mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-07-15 17:40:50 -07:00
standardize TLS connection properties (#54315)
* openstack: standardize tls params * tower: tower_verify_ssl->validate_certs * docker: use standard tls config params - cacert_path -> ca_cert - cert_path -> client_cert - key_path -> client_key - tls_verify -> validate_certs * k8s: standardize tls connection params - verify_ssl -> validate_certs - ssl_ca_cert -> ca_cert - cert_file -> client_cert - key_file -> client_key * ingate: verify_ssl -> validate_certs * manageiq: standardize tls params - verify_ssl -> validate_certs - ca_bundle_path -> ca_cert * mysql: standardize tls params - ssl_ca -> ca_cert - ssl_cert -> client_cert - ssl_key -> client_key * nios: ssl_verify -> validate_certs * postgresql: ssl_rootcert -> ca_cert * rabbitmq: standardize tls params - cacert -> ca_cert - cert -> client_cert - key -> client_key * rackspace: verify_ssl -> validate_certs * vca: verify_certs -> validate_certs * kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs * lxd: standardize tls params - key_file -> client_key - cert_file -> client_cert * get_certificate: ca_certs -> ca_cert * get_certificate.py: clarify one or more certs in a file Co-Authored-By: jamescassell <code@james.cassell.me> * zabbix: tls_issuer -> ca_cert * bigip_device_auth_ldap: standardize tls params - ssl_check_peer -> validate_certs - ssl_client_cert -> client_cert - ssl_client_key -> client_key - ssl_ca_cert -> ca_cert * vdirect: vdirect_validate_certs -> validate_certs * mqtt: standardize tls params - ca_certs -> ca_cert - certfile -> client_cert - keyfile -> client_key * pulp_repo: standardize tls params remove `importer_ssl` prefix * rhn_register: sslcacert -> ca_cert * yum_repository: standardize tls params The fix for yum_repository is not straightforward since this module is only a thin wrapper for the underlying commands and config. In this case, we add the new values as aliases, keeping the old as primary, only due to the internal structure of the module. Aliases added: - sslcacert -> ca_cert - sslclientcert -> client_cert - sslclientkey -> client_key - sslverify -> validate_certs * gitlab_hook: enable_ssl_verification -> hook_validate_certs * Adjust arguments for docker_swarm inventory plugin. * foreman callback: standardize tls params - ssl_cert -> client_cert - ssl_key -> client_key * grafana_annotations: validate_grafana_certs -> validate_certs * nrdp callback: validate_nrdp_certs -> validate_certs * kubectl connection: standardize tls params - kubectl_cert_file -> client_cert - kubectl_key_file -> client_key - kubectl_ssl_ca_cert -> ca_cert - kubectl_verify_ssl -> validate_certs * oc connection: standardize tls params - oc_cert_file -> client_cert - oc_key_file -> client_key - oc_ssl_ca_cert -> ca_cert - oc_verify_ssl -> validate_certs * psrp connection: cert_trust_path -> ca_cert TODO: cert_validation -> validate_certs (multi-valued vs bool) * k8s inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * openshift inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * tower inventory: verify_ssl -> validate_certs * hashi_vault lookup: cacert -> ca_cert * k8s lookup: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * laps_passord lookup: cacert_file -> ca_cert * changelog for TLS parameter standardization
This commit is contained in:
James Cassell
Adam Miller
parent
85d836171b
commit
bc4ef99533
90 changed files with 556 additions and 411 deletions
|
|
@ -87,26 +87,30 @@ options:
|
|||
- "yes"
|
||||
- "no"
|
||||
- start-tls
|
||||
ssl_ca_cert:
|
||||
ca_cert:
|
||||
description:
|
||||
- Specifies the name of an SSL certificate from a certificate authority (CA).
|
||||
- To remove this value, use the reserved value C(none).
|
||||
type: str
|
||||
ssl_client_key:
|
||||
aliases: [ ssl_ca_cert ]
|
||||
client_key:
|
||||
description:
|
||||
- Specifies the name of an SSL client key.
|
||||
- To remove this value, use the reserved value C(none).
|
||||
type: str
|
||||
ssl_client_cert:
|
||||
aliases: [ ssl_client_key ]
|
||||
client_cert:
|
||||
description:
|
||||
- Specifies the name of an SSL client certificate.
|
||||
- To remove this value, use the reserved value C(none).
|
||||
type: str
|
||||
ssl_check_peer:
|
||||
aliases: [ ssl_client_cert ]
|
||||
validate_certs:
|
||||
description:
|
||||
- Specifies whether the system checks an SSL peer, as a result of which the
|
||||
system requires and verifies the server certificate.
|
||||
type: bool
|
||||
aliases: [ ssl_check_peer ]
|
||||
login_ldap_attr:
|
||||
description:
|
||||
- Specifies the LDAP directory attribute containing the local user name that is
|
||||
|
|
@ -196,22 +200,22 @@ ssl:
|
|||
returned: changed
|
||||
type: str
|
||||
sample: start-tls
|
||||
ssl_ca_cert:
|
||||
ca_cert:
|
||||
description: The name of an SSL certificate from a certificate authority.
|
||||
returned: changed
|
||||
type: str
|
||||
sample: My-Trusted-CA-Bundle.crt
|
||||
ssl_client_key:
|
||||
client_key:
|
||||
description: The name of an SSL client key.
|
||||
returned: changed
|
||||
type: str
|
||||
sample: MyKey.key
|
||||
ssl_client_cert:
|
||||
client_cert:
|
||||
description: The name of an SSL client certificate.
|
||||
returned: changed
|
||||
type: str
|
||||
sample: MyCert.crt
|
||||
ssl_check_peer:
|
||||
validate_certs:
|
||||
description: Indicates if the system checks an SSL peer.
|
||||
returned: changed
|
||||
type: bool
|
||||
|
|
@ -257,10 +261,10 @@ class Parameters(AnsibleF5Parameters):
|
|||
'userTemplate': 'user_template',
|
||||
'fallback': 'fallback_to_local',
|
||||
'loginAttribute': 'login_ldap_attr',
|
||||
'sslCheckPeer': 'ssl_check_peer',
|
||||
'sslClientCert': 'ssl_client_cert',
|
||||
'sslClientKey': 'ssl_client_key',
|
||||
'sslCaCertFile': 'ssl_ca_cert',
|
||||
'sslCheckPeer': 'validate_certs',
|
||||
'sslClientCert': 'client_cert',
|
||||
'sslClientKey': 'client_key',
|
||||
'sslCaCertFile': 'ca_cert',
|
||||
'checkRolesGroup': 'check_member_attr',
|
||||
'searchBaseDn': 'remote_directory_tree',
|
||||
}
|
||||
|
|
@ -293,10 +297,10 @@ class Parameters(AnsibleF5Parameters):
|
|||
'scope',
|
||||
'servers',
|
||||
'ssl',
|
||||
'ssl_ca_cert',
|
||||
'ssl_check_peer',
|
||||
'ssl_client_cert',
|
||||
'ssl_client_key',
|
||||
'ca_cert',
|
||||
'validate_certs',
|
||||
'client_cert',
|
||||
'client_key',
|
||||
'user_template',
|
||||
]
|
||||
|
||||
|
|
@ -803,10 +807,10 @@ class ArgumentSpec(object):
|
|||
ssl=dict(
|
||||
choices=['yes', 'no', 'start-tls']
|
||||
),
|
||||
ssl_ca_cert=dict(),
|
||||
ssl_client_key=dict(),
|
||||
ssl_client_cert=dict(),
|
||||
ssl_check_peer=dict(type='bool'),
|
||||
ca_cert=dict(aliases=['ssl_ca_cert']),
|
||||
client_key=dict(aliases=['ssl_client_key']),
|
||||
client_cert=dict(aliases=['ssl_client_cert']),
|
||||
validate_certs=dict(type='bool', aliases=['ssl_check_peer']),
|
||||
login_ldap_attr=dict(),
|
||||
fallback_to_local=dict(type='bool'),
|
||||
update_password=dict(
|
||||
|
|
|
|||
|
|
@ -82,13 +82,14 @@ options:
|
|||
- may be set as C(VDIRECT_HTTPS) or C(VDIRECT_USE_SSL) environment variable.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
vdirect_validate_certs:
|
||||
validate_certs:
|
||||
description:
|
||||
- If C(no), SSL certificates will not be validated,
|
||||
- may be set as C(VDIRECT_VALIDATE_CERTS) or C(VDIRECT_VERIFY) environment variable.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
aliases: [ vdirect_validate_certs ]
|
||||
devices:
|
||||
description:
|
||||
- List of Radware Alteon device names for commit operations.
|
||||
|
|
@ -172,9 +173,9 @@ meta_args = dict(
|
|||
vdirect_timeout=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_TIMEOUT']),
|
||||
default=60, type='int'),
|
||||
vdirect_validate_certs=dict(
|
||||
validate_certs=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_VERIFY', 'VDIRECT_VALIDATE_CERTS']),
|
||||
default=True, type='bool'),
|
||||
default=True, type='bool', aliases=['vdirect_validate_certs']),
|
||||
vdirect_https_port=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_HTTPS_PORT']),
|
||||
default=2189, type='int'),
|
||||
|
|
@ -219,7 +220,7 @@ class VdirectCommit(object):
|
|||
http_port=params['vdirect_http_port'],
|
||||
timeout=params['vdirect_timeout'],
|
||||
https=params['vdirect_use_ssl'],
|
||||
verify=params['vdirect_validate_certs'])
|
||||
verify=params['validate_certs'])
|
||||
self.devices = params['devices']
|
||||
self.apply = params['apply']
|
||||
self.save = params['save']
|
||||
|
|
|
|||
|
|
@ -76,13 +76,14 @@ options:
|
|||
- may be set as VDIRECT_HTTPS or VDIRECT_USE_SSL environment variable.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
vdirect_validate_certs:
|
||||
validate_certs:
|
||||
description:
|
||||
- If C(no), SSL certificates will not be validated,
|
||||
- may be set as VDIRECT_VALIDATE_CERTS or VDIRECT_VERIFY environment variable.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
aliases: [ vdirect_validate_certs ]
|
||||
file_name:
|
||||
description:
|
||||
- vDirect runnable file name to be uploaded.
|
||||
|
|
@ -148,9 +149,9 @@ meta_args = dict(
|
|||
vdirect_timeout=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_TIMEOUT']),
|
||||
default=60, type='int'),
|
||||
vdirect_validate_certs=dict(
|
||||
validate_certs=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_VERIFY', 'VDIRECT_VALIDATE_CERTS']),
|
||||
default=True, type='bool'),
|
||||
default=True, type='bool', aliases=['vdirect_validate_certs']),
|
||||
vdirect_https_port=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_HTTPS_PORT']),
|
||||
default=2189, type='int'),
|
||||
|
|
@ -187,7 +188,7 @@ class VdirectFile(object):
|
|||
http_port=params['vdirect_http_port'],
|
||||
timeout=params['vdirect_timeout'],
|
||||
https=params['vdirect_use_ssl'],
|
||||
verify=params['vdirect_validate_certs'])
|
||||
verify=params['validate_certs'])
|
||||
|
||||
def upload(self, fqn):
|
||||
if fqn.endswith(TEMPLATE_EXTENSION):
|
||||
|
|
|
|||
|
|
@ -76,13 +76,14 @@ options:
|
|||
- may be set as C(VDIRECT_HTTPS) or C(VDIRECT_USE_SSL) environment variable.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
vdirect_validate_certs:
|
||||
validate_certs:
|
||||
description:
|
||||
- If C(no), SSL certificates will not be validated,
|
||||
- may be set as C(VDIRECT_VALIDATE_CERTS) or C(VDIRECT_VERIFY) environment variable.
|
||||
- This should only set to C(no) used on personally controlled sites using self-signed certificates.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
aliases: [ vdirect_validate_certs ]
|
||||
runnable_type:
|
||||
description:
|
||||
- vDirect runnable type.
|
||||
|
|
@ -160,9 +161,9 @@ meta_args = dict(
|
|||
vdirect_timeout=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_TIMEOUT']),
|
||||
default=60, type='int'),
|
||||
vdirect_validate_certs=dict(
|
||||
validate_certs=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_VERIFY', 'VDIRECT_VALIDATE_CERTS']),
|
||||
default=True, type='bool'),
|
||||
default=True, type='bool', aliases=['vdirect_validate_certs']),
|
||||
vdirect_https_port=dict(
|
||||
required=False, fallback=(env_fallback, ['VDIRECT_HTTPS_PORT']),
|
||||
default=2189, type='int'),
|
||||
|
|
@ -222,7 +223,7 @@ class VdirectRunnable(object):
|
|||
http_port=params['vdirect_http_port'],
|
||||
timeout=params['vdirect_timeout'],
|
||||
https=params['vdirect_use_ssl'],
|
||||
verify=params['vdirect_validate_certs'])
|
||||
verify=params['validate_certs'])
|
||||
self.params = params
|
||||
self.type = self.params['runnable_type']
|
||||
self.name = self.params['runnable_name']
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue