Commit fd30639

Add ownership management for generated TLS certificate and key files in freeipa_server_enrolled_tls role (#310)
Signed-off-by: rsuplina <[email protected]>
1 parent 6b1507d commit fd30639

4 files changed, +44 -0 lines changed


roles/freeipa_server_enrolled_tls/README.md

Lines changed: 15 additions & 0 deletions
@@ -33,6 +33,8 @@ None.
3333
| `enrolled_cert_key_path` | `path` | `False` | `/etc/pki/tls/private/host.key` | The path on the target host to save the generated private key file. |
3434
| `enrolled_cert_csr_path` | `path` | `False` | `/etc/pki/tls/private/host.csr` | The path on the target host to save the generated CSR file. |
3535
| `enrolled_cert_path` | `path` | `False` | `/etc/pki/tls/certs/host.crt` | The path on the target host to save the issued TLS certificate. |
36+
| `enrolled_cert_owner` | `str` | `False` | | Owner (user) for the generated certificate and private key files. |
37+
| `enrolled_cert_group` | `str` | `False` | | Group for the generated certificate and private key files. |
3638

3739
## Example Playbook
3840

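Review bot: the variable names documented in this table, `enrolled_cert_owner` and `enrolled_cert_group`, are not the names the role actually reads; the defaults, argument spec and tasks in this same commit use `enrolled_file_owner` and `enrolled_file_group`. A user who copies the README names gets no ownership change and no error, because the tasks only check whether `enrolled_file_owner` and `enrolled_file_group` are defined. Pick one naming and use it in all four files; since every other variable of this role is `enrolled_cert_*`, renaming the tasks and spec side to `enrolled_cert_owner` / `enrolled_cert_group` looks least surprising. The empty default column would also benefit from a short note that file ownership is left unchanged when these variables are not set.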
@@ -47,6 +49,19 @@ None.
4749
ipaadmin_password: "password"
4850
enrolled_cert_key_path: "/etc/pki/tls/private/gateway.key"
4951
enrolled_cert_path: "/etc/pki/tls/certs/gateway.crt"
52+
53+
- hosts: enrolled_hosts
54+
tasks:
55+
- name: Issue a TLS certificate and private key for PostgreSQL service
56+
ansible.builtin.import_role:
57+
name: freeipa_server_enrolled_tls
58+
vars:
59+
enrolled_hostname: "postgres.example.internal"
60+
ipaladmin_password: "password"
61+
enrolled_cert_key_path: "/etc/pki/tls/private/postgres.key"
62+
enrolled_cert_path: "/etc/pki/tls/certs/postgres.crt"
63+
enrolled_cert_owner: "postgres"
64+
enrolled_cert_group: "postgres"
5065
```
5166
5267
## License
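Review bot: `ipaladmin_password: "password"` in the new PostgreSQL play is a typo for `ipaadmin_password` (compare the gateway example directly above), so the role would not receive the admin password as written. The example also sets `enrolled_cert_owner` / `enrolled_cert_group`, while tasks/main.yml looks for `enrolled_file_owner` / `enrolled_file_group`; whichever name is chosen, the example should use the one the tasks consume, otherwise the ownership step it is meant to demonstrate is silently skipped.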

roles/freeipa_server_enrolled_tls/defaults/main.yml

Lines changed: 2 additions & 0 deletions
@@ -20,3 +20,5 @@ enrolled_principal_type: host
2020
enrolled_cert_key_path: "/etc/pki/tls/private/host.key"
2121
enrolled_cert_csr_path: "/etc/pki/tls/private/host.csr"
2222
enrolled_cert_path: "/etc/pki/tls/certs/host.crt"
23+
# enrolled_file_owner: ""
24+
# enrolled_file_group: ""
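Review bot: leaving these two defaults commented out is what makes the `is defined` guard in tasks/main.yml work, but the suggested value `""` is a trap: anyone who uncomments `enrolled_file_owner: ""` makes the variable defined with an empty string, so the guard passes and `ansible.builtin.file` is called with `owner: ""`, which fails. Either drop the commented lines or replace them with a comment saying the variables must be left undefined (not empty) to skip the ownership step. The names here also differ from the README table, which documents `enrolled_cert_owner` / `enrolled_cert_group`.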

roles/freeipa_server_enrolled_tls/meta/argument_specs.yml

Lines changed: 10 additions & 0 deletions
@@ -52,3 +52,13 @@ argument_specs:
5252
- The type of principal for certificate request (e.g., host, service).
5353
type: str
5454
default: host
55+
enrolled_file_owner:
56+
description:
57+
- Owner (user) for the generated certificate and private key files.
58+
type: str
59+
required: false
60+
enrolled_file_group:
61+
description:
62+
- Group for the generated certificate and private key files.
63+
type: str
64+
required: false
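Review bot: the spec declares `enrolled_file_owner` and `enrolled_file_group` as independently optional, but tasks/main.yml only acts when both are defined, so a play that sets one without the other passes argument validation and is then silently ignored. State the pairing in both descriptions (for example "Must be set together with enrolled_file_group"), or better, have the tasks default the group to the owner so each variable is meaningful on its own. The names also need to agree with the README, which documents `enrolled_cert_owner` / `enrolled_cert_group`.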

roles/freeipa_server_enrolled_tls/tasks/main.yml

Lines changed: 17 additions & 0 deletions
@@ -34,3 +34,20 @@
3434
principal: "{{ enrolled_principal_type }}/{{ enrolled_hostname }}"
3535
certificate_out: "{{ enrolled_cert_path }}"
3636
state: requested
37+
38+
- name: Set file ownership for certificate and key
39+
when: enrolled_file_owner is defined and enrolled_file_group is defined
40+
block:
41+
- name: Set ownership for private key file
42+
ansible.builtin.file:
43+
path: "{{ enrolled_cert_key_path }}"
44+
owner: "{{ enrolled_file_owner }}"
45+
group: "{{ enrolled_file_group }}"
46+
mode: "0400"
47+
48+
- name: Set ownership for certificate file
49+
ansible.builtin.file:
50+
path: "{{ enrolled_cert_path }}"
51+
owner: "{{ enrolled_file_owner }}"
52+
group: "{{ enrolled_file_group }}"
53+
mode: "0644"
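Review bot: `when: enrolled_file_owner is defined and enrolled_file_group is defined` makes the permission hardening depend on an optional feature: `mode: "0400"` on the private key is only applied when ownership is requested, so a caller who leaves owner and group unset keeps whatever mode the requesting task left on the key file. Consider running both `ansible.builtin.file` tasks unconditionally with `owner: "{{ enrolled_file_owner | default(omit) }}"` and `group: "{{ enrolled_file_group | default(omit) }}"`; that removes the `block`/`when`, applies `0400` / `0644` in every run, and stops silently skipping a caller who sets only one of the two variables. The CSR written to `enrolled_cert_csr_path` in the same private directory is not covered here; either include it or note that it is intentionally left as created. The variable names still differ from the README's `enrolled_cert_owner` / `enrolled_cert_group`.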
