standardize TLS connection properties (#54315)

* openstack: standardize tls params

* tower: tower_verify_ssl->validate_certs

* docker: use standard tls config params

- cacert_path -> ca_cert
- cert_path -> client_cert
- key_path -> client_key
- tls_verify -> validate_certs

* k8s: standardize tls connection params

- verify_ssl -> validate_certs
- ssl_ca_cert -> ca_cert
- cert_file -> client_cert
- key_file -> client_key

* ingate: verify_ssl -> validate_certs

* manageiq: standardize tls params

- verify_ssl -> validate_certs
- ca_bundle_path -> ca_cert

* mysql: standardize tls params

- ssl_ca -> ca_cert
- ssl_cert -> client_cert
- ssl_key -> client_key

* nios: ssl_verify -> validate_certs

* postgresql: ssl_rootcert -> ca_cert

* rabbitmq: standardize tls params

- cacert -> ca_cert
- cert -> client_cert
- key -> client_key

* rackspace: verify_ssl -> validate_certs

* vca: verify_certs -> validate_certs

* kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs

* lxd: standardize tls params

- key_file -> client_key
- cert_file -> client_cert

* get_certificate: ca_certs -> ca_cert

* get_certificate.py: clarify one or more certs in a file

Co-Authored-By: jamescassell <code@james.cassell.me>

* zabbix: tls_issuer -> ca_cert

* bigip_device_auth_ldap: standardize tls params

- ssl_check_peer -> validate_certs
- ssl_client_cert -> client_cert
- ssl_client_key -> client_key
- ssl_ca_cert -> ca_cert

* vdirect: vdirect_validate_certs -> validate_certs

* mqtt: standardize tls params

- ca_certs -> ca_cert
- certfile -> client_cert
- keyfile -> client_key

* pulp_repo: standardize tls params

remove `importer_ssl` prefix

* rhn_register: sslcacert -> ca_cert

* yum_repository: standardize tls params

The fix for yum_repository is not straightforward since this module is
only a thin wrapper for the underlying commands and config.  In this
case, we add the new values as aliases, keeping the old as primary,
only due to the internal structure of the module.

Aliases added:
- sslcacert -> ca_cert
- sslclientcert -> client_cert
- sslclientkey -> client_key
- sslverify -> validate_certs

* gitlab_hook: enable_ssl_verification -> hook_validate_certs

* Adjust arguments for docker_swarm inventory plugin.

* foreman callback: standardize tls params

- ssl_cert -> client_cert
- ssl_key -> client_key

* grafana_annotations: validate_grafana_certs -> validate_certs

* nrdp callback: validate_nrdp_certs -> validate_certs

* kubectl connection: standardize tls params

- kubectl_cert_file -> client_cert
- kubectl_key_file -> client_key
- kubectl_ssl_ca_cert -> ca_cert
- kubectl_verify_ssl -> validate_certs

* oc connection: standardize tls params

- oc_cert_file -> client_cert
- oc_key_file -> client_key
- oc_ssl_ca_cert -> ca_cert
- oc_verify_ssl -> validate_certs

* psrp connection: cert_trust_path -> ca_cert

TODO: cert_validation -> validate_certs (multi-valued vs bool)

* k8s inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* openshift inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* tower inventory: verify_ssl -> validate_certs

* hashi_vault lookup: cacert -> ca_cert

* k8s lookup: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* laps_passord lookup: cacert_file -> ca_cert

* changelog for TLS parameter standardization

lib/ansible/plugins/doc_fragments/docker.py

@@ -42,27 +42,27 @@ options:
               instead. If the environment variable is not set, the default value will be used.
         type: int
         default: 60
-    cacert_path:
+    ca_cert:
         description:
             - Use a CA certificate when performing server verification by providing the path to a CA certificate file.
             - If the value is not specified in the task and the environment variable C(DOCKER_CERT_PATH) is set,
               the file C(ca.pem) from the directory specified in the environment variable C(DOCKER_CERT_PATH) will be used.
         type: path
-        aliases: [ tls_ca_cert ]
-    cert_path:
+        aliases: [ tls_ca_cert, cacert_path ]
+    client_cert:
         description:
             - Path to the client's TLS certificate file.
             - If the value is not specified in the task and the environment variable C(DOCKER_CERT_PATH) is set,
               the file C(cert.pem) from the directory specified in the environment variable C(DOCKER_CERT_PATH) will be used.
         type: path
-        aliases: [ tls_client_cert ]
-    key_path:
+        aliases: [ tls_client_cert, cert_path ]
+    client_key:
         description:
             - Path to the client's TLS key file.
             - If the value is not specified in the task and the environment variable C(DOCKER_CERT_PATH) is set,
               the file C(key.pem) from the directory specified in the environment variable C(DOCKER_CERT_PATH) will be used.
         type: path
-        aliases: [ tls_client_key ]
+        aliases: [ tls_client_key, key_path ]
     ssl_version:
         description:
             - Provide a valid SSL version number. Default value determined by ssl.py module.
@@ -77,13 +77,14 @@ options:
               instead. If the environment variable is not set, the default value will be used.
         type: bool
         default: no
-    tls_verify:
+    validate_certs:
         description:
             - Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.
             - If the value is not specified in the task, the value of environment variable C(DOCKER_TLS_VERIFY) will be
               used instead. If the environment variable is not set, the default value will be used.
         type: bool
         default: no
+        aliases: [ tls_verify ]
     debug:
         description:
             - Debug mode

lib/ansible/plugins/doc_fragments/ingate.py

@@ -46,11 +46,12 @@ options:
         description:
           - The timeout (in seconds) for REST API requests.
         type: int
-      verify_ssl:
+      validate_certs:
         description:
           - Verify the unit's HTTPS certificate.
         type: bool
         default: yes
+        aliases: [ verify_ssl ]
 notes:
   - This module requires that the Ingate Python SDK is installed on the
     host. To install the SDK use the pip command from your shell

lib/ansible/plugins/doc_fragments/k8s_auth_options.py

@@ -43,31 +43,35 @@ options:
       variable.
     - Please read the description of the C(username) option for a discussion of when this option is applicable.
     type: str
-  cert_file:
+  client_cert:
     description:
     - Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment
       variable.
     type: path
-  key_file:
+    aliases: [ cert_file ]
+  client_key:
     description:
     - Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment
       variable.
     type: path
-  ssl_ca_cert:
+    aliases: [ key_file ]
+  ca_cert:
     description:
     - Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to
       avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
     type: path
-  verify_ssl:
+    aliases: [ ssl_ca_cert ]
+  validate_certs:
     description:
     - Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL
       environment variable.
     type: bool
+    aliases: [ verify_ssl ]
 notes:
   - "The OpenShift Python client wraps the K8s Python client, providing full access to
     all of the APIS and models available on both platforms. For API version details and
     additional information visit https://github.com/openshift/openshift-restclient-python"
-  - "To avoid SSL certificate validation errors when C(verify_ssl) is I(True), the full
-    certificate chain for the API server must be provided via C(ssl_ca_cert) or in the
+  - "To avoid SSL certificate validation errors when C(validate_certs) is I(True), the full
+    certificate chain for the API server must be provided via C(ca_cert) or in the
     kubeconfig file."
 '''

lib/ansible/plugins/doc_fragments/manageiq.py

@@ -32,15 +32,17 @@ options:
         description:
           - ManageIQ token. C(MIQ_TOKEN) env var if set. otherwise, required if no username or password is passed in.
         type: str
-      verify_ssl:
+      validate_certs:
         description:
           - Whether SSL certificates should be verified for HTTPS requests. defaults to True.
         type: bool
         default: yes
-      ca_bundle_path:
+        aliases: [ verify_ssl ]
+      ca_cert:
         description:
           - The path to a CA bundle file or directory with certificates. defaults to None.
         type: path
+        aliases: [ ca_bundle_path ]
 
 requirements:
   - 'manageiq-client U(https://github.com/ManageIQ/manageiq-api-client-python/)'

lib/ansible/plugins/doc_fragments/mysql.py

@@ -43,22 +43,25 @@ options:
     type: path
     default: '~/.my.cnf'
     version_added: "2.0"
-  ssl_ca:
+  ca_cert:
     description:
       - The path to a Certificate Authority (CA) certificate. This option, if used, must specify the same certificate
         as used by the server.
     type: path
     version_added: "2.0"
-  ssl_cert:
+    aliases: [ ssl_ca ]
+  client_cert:
     description:
       - The path to a client public key certificate.
     type: path
     version_added: "2.0"
-  ssl_key:
+    aliases: [ ssl_cert ]
+  client_key:
     description:
       - The path to the client private key.
     type: path
     version_added: "2.0"
+    aliases: [ ssl_key ]
 requirements:
    - PyMySQL (Python 2.7 and Python 3.X), or
    - MySQLdb (Python 2.x)

lib/ansible/plugins/doc_fragments/nios.py

@@ -36,13 +36,14 @@ options:
           - Value can also be specified using C(INFOBLOX_PASSWORD) environment
             variable.
         type: str
-      ssl_verify:
+      validate_certs:
         description:
           - Boolean value to enable or disable verifying SSL certificates
           - Value can also be specified using C(INFOBLOX_SSL_VERIFY) environment
             variable.
         type: bool
         default: no
+        aliases: [ ssl_verify ]
       http_request_timeout:
         description:
           - The amount of time before to wait before receiving a response

lib/ansible/plugins/doc_fragments/openstack.py

@@ -54,26 +54,29 @@ options:
       - How long should the socket layer wait before timing out for API calls.
         If this is omitted, nothing will be passed to the requests library.
     type: int
-  verify:
+  validate_certs:
     description:
       - Whether or not SSL API requests should be verified.
       - Before Ansible 2.3 this defaulted to C(yes).
     type: bool
     default: no
-    aliases: [ validate_certs ]
-  cacert:
+    aliases: [ verify ]
+  ca_cert:
     description:
       - A path to a CA Cert bundle that can be used as part of verifying
         SSL API requests.
     type: str
-  cert:
+    aliases: [ cacert ]
+  client_cert:
     description:
       - A path to a client certificate to use as part of the SSL transaction.
     type: str
-  key:
+    aliases: [ cert ]
+  client_key:
     description:
       - A path to a client key to use as part of the SSL transaction.
     type: str
+    aliases: [ key ]
   interface:
     description:
         - Endpoint URL type to fetch from the service catalog.

lib/ansible/plugins/doc_fragments/postgres.py

@@ -38,18 +38,19 @@ options:
     default: prefer
     choices: [ allow, disable, prefer, require, verify-ca, verify-full ]
     version_added: '2.3'
-  ssl_rootcert:
+  ca_cert:
     description:
       - Specifies the name of a file containing SSL certificate authority (CA) certificate(s).
       - If the file exists, the server's certificate will be verified to be signed by one of these authorities.
     type: str
     version_added: '2.3'
+    aliases: [ ssl_rootcert ]
 notes:
 - The default authentication assumes that you are either logging in as or sudo'ing to the C(postgres) account on the host.
 - This module uses I(psycopg2), a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on
   the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then
   PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the C(postgresql), C(libpq-dev),
   and C(python-psycopg2) packages on the remote host before using this module.
-- The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
+- The ca_cert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
 requirements: [ psycopg2 ]
 '''

lib/ansible/plugins/doc_fragments/rabbitmq.py

@@ -34,21 +34,24 @@ options:
         choices: [ http , https ]
         default: http
         version_added: "2.3"
-    cacert:
+    ca_cert:
         description:
             - CA certificate to verify SSL connection to management API.
         type: path
         version_added: "2.3"
-    cert:
+        aliases: [ cacert ]
+    client_cert:
         description:
             - Client certificate to send on SSL connections to management API.
         type: path
         version_added: "2.3"
-    key:
+        aliases: [ cert ]
+    client_key:
         description:
             - Private key matching the client certificate.
         type: path
         version_added: "2.3"
+        aliases: [ key ]
     vhost:
         description:
             - RabbitMQ virtual host.

lib/ansible/plugins/doc_fragments/rackspace.py

@@ -35,11 +35,12 @@ options:
     description:
       - Rackspace username, overrides I(credentials).
     type: str
-  verify_ssl:
+  validate_certs:
     description:
       - Whether or not to require SSL validation of API endpoints.
     type: bool
     version_added: '1.5'
+    aliases: [ verify_ssl ]
 requirements:
   - python >= 2.6
   - pyrax
@@ -95,11 +96,12 @@ options:
   username:
     description:
       - Rackspace username, overrides I(credentials).
-  verify_ssl:
+  validate_certs:
     description:
       - Whether or not to require SSL validation of API endpoints.
     version_added: '1.5'
     type: bool
+    aliases: [ verify_ssl ]
 requirements:
   - python >= 2.6
   - pyrax

lib/ansible/plugins/doc_fragments/tower.py

@@ -21,12 +21,13 @@ options:
     description:
     - Password for your Tower instance.
     type: str
-  tower_verify_ssl:
+  validate_certs:
     description:
     - Whether to allow insecure connections to Tower.
     - If C(no), SSL certificates will not be validated.
     - This should only be used on personally controlled sites using self-signed certificates.
     type: bool
+    aliases: [ tower_verify_ssl ]
   tower_config_file:
     description:
     - Path to the Tower config file.

lib/ansible/plugins/doc_fragments/vca.py

@@ -48,11 +48,12 @@ options:
       type: str
       choices: [ absent, present ]
       default: present
-    verify_certs:
+    validate_certs:
       description:
         - If the certificates of the authentication is to be verified.
       type: bool
       default: yes
+      aliases: [ verify_certs ]
     vdc_name:
       description:
         - The name of the vdc where the gateway is located.