standardize TLS connection properties (#54315)

* openstack: standardize tls params

* tower: tower_verify_ssl->validate_certs

* docker: use standard tls config params

- cacert_path -> ca_cert
- cert_path -> client_cert
- key_path -> client_key
- tls_verify -> validate_certs

* k8s: standardize tls connection params

- verify_ssl -> validate_certs
- ssl_ca_cert -> ca_cert
- cert_file -> client_cert
- key_file -> client_key

* ingate: verify_ssl -> validate_certs

* manageiq: standardize tls params

- verify_ssl -> validate_certs
- ca_bundle_path -> ca_cert

* mysql: standardize tls params

- ssl_ca -> ca_cert
- ssl_cert -> client_cert
- ssl_key -> client_key

* nios: ssl_verify -> validate_certs

* postgresql: ssl_rootcert -> ca_cert

* rabbitmq: standardize tls params

- cacert -> ca_cert
- cert -> client_cert
- key -> client_key

* rackspace: verify_ssl -> validate_certs

* vca: verify_certs -> validate_certs

* kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs

* lxd: standardize tls params

- key_file -> client_key
- cert_file -> client_cert

* get_certificate: ca_certs -> ca_cert

* get_certificate.py: clarify one or more certs in a file

Co-Authored-By: jamescassell <code@james.cassell.me>

* zabbix: tls_issuer -> ca_cert

* bigip_device_auth_ldap: standardize tls params

- ssl_check_peer -> validate_certs
- ssl_client_cert -> client_cert
- ssl_client_key -> client_key
- ssl_ca_cert -> ca_cert

* vdirect: vdirect_validate_certs -> validate_certs

* mqtt: standardize tls params

- ca_certs -> ca_cert
- certfile -> client_cert
- keyfile -> client_key

* pulp_repo: standardize tls params

remove `importer_ssl` prefix

* rhn_register: sslcacert -> ca_cert

* yum_repository: standardize tls params

The fix for yum_repository is not straightforward since this module is
only a thin wrapper for the underlying commands and config.  In this
case, we add the new values as aliases, keeping the old as primary,
only due to the internal structure of the module.

Aliases added:
- sslcacert -> ca_cert
- sslclientcert -> client_cert
- sslclientkey -> client_key
- sslverify -> validate_certs

* gitlab_hook: enable_ssl_verification -> hook_validate_certs

* Adjust arguments for docker_swarm inventory plugin.

* foreman callback: standardize tls params

- ssl_cert -> client_cert
- ssl_key -> client_key

* grafana_annotations: validate_grafana_certs -> validate_certs

* nrdp callback: validate_nrdp_certs -> validate_certs

* kubectl connection: standardize tls params

- kubectl_cert_file -> client_cert
- kubectl_key_file -> client_key
- kubectl_ssl_ca_cert -> ca_cert
- kubectl_verify_ssl -> validate_certs

* oc connection: standardize tls params

- oc_cert_file -> client_cert
- oc_key_file -> client_key
- oc_ssl_ca_cert -> ca_cert
- oc_verify_ssl -> validate_certs

* psrp connection: cert_trust_path -> ca_cert

TODO: cert_validation -> validate_certs (multi-valued vs bool)

* k8s inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* openshift inventory: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* tower inventory: verify_ssl -> validate_certs

* hashi_vault lookup: cacert -> ca_cert

* k8s lookup: standardize tls params

- cert_file -> client_cert
- key_file -> client_key
- ca_cert -> ca_cert
- verify_ssl -> validate_certs

* laps_passord lookup: cacert_file -> ca_cert

* changelog for TLS parameter standardization

lib/ansible/plugins/lookup/hashi_vault.py

@@ -54,8 +54,9 @@ DOCUMENTATION = """
     mount_point:
       description: vault mount point, only required if you have a custom mount point.
       default: ldap
-    cacert:
+    ca_cert:
       description: path to certificate to use for authentication.
+      aliases: [ cacert ]
     validate_certs:
       description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
       type: boolean
@@ -267,6 +268,10 @@ class LookupModule(LookupBase):
                 raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
             vault_dict[key] = value
 
+        if 'ca_cert' in vault_dict.keys():
+            vault_dict['cacert'] = vault_dict['ca_cert']
+            vault_dict.pop('ca_cert', None)
+
         vault_conn = HashiVault(**vault_dict)
 
         for term in terms:

lib/ansible/plugins/lookup/k8s.py

@@ -98,24 +98,28 @@ DOCUMENTATION = """
         description:
         - Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment
           variable.
-      cert_file:
+      client_cert:
         description:
         - Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE
           environment
           variable.
-      key_file:
+        aliases: [ cert_file ]
+      client_key:
         description:
         - Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment
           variable.
-      ssl_ca_cert:
+        aliases: [ key_file ]
+      ca_cert:
         description:
         - Path to a CA certificate used to authenticate with the API. Can also be specified via K8S_AUTH_SSL_CA_CERT
           environment variable.
-      verify_ssl:
+        aliases: [ ssl_ca_cert ]
+      validate_certs:
         description:
         - Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL
           environment variable.
         type: bool
+        aliases: [ verify_ssl ]
 
     requirements:
       - "python >= 2.7"

lib/ansible/plugins/lookup/laps_password.py

@@ -40,13 +40,14 @@ options:
     - gssapi
     default: gssapi
     type: str
-  cacert_file:
+  ca_cert:
     description:
     - The path to a CA certificate PEM file to use for certificate validation.
     - Certificate validation is used when C(scheme=ldaps) or C(start_tls=yes).
     - This may fail on hosts with an older OpenLDAP install like MacOS, this will have to be updated before
       reinstalling python-ldap to get working again.
     type: str
+    aliases: [ cacert_file ]
   domain:
     description:
     - The domain to search in to retrieve the LAPS password.
@@ -173,7 +174,7 @@ EXAMPLES = """
     ansible_password: "{{ lookup('laps_password', 'windows-pc',
                                  domain='dc01.ansible.com',
                                  start_tls=True,
-                                 cacert_file='/usr/local/share/certs/ad.pem') }}"
+                                 ca_cert='/usr/local/share/certs/ad.pem') }}"
 """
 
 RETURN = """
@@ -243,7 +244,7 @@ class LookupModule(LookupBase):
         scheme = self.get_option('scheme')
         start_tls = self.get_option('start_tls')
         validate_certs = self.get_option('validate_certs')
-        cacert_file = self.get_option('cacert_file')
+        cacert_file = self.get_option('ca_cert')
         search_base = self.get_option('search_base')
         username = self.get_option('username')
         password = self.get_option('password')