ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-28 21:31:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

standardize TLS connection properties (#54315)

Browse source 
* openstack: standardize tls params

* tower: tower_verify_ssl->validate_certs

* docker: use standard tls config params

- cacert_path -> ca_cert
- cert_path -> client_cert
- key_path -> client_key
- tls_verify -> validate_certs

* k8s: standardize tls connection params

- verify_ssl -> validate_certs
- ssl_ca_cert -> ca_cert
- cert_file -> client_cert
- key_file -> client_key

* ingate: verify_ssl -> validate_certs

* manageiq: standardize tls params

- verify_ssl -> validate_certs
- ca_bundle_path -> ca_cert

* mysql: standardize tls params

- ssl_ca -> ca_cert
- ssl_cert -> client_cert
- ssl_key -> client_key

* nios: ssl_verify -> validate_certs

* postgresql: ssl_rootcert -> ca_cert

* rabbitmq: standardize tls params

- cacert -> ca_cert
- cert -> client_cert
- key -> client_key

* rackspace: verify_ssl -> validate_certs

* vca: verify_certs -> validate_certs

* kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs

* lxd: standardize tls params

- key_file -> client_key
- cert_file -> client_cert

* get_certificate: ca_certs -> ca_cert

* get_certificate.py: clarify one or more certs in a file

Co-Authored-By: jamescassell <code@james.cassell.me>

* zabbix: tls_issuer -> ca_cert

* bigip_device_auth_ldap: standardize tls params

- ssl_check_peer -> validate_certs
- ssl_client_cert -> client_cert
- ssl_client_key -> client_key
- ssl_ca_cert -> ca_cert

* vdirect: vdirect_validate_certs -> validate_certs

* mqtt: standardize tls params

- ca_certs -> ca_cert
- certfile -> client_cert
- keyfile -> client_key

* pulp_repo: standardize tls params

remove `importer_ssl` prefix

* rhn_register: sslcacert -> ca_cert

* yum_repository: standardize tls params

The fix for yum_repository is not straightforward since this module is
only a thin wrapper for the underlying commands and config.  In this
case, we add the new values as aliases, keeping the old as primary,
only due to the internal structure of the module.

Aliases added:
- sslcacert -> ca_cert
- sslclientcert -> client_cert
- sslclientkey -> client_key
- sslverify -> validate_certs

* gitlab_hook: enable_ssl_verification -> hook_validate_certs

* Adjust arguments for docker_swarm inventory plugin.

* foreman callback: standardize tls params

- ssl_cert -> client_cert
- ssl_key -> client_key

* grafana_annotations: validate_grafana_certs -> validate_certs

* nrdp callback: validate_nrdp_certs -> validate_certs

* kubectl connection: standardize tls params

- kubectl_cert_file -> client_cert
- kubectl_key_file -> client_key
- kubectl_ssl_ca_cert -> ca_cert
- kubectl_verify_ssl -> validate_certs

* oc connection: standardize tls params

- oc_cert_file -> client_cert
- oc_key_file -> client_key
- oc_ssl_ca_cert -> ca_cert
- oc_verify_ssl -> validate_certs

* psrp connection: cert_trust_path -> ca_cert

TODO: cert_validation -> validate_certs (multi-valued vs bool)

* k8s inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* openshift inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* tower inventory: verify_ssl -> validate_certs

* hashi_vault lookup: cacert -> ca_cert

* k8s lookup: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* laps_passord lookup: cacert_file -> ca_cert

* changelog for TLS parameter standardization
This commit is contained in:
James Cassell 2019-03-28 01:19:28 -04:00 committed by Adam Miller
parent 85d836171b
commit bc4ef99533
90 changed files with 556 additions and 411 deletions
Download patch file Download diff file Expand all files Collapse all files

12
lib/ansible/plugins/callback/foreman.py
View file

@ -29,7 +29,7 @@ DOCUMENTATION = '''
ini:
- section: callback_foreman
key: url
ssl_cert:
client_cert:
description: X509 certificate to authenticate to Foreman if https is used
env:
- name: FOREMAN_SSL_CERT
@ -37,7 +37,10 @@ DOCUMENTATION = '''
ini:
- section: callback_foreman
key: ssl_cert
ssl_key:
- section: callback_foreman
key: client_cert
aliases: [ ssl_cert ]
client_key:
description: the corresponding private key
env:
- name: FOREMAN_SSL_KEY
@ -45,6 +48,9 @@ DOCUMENTATION = '''
ini:
- section: callback_foreman
key: ssl_key
- section: callback_foreman
key: client_key
aliases: [ ssl_key ]
verify_certs:
description:
- Toggle to decide whether to verify the Foreman certificate.
@ -96,7 +102,7 @@ class CallbackModule(CallbackBase):
super(CallbackModule, self).set_options(task_keys=task_keys, var_options=var_options, direct=direct)
self.FOREMAN_URL = self.get_option('url')
self.FOREMAN_SSL_CERT = (self.get_option('ssl_cert'), self.get_option('ssl_key'))
self.FOREMAN_SSL_CERT = (self.get_option('client_cert'), self.get_option('client_key'))
self.FOREMAN_SSL_VERIFY = str(self.get_option('verify_certs'))
self.ssl_verify = self._ssl_verify()

7
lib/ansible/plugins/callback/grafana_annotations.py
View file

@ -48,15 +48,18 @@ DOCUMENTATION = """
ini:
- section: callback_grafana_annotations
key: grafana_url
validate_grafana_certs:
validate_certs:
description: validate the SSL certificate of the Grafana server. (For HTTPS url)
env:
- name: GRAFANA_VALIDATE_CERT
ini:
- section: callback_grafana_annotations
key: validate_grafana_certs
- section: callback_grafana_annotations
key: validate_certs
default: True
type: bool
aliases: [ validate_grafana_certs ]
http_agent:
description: The HTTP 'User-agent' value to set in HTTP requets.
env:
@ -173,7 +176,7 @@ class CallbackModule(CallbackBase):
self.grafana_api_key = self.get_option('grafana_api_key')
self.grafana_url = self.get_option('grafana_url')
self.validate_grafana_certs = self.get_option('validate_grafana_certs')
self.validate_grafana_certs = self.get_option('validate_certs')
self.http_agent = self.get_option('http_agent')
self.grafana_user = self.get_option('grafana_user')
self.grafana_password = self.get_option('grafana_password')

7
lib/ansible/plugins/callback/nrdp.py
View file

@ -25,14 +25,17 @@ DOCUMENTATION = '''
ini:
- section: callback_nrdp
key: url
validate_nrdp_certs:
validate_certs:
description: (bool) validate the SSL certificate of the nrdp server. (For HTTPS url)
env:
- name: NRDP_VALIDATE_CERTS
ini:
- section: callback_nrdp
key: validate_nrdp_certs
- section: callback_nrdp
key: validate_certs
default: False
aliases: [ validate_nrdp_certs ]
token:
description: token to be allowed to push nrdp events
required: True
@ -99,7 +102,7 @@ class CallbackModule(CallbackBase):
self.token = self.get_option('token')
self.hostname = self.get_option('hostname')
self.servicename = self.get_option('servicename')
self.validate_nrdp_certs = self.get_option('validate_nrdp_certs')
self.validate_nrdp_certs = self.get_option('validate_certs')
if (self.url or self.token or self.hostname or
self.servicename) is None:

24
lib/ansible/plugins/connection/kubectl.py
View file

@ -123,38 +123,46 @@ DOCUMENTATION = """
env:
- name: K8S_AUTH_TOKEN
- name: K8S_AUTH_API_KEY
kubectl_cert_file:
client_cert:
description:
- Path to a certificate used to authenticate with the API.
default: ''
vars:
- name: ansible_kubectl_cert_file
- name: ansible_kubectl_client_cert
env:
- name: K8S_AUTH_CERT_FILE
kubectl_key_file:
aliases: [ kubectl_cert_file ]
client_key:
description:
- Path to a key file used to authenticate with the API.
default: ''
vars:
- name: ansible_kubectl_key_file
- name: ansible_kubectl_client_key
env:
- name: K8S_AUTH_KEY_FILE
kubectl_ssl_ca_cert:
aliases: [ kubectl_key_file ]
ca_cert:
description:
- Path to a CA certificate used to authenticate with the API.
default: ''
vars:
- name: ansible_kubectl_ssl_ca_cert
- name: ansible_kubectl_ca_cert
env:
- name: K8S_AUTH_SSL_CA_CERT
kubectl_verify_ssl:
aliases: [ kubectl_ssl_ca_cert ]
validate_certs:
description:
- Whether or not to verify the API server's SSL certificate. Defaults to I(true).
default: ''
vars:
- name: ansible_kubectl_verify_ssl
- name: ansible_kubectl_validate_certs
env:
- name: K8S_AUTH_VERIFY_SSL
aliases: [ kubectl_verify_ssl ]
"""
import distutils.spawn
@ -183,10 +191,10 @@ CONNECTION_OPTIONS = {
'kubectl_host': '--server',
'kubectl_username': '--username',
'kubectl_password': '--password',
'kubectl_cert_file': '--client-certificate',
'kubectl_key_file': '--client-key',
'kubectl_ssl_ca_cert': '--certificate-authority',
'kubectl_verify_ssl': '--insecure-skip-tls-verify',
'client_cert': '--client-certificate',
'client_key': '--client-key',
'ca_cert': '--certificate-authority',
'validate_certs': '--insecure-skip-tls-verify',
'kubectl_token': '--token'
}

24
lib/ansible/plugins/connection/oc.py
View file

@ -106,38 +106,46 @@ DOCUMENTATION = """
env:
- name: K8S_AUTH_TOKEN
- name: K8S_AUTH_API_KEY
oc_cert_file:
client_cert:
description:
- Path to a certificate used to authenticate with the API.
default: ''
vars:
- name: ansible_oc_cert_file
- name: ansible_oc_client_cert
env:
- name: K8S_AUTH_CERT_FILE
oc_key_file:
aliases: [ oc_cert_file ]
client_key:
description:
- Path to a key file used to authenticate with the API.
default: ''
vars:
- name: ansible_oc_key_file
- name: ansible_oc_client_key
env:
- name: K8S_AUTH_KEY_FILE
oc_ssl_ca_cert:
aliases: [ oc_key_file ]
ca_cert:
description:
- Path to a CA certificate used to authenticate with the API.
default: ''
vars:
- name: ansible_oc_ssl_ca_cert
- name: ansible_oc_ca_cert
env:
- name: K8S_AUTH_SSL_CA_CERT
oc_verify_ssl:
aliases: [ oc_ssl_ca_cert ]
validate_certs:
description:
- Whether or not to verify the API server's SSL certificate. Defaults to I(true).
default: ''
vars:
- name: ansible_oc_verify_ssl
- name: ansible_oc_validate_certs
env:
- name: K8S_AUTH_VERIFY_SSL
aliases: [ oc_verify_ssl ]
"""
from ansible.plugins.connection.kubectl import Connection as KubectlConnection
@ -151,10 +159,10 @@ CONNECTION_OPTIONS = {
'oc_kubeconfig': '--config',
'oc_context': '--context',
'oc_host': '--server',
'oc_cert_file': '--client-certificate',
'oc_key_file': '--client-key',
'oc_ssl_ca_cert': '--certificate-authority',
'oc_verify_ssl': '--insecure-skip-tls-verify',
'client_cert': '--client-certificate',
'client_key': '--client-key',
'ca_cert': '--certificate-authority',
'validate_certs': '--insecure-skip-tls-verify',
'oc_token': '--token'
}

8
lib/ansible/plugins/connection/psrp.py
View file

@ -72,7 +72,7 @@ options:
description:
- Whether to validate the remote server's certificate or not.
- Set to C(ignore) to not validate any certificates.
- I(cert_trust_path) can be set to the path of a PEM certificate chain to
- I(ca_cert) can be set to the path of a PEM certificate chain to
use in the validation.
choices:
- validate
@ -80,13 +80,15 @@ options:
default: validate
vars:
- name: ansible_psrp_cert_validation
cert_trust_path:
ca_cert:
description:
- The path to a PEM certificate chain to use when validating the server's
certificate.
- This value is ignored if I(cert_validation) is set to C(ignore).
vars:
- name: ansible_psrp_cert_trust_path
- name: ansible_psrp_ca_cert
aliases: [ cert_trust_path ]
connection_timeout:
description:
- The connection timeout for making the request to the remote host.
@ -516,7 +518,7 @@ if ($bytes_read -gt 0) {
self._psrp_auth = self.get_option('auth')
# cert validation can either be a bool or a path to the cert
cert_validation = self.get_option('cert_validation')
cert_trust_path = self.get_option('cert_trust_path')
cert_trust_path = self.get_option('ca_cert')
if cert_validation == 'ignore':
self._psrp_cert_validation = False
elif cert_trust_path is not None:

15
lib/ansible/plugins/doc_fragments/docker.py
View file

@ -42,27 +42,27 @@ options:
instead. If the environment variable is not set, the default value will be used.
type: int
default: 60
cacert_path:
ca_cert:
description:
- Use a CA certificate when performing server verification by providing the path to a CA certificate file.
- If the value is not specified in the task and the environment variable C(DOCKER_CERT_PATH) is set,
the file C(ca.pem) from the directory specified in the environment variable C(DOCKER_CERT_PATH) will be used.
type: path
aliases: [ tls_ca_cert ]
cert_path:
aliases: [ tls_ca_cert, cacert_path ]
client_cert:
description:
- Path to the client's TLS certificate file.
- If the value is not specified in the task and the environment variable C(DOCKER_CERT_PATH) is set,
the file C(cert.pem) from the directory specified in the environment variable C(DOCKER_CERT_PATH) will be used.
type: path
aliases: [ tls_client_cert ]
key_path:
aliases: [ tls_client_cert, cert_path ]
client_key:
description:
- Path to the client's TLS key file.
- If the value is not specified in the task and the environment variable C(DOCKER_CERT_PATH) is set,
the file C(key.pem) from the directory specified in the environment variable C(DOCKER_CERT_PATH) will be used.
type: path
aliases: [ tls_client_key ]
aliases: [ tls_client_key, key_path ]
ssl_version:
description:
- Provide a valid SSL version number. Default value determined by ssl.py module.
@ -77,13 +77,14 @@ options:
instead. If the environment variable is not set, the default value will be used.
type: bool
default: no
tls_verify:
validate_certs:
description:
- Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.
- If the value is not specified in the task, the value of environment variable C(DOCKER_TLS_VERIFY) will be
used instead. If the environment variable is not set, the default value will be used.
type: bool
default: no
aliases: [ tls_verify ]
debug:
description:
- Debug mode

3
lib/ansible/plugins/doc_fragments/ingate.py
View file

@ -46,11 +46,12 @@ options:
description:
- The timeout (in seconds) for REST API requests.
type: int
verify_ssl:
validate_certs:
description:
- Verify the unit's HTTPS certificate.
type: bool
default: yes
aliases: [ verify_ssl ]
notes:
- This module requires that the Ingate Python SDK is installed on the
host. To install the SDK use the pip command from your shell

16
lib/ansible/plugins/doc_fragments/k8s_auth_options.py
View file

@ -43,31 +43,35 @@ options:
variable.
- Please read the description of the C(username) option for a discussion of when this option is applicable.
type: str
cert_file:
client_cert:
description:
- Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment
variable.
type: path
key_file:
aliases: [ cert_file ]
client_key:
description:
- Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment
variable.
type: path
ssl_ca_cert:
aliases: [ key_file ]
ca_cert:
description:
- Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to
avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
type: path
verify_ssl:
aliases: [ ssl_ca_cert ]
validate_certs:
description:
- Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL
environment variable.
type: bool
aliases: [ verify_ssl ]
notes:
- "The OpenShift Python client wraps the K8s Python client, providing full access to
all of the APIS and models available on both platforms. For API version details and
additional information visit https://github.com/openshift/openshift-restclient-python"
- "To avoid SSL certificate validation errors when C(verify_ssl) is I(True), the full
certificate chain for the API server must be provided via C(ssl_ca_cert) or in the
- "To avoid SSL certificate validation errors when C(validate_certs) is I(True), the full
certificate chain for the API server must be provided via C(ca_cert) or in the
kubeconfig file."
'''

6
lib/ansible/plugins/doc_fragments/manageiq.py
View file

@ -32,15 +32,17 @@ options:
description:
- ManageIQ token. C(MIQ_TOKEN) env var if set. otherwise, required if no username or password is passed in.
type: str
verify_ssl:
validate_certs:
description:
- Whether SSL certificates should be verified for HTTPS requests. defaults to True.
type: bool
default: yes
ca_bundle_path:
aliases: [ verify_ssl ]
ca_cert:
description:
- The path to a CA bundle file or directory with certificates. defaults to None.
type: path
aliases: [ ca_bundle_path ]
requirements:
- 'manageiq-client U(https://github.com/ManageIQ/manageiq-api-client-python/)'

9
lib/ansible/plugins/doc_fragments/mysql.py
View file

@ -43,22 +43,25 @@ options:
type: path
default: '~/.my.cnf'
version_added: "2.0"
ssl_ca:
ca_cert:
description:
- The path to a Certificate Authority (CA) certificate. This option, if used, must specify the same certificate
as used by the server.
type: path
version_added: "2.0"
ssl_cert:
aliases: [ ssl_ca ]
client_cert:
description:
- The path to a client public key certificate.
type: path
version_added: "2.0"
ssl_key:
aliases: [ ssl_cert ]
client_key:
description:
- The path to the client private key.
type: path
version_added: "2.0"
aliases: [ ssl_key ]
requirements:
- PyMySQL (Python 2.7 and Python 3.X), or
- MySQLdb (Python 2.x)

3
lib/ansible/plugins/doc_fragments/nios.py
View file

@ -36,13 +36,14 @@ options:
- Value can also be specified using C(INFOBLOX_PASSWORD) environment
variable.
type: str
ssl_verify:
validate_certs:
description:
- Boolean value to enable or disable verifying SSL certificates
- Value can also be specified using C(INFOBLOX_SSL_VERIFY) environment
variable.
type: bool
default: no
aliases: [ ssl_verify ]
http_request_timeout:
description:
- The amount of time before to wait before receiving a response

13
lib/ansible/plugins/doc_fragments/openstack.py
View file

@ -54,26 +54,29 @@ options:
- How long should the socket layer wait before timing out for API calls.
If this is omitted, nothing will be passed to the requests library.
type: int
verify:
validate_certs:
description:
- Whether or not SSL API requests should be verified.
- Before Ansible 2.3 this defaulted to C(yes).
type: bool
default: no
aliases: [ validate_certs ]
cacert:
aliases: [ verify ]
ca_cert:
description:
- A path to a CA Cert bundle that can be used as part of verifying
SSL API requests.
type: str
cert:
aliases: [ cacert ]
client_cert:
description:
- A path to a client certificate to use as part of the SSL transaction.
type: str
key:
aliases: [ cert ]
client_key:
description:
- A path to a client key to use as part of the SSL transaction.
type: str
aliases: [ key ]
interface:
description:
- Endpoint URL type to fetch from the service catalog.

5
lib/ansible/plugins/doc_fragments/postgres.py
View file

@ -38,18 +38,19 @@ options:
default: prefer
choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
version_added: '2.3'
ssl_rootcert:
ca_cert:
description:
- Specifies the name of a file containing SSL certificate authority (CA) certificate(s).
- If the file exists, the server's certificate will be verified to be signed by one of these authorities.
type: str
version_added: '2.3'
aliases: [ ssl_rootcert ]
notes:
- The default authentication assumes that you are either logging in as or sudo'ing to the C(postgres) account on the host.
- This module uses I(psycopg2), a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on
the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then
PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the C(postgresql), C(libpq-dev),
and C(python-psycopg2) packages on the remote host before using this module.
- The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
- The ca_cert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
requirements: [ psycopg2 ]
'''

9
lib/ansible/plugins/doc_fragments/rabbitmq.py
View file

@ -34,21 +34,24 @@ options:
choices: [ http , https ]
default: http
version_added: "2.3"
cacert:
ca_cert:
description:
- CA certificate to verify SSL connection to management API.
type: path
version_added: "2.3"
cert:
aliases: [ cacert ]
client_cert:
description:
- Client certificate to send on SSL connections to management API.
type: path
version_added: "2.3"
key:
aliases: [ cert ]
client_key:
description:
- Private key matching the client certificate.
type: path
version_added: "2.3"
aliases: [ key ]
vhost:
description:
- RabbitMQ virtual host.

6
lib/ansible/plugins/doc_fragments/rackspace.py
View file

@ -35,11 +35,12 @@ options:
description:
- Rackspace username, overrides I(credentials).
type: str
verify_ssl:
validate_certs:
description:
- Whether or not to require SSL validation of API endpoints.
type: bool
version_added: '1.5'
aliases: [ verify_ssl ]
requirements:
- python >= 2.6
- pyrax
@ -95,11 +96,12 @@ options:
username:
description:
- Rackspace username, overrides I(credentials).
verify_ssl:
validate_certs:
description:
- Whether or not to require SSL validation of API endpoints.
version_added: '1.5'
type: bool
aliases: [ verify_ssl ]
requirements:
- python >= 2.6
- pyrax

3
lib/ansible/plugins/doc_fragments/tower.py
View file

@ -21,12 +21,13 @@ options:
description:
- Password for your Tower instance.
type: str
tower_verify_ssl:
validate_certs:
description:
- Whether to allow insecure connections to Tower.
- If C(no), SSL certificates will not be validated.
- This should only be used on personally controlled sites using self-signed certificates.
type: bool
aliases: [ tower_verify_ssl ]
tower_config_file:
description:
- Path to the Tower config file.

3
lib/ansible/plugins/doc_fragments/vca.py
View file

@ -48,11 +48,12 @@ options:
type: str
choices: [ absent, present ]
default: present
verify_certs:
validate_certs:
description:
- If the certificates of the authentication is to be verified.
type: bool
default: yes
aliases: [ verify_certs ]
vdc_name:
description:
- The name of the vdc where the gateway is located.

33
lib/ansible/plugins/inventory/docker_swarm.py
View file

@ -48,24 +48,25 @@ DOCUMENTATION = '''
description: Connect using TLS without verifying the authenticity of the Docker host server.
type: bool
default: no
tls_verify:
validate_certs:
description: Toggle if connecting using TLS with or without verifying the authenticity of the Docker
host server.
type: bool
default: no
key_path:
aliases: [ tls_verify ]
client_key:
description: Path to the client's TLS key file.
type: path
aliases: [ tls_client_key ]
cacert_path:
aliases: [ tls_client_key, key_path ]
ca_cert:
description: Use a CA certificate when performing server verification by providing the path to a CA
certificate file.
type: path
aliases: [ tls_ca_cert ]
cert_path:
aliases: [ tls_ca_cert, cacert_path ]
client_cert:
description: Path to the client's TLS certificate file.
type: path
aliases: [ tls_client_cert ]
aliases: [ tls_client_cert, cert_path ]
tls_hostname:
description: When verifying the authenticity of the Docker host server, provide the expected name of
the server.
@ -116,10 +117,10 @@ tls: yes
# Example using remote docker with verified TLS and client certificate verification
plugin: docker_swarm
docker_host: tcp://my-docker-host:2376
tls_verify: yes
cacert_path: /somewhere/ca.pem
key_path: /somewhere/key.pem
cert_path: /somewhere/cert.pem
validate_certs: yes
ca_cert: /somewhere/ca.pem
client_key: /somewhere/key.pem
client_cert: /somewhere/cert.pem
# Example using constructed features to create groups and set ansible_host
plugin: docker_swarm
@ -164,10 +165,10 @@ class InventoryModule(BaseInventoryPlugin, Constructable):
raw_params = dict(
docker_host=self.get_option('docker_host'),
tls=self.get_option('tls'),
tls_verify=self.get_option('tls_verify'),
key_path=self.get_option('key_path'),
cacert_path=self.get_option('cacert_path'),
cert_path=self.get_option('cert_path'),
tls_verify=self.get_option('validate_certs'),
key_path=self.get_option('client_key'),
cacert_path=self.get_option('ca_cert'),
cert_path=self.get_option('client_cert'),
tls_hostname=self.get_option('tls_hostname'),
api_version=self.get_option('api_version'),
timeout=self.get_option('timeout'),
@ -186,7 +187,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable):
if self.get_option('include_host_uri'):
if self.get_option('include_host_uri_port'):
host_uri_port = str(self.get_option('include_host_uri_port'))
elif self.get_option('tls') or self.get_option('tls_verify'):
elif self.get_option('tls') or self.get_option('validate_certs'):
host_uri_port = '2376'
else:
host_uri_port = '2375'

14
lib/ansible/plugins/inventory/k8s.py
View file

@ -57,23 +57,27 @@ DOCUMENTATION = '''
description:
- Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD
environment variable.
cert_file:
client_cert:
description:
- Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE
environment variable.
key_file:
aliases: [ cert_file ]
client_key:
description:
- Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE
environment variable.
ssl_ca_cert:
aliases: [ key_file ]
ca_cert:
description:
- Path to a CA certificate used to authenticate with the API. Can also be specified via
K8S_AUTH_SSL_CA_CERT environment variable.
verify_ssl:
aliases: [ ssl_ca_cert ]
validate_certs:
description:
- "Whether or not to verify the API server's SSL certificates. Can also be specified via
K8S_AUTH_VERIFY_SSL environment variable."
type: bool
aliases: [ verify_ssl ]
namespaces:
description:
- List of namespaces. If not specified, will fetch all containers for all namespaces user is authorized
@ -93,7 +97,7 @@ plugin: k8s
connections:
host: https://192.168.64.4:8443
token: xxxxxxxxxxxxxxxx
ssl_verify: false
validate_certs: false
# Use default config (~/.kube/config) file and active context, and return objects for a specific namespace
plugin: k8s

12
lib/ansible/plugins/inventory/openshift.py
View file

@ -57,23 +57,27 @@ DOCUMENTATION = '''
description:
- Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD
environment variable.
cert_file:
client_cert:
description:
- Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE
environment variable.
key_file:
aliases: [ cert_file ]
client_key:
description:
- Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE
environment variable.
ssl_ca_cert:
aliases: [ key_file ]
ca_cert:
description:
- Path to a CA certificate used to authenticate with the API. Can also be specified via
K8S_AUTH_SSL_CA_CERT environment variable.
verify_ssl:
aliases: [ ssl_ca_cert ]
validate_certs:
description:
- "Whether or not to verify the API server's SSL certificates. Can also be specified via
K8S_AUTH_VERIFY_SSL environment variable."
type: bool
aliases: [ verify_ssl ]
namespaces:
description:
- List of namespaces. If not specified, will fetch all containers for all namespaces user is authorized

5
lib/ansible/plugins/inventory/tower.py
View file

@ -52,13 +52,14 @@ DOCUMENTATION = '''
env:
- name: TOWER_INVENTORY
required: True
verify_ssl:
validate_certs:
description: Specify whether Ansible should verify the SSL certificate of Ansible Tower host.
type: bool
default: True
env:
- name: TOWER_VERIFY_SSL
required: False
aliases: [ verify_ssl ]
include_metadata:
description: Make extra requests to provide all group vars with metadata about the source Ansible Tower host.
type: bool
@ -156,7 +157,7 @@ class InventoryModule(BaseInventoryPlugin):
request_handler = Request(url_username=self.get_option('username'),
url_password=self.get_option('password'),
force_basic_auth=True,
validate_certs=self.get_option('verify_ssl'))
validate_certs=self.get_option('validate_certs'))
inventory_id = self.get_option('inventory_id').replace('/', '')
inventory_url = '/api/v2/inventories/{inv_id}/script/?hostvars=1&towervars=1&all=1'.format(inv_id=inventory_id)

7
lib/ansible/plugins/lookup/hashi_vault.py
View file

@ -54,8 +54,9 @@ DOCUMENTATION = """
mount_point:
description: vault mount point, only required if you have a custom mount point.
default: ldap
cacert:
ca_cert:
description: path to certificate to use for authentication.
aliases: [ cacert ]
validate_certs:
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
type: boolean
@ -267,6 +268,10 @@ class LookupModule(LookupBase):
raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
vault_dict[key] = value
if 'ca_cert' in vault_dict.keys():
vault_dict['cacert'] = vault_dict['ca_cert']
vault_dict.pop('ca_cert', None)
vault_conn = HashiVault(**vault_dict)
for term in terms:

12
lib/ansible/plugins/lookup/k8s.py
View file

@ -98,24 +98,28 @@ DOCUMENTATION = """
description:
- Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment
variable.
cert_file:
client_cert:
description:
- Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE
environment
variable.
key_file:
aliases: [ cert_file ]
client_key:
description:
- Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment
variable.
ssl_ca_cert:
aliases: [ key_file ]
ca_cert:
description:
- Path to a CA certificate used to authenticate with the API. Can also be specified via K8S_AUTH_SSL_CA_CERT
environment variable.
verify_ssl:
aliases: [ ssl_ca_cert ]
validate_certs:
description:
- Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL
environment variable.
type: bool
aliases: [ verify_ssl ]
requirements:
- "python >= 2.7"

7
lib/ansible/plugins/lookup/laps_password.py
View file

@ -40,13 +40,14 @@ options:
- gssapi
default: gssapi
type: str
cacert_file:
ca_cert:
description:
- The path to a CA certificate PEM file to use for certificate validation.
- Certificate validation is used when C(scheme=ldaps) or C(start_tls=yes).
- This may fail on hosts with an older OpenLDAP install like MacOS, this will have to be updated before
reinstalling python-ldap to get working again.
type: str
aliases: [ cacert_file ]
domain:
description:
- The domain to search in to retrieve the LAPS password.
@ -173,7 +174,7 @@ EXAMPLES = """
ansible_password: "{{ lookup('laps_password', 'windows-pc',
domain='dc01.ansible.com',
start_tls=True,
cacert_file='/usr/local/share/certs/ad.pem') }}"
ca_cert='/usr/local/share/certs/ad.pem') }}"
"""
RETURN = """
@ -243,7 +244,7 @@ class LookupModule(LookupBase):
scheme = self.get_option('scheme')
start_tls = self.get_option('start_tls')
validate_certs = self.get_option('validate_certs')
cacert_file = self.get_option('cacert_file')
cacert_file = self.get_option('ca_cert')
search_base = self.get_option('search_base')
username = self.get_option('username')
password = self.get_option('password')