tls_everywhere
Role Documentation
Welcome to the “tls_everywhere” role documentation.
Role Defaults
This section highlights all of the defaults and variables set within the “tls_everywhere” role.
ipa_bin: ipa
kinit_bin: kinit
kdestroy_bin: kdestroy
helper_status_ok: OK
helper_status_error: ERROR
helper_status_skipped: SKIPPED
helper_report_path: /tmp/report.txt
helper_undercloud_path: /home/{{ ansible_ssh_user }}
Molecule Scenarios
Molecule is used to test the “tls_everywhere” role. The following section lists the drivers in use and provides an example playbook showing how the role is exercised.
- Driver: podman
Scenario: default
Molecule Platform(s)
- name: centos
  hostname: centos
  image: centos/centos:stream8
  registry:
    url: quay.io
  dockerfile: ../../../../.config/molecule/Dockerfile
  pkg_extras: python*-setuptools python*-pyyaml
  volumes:
    - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  privileged: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') }}"
    https_proxy: "{{ lookup('env', 'https_proxy') }}"
  ulimits:
    - host
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- name: Converge
  hosts: all
  vars:
    # The IPA and Kerberos client binaries are replaced with echo, so each
    # command's output is simply the argument list it was called with.
    ipa_bin: echo
    kinit_bin: echo
    kdestroy_bin: echo
    tls_everywhere_undercloud_fqdn: undercloud.example.com
  tasks:
    - name: Run ipa_server_check validation
      block:
        - name: run validation
          include_role:
            name: tls_everywhere
            tasks_from: ipa-server-check
      rescue:
        - name: clear errors
          meta: clear_host_errors
        # The validation is expected to fail; verify the arguments passed to
        # each stubbed command and the single reported failure.
        - name: check command outputs
          assert:
            that:
              - tls_everywhere_aci_check_kinit_output == "host/undercloud.example.com -k -t /etc/krb5.keytab"
              - tls_everywhere_aci_check_dns_record_show_output == "dnsrecord-show example.com freeipa-0"
              - tls_everywhere_aci_check_service_show_output == "service-show nova/undercloud.example.com --all --raw"
              - ipa_server_aci_check_kdestroy_output == "-A"
              - ipa_server_aci_check_failures|length == 1
              - '"Modify Realm Domains" in ipa_server_aci_check_failures[0]'
        - name: End play
          meta: end_play
    # Reached only when the block above did not fail, because the rescue
    # section ends the play.
    - name: Fail the test
      fail:
        msg: |
          The ipa-server-check validation didn't fail as expected