERTIFICATE-----
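Review bot: the vars now reference `nsd_conf_dir`, `nsd_user` and `nsd_group`, which only resolve because include_role runs inside ansible-role-nsd after its defaults are loaded; a one-line comment saying so would usefully replace the XXX note being removed. The new `x509_certificate_debug_log: yes` marked "NEVER set this to yes in production" should also say what it is needed for in this fixture, since a debug log of certificate handling can expose the private key material defined below.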
@@ -41,9 +39,9 @@
             aIV491QzoOfbuVD5/n31wwAX/BU=
             -----END CERTIFICATE-----
         secret:
-          path: "{{ nsd_conf_dir_pre }}/nsd_control.key"
-          owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
-          group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+          path: "{{ nsd_conf_dir }}/nsd_control.key"
+          owner: "{{ nsd_user }}"
+          group: "{{ nsd_group }}"
           mode: "0600"
           key: |
             -----BEGIN RSA PRIVATE KEY-----
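Review bot: the secret block keeps `mode: "0600"` while owner and group switch to `{{ nsd_user }}` and `{{ nsd_group }}`, so the key stays readable only by the nsd user on every platform; the serverspec test should assert exactly that (owner, group and mode) so the OpenBSD `_nsd` case is covered once the variables resolve there.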
@@ -88,9 +86,9 @@
       - name: nsd_server
         state: present
         public:
-          path: "{{ nsd_conf_dir_pre }}/nsd_server.pem"
-          owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
-          group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+          path: "{{ nsd_conf_dir }}/nsd_server.pem"
+          owner: "{{ nsd_user }}"
+          group: "{{ nsd_group }}"
           mode: "0644"
           key: |
             -----BEGIN CERTIFICATE-----
@@ -116,9 +114,9 @@
             N49rbR5hkqy9SVm7
             -----END CERTIFICATE-----
         secret:
-          path: "{{ nsd_conf_dir_pre }}/nsd_server.key"
-          owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
-          group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+          path: "{{ nsd_conf_dir }}/nsd_server.key"
+          owner: "{{ nsd_user }}"
+          group: "{{ nsd_group }}"
           mode: "0600"
           key: |
             -----BEGIN RSA PRIVATE KEY-----

trombik commented 7 years ago

not sure why the play with 2.3.1.0 on CentOS is successful, but not on FreeBSD. the RPM has a patch, which just requires jinja2 >= 2.6.

jinja version is py27-Jinja2-2.9.5 on FreeBSD and python-jinja2-2.7.2-2.el7.noarch on CentOS.

the following sources are the same. https://dl.fedoraproject.org/pub/epel/7Server/SRPMS/a/ansible-2.3.1.0-1.el7.src.rpm http://releases.ansible.com/ansible/ansible-2.3.1.0.tar.gz

rpm2cpio ../ansible-2.3.1.0-1.el7.src.rpm | cpio -idmv

trombik commented 7 years ago

35 has been created

trombik commented 7 years ago

35 has been merged but the issue is not resolved. it remains pending until all the platforms support the x509 test suite.

trombik commented 7 years ago

in https://github.com/reallyenglish/ansible-role-uchiwa/pull/11, it is confirmed that the freebsd-10.3-amd64 box works with include_role. the cause of the failure might be specific to the role.

trombik commented 7 years ago

the issue is caused by https://github.com/ansible/ansible/issues/25136.

the fix: https://github.com/ansible/ansible/commit/eeaa67657750005b5ff9c287b1883fc08692814d

trombik commented 7 years ago

a workaround is: