standardize TLS connection properties (#54315)

* openstack: standardize tls params

* tower: tower_verify_ssl->validate_certs

* docker: use standard tls config params

- cacert_path -> ca_cert
- cert_path -> client_cert
- key_path -> client_key
- tls_verify -> validate_certs

* k8s: standardize tls connection params

- verify_ssl -> validate_certs
- ssl_ca_cert -> ca_cert
- cert_file -> client_cert
- key_file -> client_key

* ingate: verify_ssl -> validate_certs

* manageiq: standardize tls params

- verify_ssl -> validate_certs
- ca_bundle_path -> ca_cert

* mysql: standardize tls params

- ssl_ca -> ca_cert
- ssl_cert -> client_cert
- ssl_key -> client_key

* nios: ssl_verify -> validate_certs

* postgresql: ssl_rootcert -> ca_cert

* rabbitmq: standardize tls params

- cacert -> ca_cert
- cert -> client_cert
- key -> client_key

* rackspace: verify_ssl -> validate_certs

* vca: verify_certs -> validate_certs

* kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs

* lxd: standardize tls params

- key_file -> client_key
- cert_file -> client_cert

* get_certificate: ca_certs -> ca_cert

* get_certificate.py: clarify one or more certs in a file

Co-Authored-By: jamescassell <code@james.cassell.me>

* zabbix: tls_issuer -> ca_cert

* bigip_device_auth_ldap: standardize tls params

- ssl_check_peer -> validate_certs
- ssl_client_cert -> client_cert
- ssl_client_key -> client_key
- ssl_ca_cert -> ca_cert

* vdirect: vdirect_validate_certs -> validate_certs

* mqtt: standardize tls params

- ca_certs -> ca_cert
- certfile -> client_cert
- keyfile -> client_key

* pulp_repo: standardize tls params

remove `importer_ssl` prefix

* rhn_register: sslcacert -> ca_cert

* yum_repository: standardize tls params

The fix for yum_repository is not straightforward since this module is
only a thin wrapper for the underlying commands and config.  In this
case, we add the new values as aliases, keeping the old as primary,
only due to the internal structure of the module.

Aliases added:
- sslcacert -> ca_cert
- sslclientcert -> client_cert
- sslclientkey -> client_key
- sslverify -> validate_certs

* gitlab_hook: enable_ssl_verification -> hook_validate_certs

* Adjust arguments for docker_swarm inventory plugin.

* foreman callback: standardize tls params

- ssl_cert -> client_cert
- ssl_key -> client_key

* grafana_annotations: validate_grafana_certs -> validate_certs

* nrdp callback: validate_nrdp_certs -> validate_certs

* kubectl connection: standardize tls params

- kubectl_cert_file -> client_cert
- kubectl_key_file -> client_key
- kubectl_ssl_ca_cert -> ca_cert
- kubectl_verify_ssl -> validate_certs

* oc connection: standardize tls params

- oc_cert_file -> client_cert
- oc_key_file -> client_key
- oc_ssl_ca_cert -> ca_cert
- oc_verify_ssl -> validate_certs

* psrp connection: cert_trust_path -> ca_cert

TODO: cert_validation -> validate_certs (multi-valued vs bool)

* k8s inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* openshift inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* tower inventory: verify_ssl -> validate_certs

* hashi_vault lookup: cacert -> ca_cert

* k8s lookup: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* laps_passord lookup: cacert_file -> ca_cert

* changelog for TLS parameter standardization

lib/ansible/module_utils/ansible_tower.py

@@ -70,7 +70,7 @@ def tower_auth_config(module):
         password = module.params.pop('tower_password', None)
         if password:
             auth_config['password'] = password
-        verify_ssl = module.params.pop('tower_verify_ssl', None)
+        verify_ssl = module.params.pop('validate_certs', None)
         if verify_ssl is not None:
             auth_config['verify_ssl'] = verify_ssl
         return auth_config
@@ -92,7 +92,7 @@ class TowerModule(AnsibleModule):
             tower_host=dict(),
             tower_username=dict(),
             tower_password=dict(no_log=True),
-            tower_verify_ssl=dict(type='bool'),
+            validate_certs=dict(type='bool', aliases=['tower_verify_ssl']),
             tower_config_file=dict(type='path'),
         )
         args.update(argument_spec)
@@ -102,7 +102,7 @@ class TowerModule(AnsibleModule):
             ('tower_config_file', 'tower_host'),
             ('tower_config_file', 'tower_username'),
             ('tower_config_file', 'tower_password'),
-            ('tower_config_file', 'tower_verify_ssl'),
+            ('tower_config_file', 'validate_certs'),
         ))
 
         super(TowerModule, self).__init__(argument_spec=args, **kwargs)

lib/ansible/module_utils/docker/common.py

@@ -84,19 +84,19 @@ DOCKER_COMMON_ARGS = dict(
     tls_hostname=dict(type='str', default=DEFAULT_TLS_HOSTNAME, fallback=(env_fallback, ['DOCKER_TLS_HOSTNAME'])),
     api_version=dict(type='str', default='auto', fallback=(env_fallback, ['DOCKER_API_VERSION']), aliases=['docker_api_version']),
     timeout=dict(type='int', default=DEFAULT_TIMEOUT_SECONDS, fallback=(env_fallback, ['DOCKER_TIMEOUT'])),
-    cacert_path=dict(type='path', aliases=['tls_ca_cert']),
-    cert_path=dict(type='path', aliases=['tls_client_cert']),
-    key_path=dict(type='path', aliases=['tls_client_key']),
+    ca_cert=dict(type='path', aliases=['tls_ca_cert', 'cacert_path']),
+    client_cert=dict(type='path', aliases=['tls_client_cert', 'cert_path']),
+    client_key=dict(type='path', aliases=['tls_client_key', 'key_path']),
     ssl_version=dict(type='str', fallback=(env_fallback, ['DOCKER_SSL_VERSION'])),
     tls=dict(type='bool', default=DEFAULT_TLS, fallback=(env_fallback, ['DOCKER_TLS'])),
-    tls_verify=dict(type='bool', default=DEFAULT_TLS_VERIFY, fallback=(env_fallback, ['DOCKER_TLS_VERIFY'])),
+    validate_certs=dict(type='bool', default=DEFAULT_TLS_VERIFY, fallback=(env_fallback, ['DOCKER_TLS_VERIFY']), aliases=['tls_verify']),
     debug=dict(type='bool', default=False)
 )
 
 DOCKER_MUTUALLY_EXCLUSIVE = []
 
 DOCKER_REQUIRED_TOGETHER = [
-    ['cert_path', 'key_path']
+    ['client_cert', 'client_key']
 ]
 
 DEFAULT_DOCKER_REGISTRY = 'https://index.docker.io/v1/'
@@ -406,7 +406,7 @@ class AnsibleDockerClient(Client):
             if use_tls == 'encrypt':
                 params['tls'] = True
             if use_tls == 'verify':
-                params['tls_verify'] = True
+                params['validate_certs'] = True
 
         result = dict(
             docker_host=self._get_value('docker_host', params['docker_host'], 'DOCKER_HOST',
@@ -415,12 +415,12 @@ class AnsibleDockerClient(Client):
                                          'DOCKER_TLS_HOSTNAME', DEFAULT_TLS_HOSTNAME),
             api_version=self._get_value('api_version', params['api_version'], 'DOCKER_API_VERSION',
                                         'auto'),
-            cacert_path=self._get_value('cacert_path', params['cacert_path'], 'DOCKER_CERT_PATH', None),
-            cert_path=self._get_value('cert_path', params['cert_path'], 'DOCKER_CERT_PATH', None),
-            key_path=self._get_value('key_path', params['key_path'], 'DOCKER_CERT_PATH', None),
+            cacert_path=self._get_value('cacert_path', params['ca_cert'], 'DOCKER_CERT_PATH', None),
+            cert_path=self._get_value('cert_path', params['client_cert'], 'DOCKER_CERT_PATH', None),
+            key_path=self._get_value('key_path', params['client_key'], 'DOCKER_CERT_PATH', None),
             ssl_version=self._get_value('ssl_version', params['ssl_version'], 'DOCKER_SSL_VERSION', None),
             tls=self._get_value('tls', params['tls'], 'DOCKER_TLS', DEFAULT_TLS),
-            tls_verify=self._get_value('tls_verfy', params['tls_verify'], 'DOCKER_TLS_VERIFY',
+            tls_verify=self._get_value('tls_verfy', params['validate_certs'], 'DOCKER_TLS_VERIFY',
                                        DEFAULT_TLS_VERIFY),
             timeout=self._get_value('timeout', params['timeout'], 'DOCKER_TIMEOUT',
                                     DEFAULT_TIMEOUT_SECONDS),

lib/ansible/module_utils/k8s/common.py

@@ -106,17 +106,21 @@ AUTH_ARG_SPEC = {
     'password': {
         'no_log': True,
     },
-    'verify_ssl': {
+    'validate_certs': {
         'type': 'bool',
+        'aliases': ['verify_ssl'],
     },
-    'ssl_ca_cert': {
+    'ca_cert': {
         'type': 'path',
+        'aliases': ['ssl_ca_cert'],
     },
-    'cert_file': {
+    'client_cert': {
         'type': 'path',
+        'aliases': ['cert_file'],
     },
-    'key_file': {
+    'client_key': {
         'type': 'path',
+        'aliases': ['key_file'],
     },
 }
 

lib/ansible/module_utils/manageiq.py

@@ -47,8 +47,8 @@ def manageiq_argument_spec():
         username=dict(default=os.environ.get('MIQ_USERNAME', None)),
         password=dict(default=os.environ.get('MIQ_PASSWORD', None), no_log=True),
         token=dict(default=os.environ.get('MIQ_TOKEN', None), no_log=True),
-        verify_ssl=dict(default=True, type='bool'),
-        ca_bundle_path=dict(required=False, default=None),
+        validate_certs=dict(default=True, type='bool', aliases=['verify_ssl']),
+        ca_cert=dict(required=False, default=None, aliases=['ca_bundle_path']),
     )
 
     return dict(
@@ -103,8 +103,8 @@ class ManageIQ(object):
         username = params['username']
         password = params['password']
         token = params['token']
-        verify_ssl = params['verify_ssl']
-        ca_bundle_path = params['ca_bundle_path']
+        verify_ssl = params['validate_certs']
+        ca_bundle_path = params['ca_cert']
 
         self._module = module
         self._api_url = url + '/api'

lib/ansible/module_utils/net_tools/nios/api.py

@@ -67,7 +67,7 @@ NIOS_PROVIDER_SPEC = {
     'host': dict(fallback=(env_fallback, ['INFOBLOX_HOST'])),
     'username': dict(fallback=(env_fallback, ['INFOBLOX_USERNAME'])),
     'password': dict(fallback=(env_fallback, ['INFOBLOX_PASSWORD']), no_log=True),
-    'ssl_verify': dict(type='bool', default=False, fallback=(env_fallback, ['INFOBLOX_SSL_VERIFY'])),
+    'validate_certs': dict(type='bool', default=False, fallback=(env_fallback, ['INFOBLOX_SSL_VERIFY']), aliases=['ssl_verify']),
     'silent_ssl_warnings': dict(type='bool', default=True),
     'http_request_timeout': dict(type='int', default=10, fallback=(env_fallback, ['INFOBLOX_HTTP_REQUEST_TIMEOUT'])),
     'http_pool_connections': dict(type='int', default=10),
@@ -89,7 +89,7 @@ def get_connector(*args, **kwargs):
                         'to be installed.  It can be installed using the '
                         'command `pip install infoblox-client`')
 
-    if not set(kwargs.keys()).issubset(NIOS_PROVIDER_SPEC.keys()):
+    if not set(kwargs.keys()).issubset(list(NIOS_PROVIDER_SPEC.keys()) + ['ssl_verify']):
         raise Exception('invalid or unsupported keyword argument for connector')
     for key, value in iteritems(NIOS_PROVIDER_SPEC):
         if key not in kwargs:
@@ -104,6 +104,10 @@ def get_connector(*args, **kwargs):
             if env in os.environ:
                 kwargs[key] = os.environ.get(env)
 
+    if 'validate_certs' in kwargs.keys():
+        kwargs['ssl_verify'] = kwargs['validate_certs']
+        kwargs.pop('validate_certs', None)
+
     return Connector(kwargs)
 
 

lib/ansible/module_utils/network/ingate/common.py

@@ -23,7 +23,7 @@ def ingate_argument_spec(**kwargs):
         password=dict(type='str', required=True, no_log=True),
         port=dict(type='int'),
         timeout=dict(type='int'),
-        verify_ssl=dict(default=True, type='bool'),
+        validate_certs=dict(default=True, type='bool', aliases=['verify_ssl']),
     )
     argument_spec = dict(
         client=dict(type='dict', required=True,
@@ -56,7 +56,7 @@ def ingate_create_client_noauth(**kwargs):
                                   timeout=client_params['timeout'])
 
     # Check if we should skip SSL Certificate verification.
-    verify_ssl = client_params.get('verify_ssl')
+    verify_ssl = client_params.get('validate_certs')
     if not verify_ssl:
         api_client.skip_verify_certificate()
 

lib/ansible/module_utils/openstack.py

@@ -81,10 +81,10 @@ def openstack_full_argument_spec(**kwargs):
         auth=dict(default=None, type='dict', no_log=True),
         region_name=dict(default=None),
         availability_zone=dict(default=None),
-        verify=dict(default=None, type='bool', aliases=['validate_certs']),
-        cacert=dict(default=None),
-        cert=dict(default=None),
-        key=dict(default=None, no_log=True),
+        validate_certs=dict(default=None, type='bool', aliases=['verify']),
+        ca_cert=dict(default=None, aliases=['cacert']),
+        client_cert=dict(default=None, aliases=['cert']),
+        client_key=dict(default=None, no_log=True, aliases=['key']),
         wait=dict(default=True, type='bool'),
         timeout=dict(default=180, type='int'),
         api_timeout=dict(default=None, type='int'),
@@ -133,8 +133,8 @@ def openstack_cloud_from_module(module, min_version='0.12.0'):
                 " config dict is provided, {param} should be"
                 " excluded.")
             for param in (
-                    'auth', 'region_name', 'verify',
-                    'cacert', 'key', 'api_timeout', 'auth_type'):
+                    'auth', 'region_name', 'validate_certs',
+                    'ca_cert', 'client_key', 'api_timeout', 'auth_type'):
                 if module.params[param] is not None:
                     module.fail_json(msg=fail_message.format(param=param))
             # For 'interface' parameter, fail if we receive a non-default value
@@ -147,9 +147,9 @@ def openstack_cloud_from_module(module, min_version='0.12.0'):
                 auth_type=module.params['auth_type'],
                 auth=module.params['auth'],
                 region_name=module.params['region_name'],
-                verify=module.params['verify'],
-                cacert=module.params['cacert'],
-                key=module.params['key'],
+                verify=module.params['validate_certs'],
+                cacert=module.params['ca_cert'],
+                key=module.params['client_key'],
                 api_timeout=module.params['api_timeout'],
                 interface=module.params['interface'],
             )

lib/ansible/module_utils/postgres.py

@@ -43,7 +43,7 @@ def ensure_libs(sslrootcert=None):
     if not HAS_PSYCOPG2:
         raise LibraryError('psycopg2 is not installed. we need psycopg2.')
     if sslrootcert and psycopg2.__version__ < '2.4.3':
-        raise LibraryError('psycopg2 must be at least 2.4.3 in order to use the ssl_rootcert parameter')
+        raise LibraryError('psycopg2 must be at least 2.4.3 in order to use the ca_cert parameter')
 
     # no problems
     return None
@@ -57,5 +57,5 @@ def postgres_common_argument_spec():
         login_unix_socket=dict(default=''),
         port=dict(type='int', default=5432),
         ssl_mode=dict(default='prefer', choices=['disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
-        ssl_rootcert=dict(),
+        ca_cert=dict(aliases=['ssl_rootcert']),
     )

lib/ansible/module_utils/rabbitmq.py

@@ -32,9 +32,9 @@ def rabbitmq_argument_spec():
         login_host=dict(type='str', default='localhost'),
         login_port=dict(type='str', default='15672'),
         login_protocol=dict(type='str', default='http', choices=['http', 'https']),
-        cacert=dict(type='path'),
-        cert=dict(type='path'),
-        key=dict(type='path'),
+        ca_cert=dict(type='path', aliases=['cacert']),
+        client_cert=dict(type='path', aliases=['cert']),
+        client_key=dict(type='path', aliases=['key']),
         vhost=dict(type='str', default='/'),
     )
 

lib/ansible/module_utils/rax.py

@@ -251,7 +251,7 @@ def rax_argument_spec():
         tenant_id=dict(type='str'),
         tenant_name=dict(type='str'),
         username=dict(type='str'),
-        verify_ssl=dict(type='bool'),
+        validate_certs=dict(type='bool', aliases=['verify_ssl']),
     )
 
 
@@ -275,7 +275,7 @@ def setup_rax_module(module, rax_module, region_required=True):
     tenant_id = module.params.get('tenant_id')
     tenant_name = module.params.get('tenant_name')
     username = module.params.get('username')
-    verify_ssl = module.params.get('verify_ssl')
+    verify_ssl = module.params.get('validate_certs')
 
     if env is not None:
         rax_module.set_environment(env)

lib/ansible/module_utils/vca.py

@@ -53,7 +53,7 @@ def vca_argument_spec():
         service_type=dict(default=DEFAULT_SERVICE_TYPE, choices=SERVICE_MAP.keys()),
         vdc_name=dict(),
         gateway_name=dict(default='gateway'),
-        verify_certs=dict(type='bool', default=True)
+        validate_certs=dict(type='bool', default=True, aliases=['verify_certs'])
     )
 
 
@@ -130,7 +130,7 @@ class VcaAnsibleModule(AnsibleModule):
         if service_type == 'vchs':
             version = '5.6'
 
-        verify = self.params.get('verify_certs')
+        verify = self.params.get('validate_certs')
 
         return VCA(host=host, username=username,
                    service_type=SERVICE_MAP[service_type],
@@ -293,7 +293,7 @@ def vca_login(module):
     vdc_name = module.params.get('vdc_name')
     service = module.params.get('service_id')
     version = module.params.get('api_version')
-    verify = module.params.get('verify_certs')
+    verify = module.params.get('validate_certs')
 
     _validate_module(module)