From 3aa7ee8d17997d19758ee8dac76303da2122a574 Mon Sep 17 00:00:00 2001 
From: James Cassell Date: Thu, 28 Mar 2019 01:19:28 -0400 Subject: [PATCH] standardize TLS connection properties (#54315) * openstack: standardize tls params * tower: tower_verify_ssl->validate_certs * docker: use standard tls config params - cacert_path -> ca_cert - cert_path -> client_cert - key_path -> client_key - tls_verify -> validate_certs * k8s: standardize tls connection params - verify_ssl -> validate_certs - ssl_ca_cert -> ca_cert - cert_file -> client_cert - key_file -> client_key * ingate: verify_ssl -> validate_certs * manageiq: standardize tls params - verify_ssl -> validate_certs - ca_bundle_path -> ca_cert * mysql: standardize tls params - ssl_ca -> ca_cert - ssl_cert -> client_cert - ssl_key -> client_key * nios: ssl_verify -> validate_certs * postgresql: ssl_rootcert -> ca_cert * rabbitmq: standardize tls params - cacert -> ca_cert - cert -> client_cert - key -> client_key * rackspace: verify_ssl -> validate_certs * vca: verify_certs -> validate_certs * kubevirt_cdi_upload: upload_host_verify_ssl -> upload_host_validate_certs * lxd: standardize tls params - key_file -> client_key - cert_file -> client_cert * get_certificate: ca_certs -> ca_cert * get_certificate.py: clarify one or more certs in a file Co-Authored-By: jamescassell * zabbix: tls_issuer -> ca_cert * bigip_device_auth_ldap: standardize tls params - ssl_check_peer -> validate_certs - ssl_client_cert -> client_cert - ssl_client_key -> client_key - ssl_ca_cert -> ca_cert * vdirect: vdirect_validate_certs -> validate_certs * mqtt: standardize tls params - ca_certs -> ca_cert - certfile -> client_cert - keyfile -> client_key * pulp_repo: standardize tls params remove `importer_ssl` prefix * rhn_register: sslcacert -> ca_cert * yum_repository: standardize tls params The fix for yum_repository is not straightforward since this module is only a thin wrapper for the underlying commands and config. 
In this case, we add the new values as aliases, keeping the old as primary, only due to the internal structure of the module. Aliases added: - sslcacert -> ca_cert - sslclientcert -> client_cert - sslclientkey -> client_key - sslverify -> validate_certs * gitlab_hook: enable_ssl_verification -> hook_validate_certs * Adjust arguments for docker_swarm inventory plugin. * foreman callback: standardize tls params - ssl_cert -> client_cert - ssl_key -> client_key * grafana_annotations: validate_grafana_certs -> validate_certs * nrdp callback: validate_nrdp_certs -> validate_certs * kubectl connection: standardize tls params - kubectl_cert_file -> client_cert - kubectl_key_file -> client_key - kubectl_ssl_ca_cert -> ca_cert - kubectl_verify_ssl -> validate_certs * oc connection: standardize tls params - oc_cert_file -> client_cert - oc_key_file -> client_key - oc_ssl_ca_cert -> ca_cert - oc_verify_ssl -> validate_certs * psrp connection: cert_trust_path -> ca_cert TODO: cert_validation -> validate_certs (multi-valued vs bool) * k8s inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * openshift inventory: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * tower inventory: verify_ssl -> validate_certs * hashi_vault lookup: cacert -> ca_cert * k8s lookup: standardize tls params - cert_file -> client_cert - key_file -> client_key - ca_cert -> ca_cert - verify_ssl -> validate_certs * laps_password lookup: cacert_file -> ca_cert * changelog for TLS parameter standardization --- lib/ansible/module_utils/ansible_tower.py | 6 +++--- .../ansible_tower/tower_credential_type.py | 5 +++-- .../ansible_tower/tower_inventory_source.py | 5 +++-- lib/ansible/plugins/inventory/tower.py | 5 +++-- 4 files changed, 12 insertions(+), 9 deletions(-) 
diff --git a/lib/ansible/module_utils/ansible_tower.py b/lib/ansible/module_utils/ansible_tower.py index a0aed73a54..e20dd21326 100644 --- a/lib/ansible/module_utils/ansible_tower.py +++ b/lib/ansible/module_utils/ansible_tower.py @@ -70,7 +70,7 @@ def tower_auth_config(module): password = module.params.pop('tower_password', None) if password: auth_config['password'] = password - verify_ssl = module.params.pop('tower_verify_ssl', None) + verify_ssl = module.params.pop('validate_certs', None) if verify_ssl is not None: auth_config['verify_ssl'] = verify_ssl return auth_config @@ -92,7 +92,7 @@ class TowerModule(AnsibleModule): tower_host=dict(), tower_username=dict(), tower_password=dict(no_log=True), - tower_verify_ssl=dict(type='bool'), + validate_certs=dict(type='bool', aliases=['tower_verify_ssl']), tower_config_file=dict(type='path'), ) args.update(argument_spec) @@ -102,7 +102,7 @@ class TowerModule(AnsibleModule): ('tower_config_file', 'tower_host'), ('tower_config_file', 'tower_username'), ('tower_config_file', 'tower_password'), - ('tower_config_file', 'tower_verify_ssl'), + ('tower_config_file', 'validate_certs'), )) super(TowerModule, self).__init__(argument_spec=args, **kwargs) diff --git a/lib/ansible/modules/web_infrastructure/ansible_tower/tower_credential_type.py b/lib/ansible/modules/web_infrastructure/ansible_tower/tower_credential_type.py index 12b75a4029..831a35ad3f 100644 --- a/lib/ansible/modules/web_infrastructure/ansible_tower/tower_credential_type.py +++ b/lib/ansible/modules/web_infrastructure/ansible_tower/tower_credential_type.py @@ -58,11 +58,12 @@ options: required: False default: "present" choices: ["present", "absent"] - tower_verify_ssl: + validate_certs: description: - Tower option to avoid certificates check. required: False type: bool + aliases: [ tower_verify_ssl ] extends_documentation_fragment: tower ''' 
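Review bot: `tower_auth_config` reads the option only under its canonical key, `module.params.pop('validate_certs', None)`, and when it is unset the `verify_ssl` entry is simply left out of `auth_config`; since the second hunk declares `validate_certs` with no `default`, a one-line comment such as `# absent when unset: the consumer of auth_config applies its own verification default` would make that deliberate behaviour visible to the next reader. The alias declared in the second hunk is resolved by AnsibleModule into `module.params['validate_certs']` before this code runs, so the pop is correct; as far as I recall the alias key itself is not removed from `module.params`, which only matters if anything downstream forwards the leftover params. The shared `tower` documentation fragment that the module-level options are documented through is not among the four files in the diffstat, so it presumably still presents `tower_verify_ssl` as the primary name rather than as an alias of `validate_certs`. The body of `tower_auth_config` starts before this hunk.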
@@ -75,7 +76,7 @@ EXAMPLES = ''' inputs: "{{ lookup('file', 'tower_credential_inputs_nexus.json') }}" injectors: {'extra_vars': {'nexus_credential': 'test' }} state: present - tower_verify_ssl: false + validate_certs: false - tower_credential_type: name: Nexus diff --git a/lib/ansible/modules/web_infrastructure/ansible_tower/tower_inventory_source.py b/lib/ansible/modules/web_infrastructure/ansible_tower/tower_inventory_source.py index 48a1e9ce1d..9aec7a8b95 100644 --- a/lib/ansible/modules/web_infrastructure/ansible_tower/tower_inventory_source.py +++ b/lib/ansible/modules/web_infrastructure/ansible_tower/tower_inventory_source.py @@ -138,10 +138,11 @@ options: - Desired state of the resource. default: "present" choices: ["present", "absent"] - tower_verify_ssl: + validate_certs: description: - Tower option to avoid certificates check. type: bool + aliases: [ tower_verify_ssl ] extends_documentation_fragment: tower ''' @@ -158,7 +159,7 @@ EXAMPLES = ''' overwrite: true source_vars: '{ private: false }' state: present - tower_verify_ssl: false + validate_certs: false ''' diff --git a/lib/ansible/plugins/inventory/tower.py b/lib/ansible/plugins/inventory/tower.py index f77368f7e4..76eb7eb67b 100644 --- a/lib/ansible/plugins/inventory/tower.py +++ b/lib/ansible/plugins/inventory/tower.py @@ -52,13 +52,14 @@ DOCUMENTATION = ''' env: - name: TOWER_INVENTORY required: True - verify_ssl: + validate_certs: description: Specify whether Ansible should verify the SSL certificate of Ansible Tower host. type: bool default: True env: - name: TOWER_VERIFY_SSL required: False + aliases: [ verify_ssl ] include_metadata: description: Make extra requests to provide all group vars with metadata about the source Ansible Tower host. type: bool 
@@ -156,7 +157,7 @@ class InventoryModule(BaseInventoryPlugin):
 request_handler = Request(url_username=self.get_option('username'),
 url_password=self.get_option('password'),
 force_basic_auth=True,
- validate_certs=self.get_option('verify_ssl'))
+ validate_certs=self.get_option('validate_certs'))
 inventory_id = self.get_option('inventory_id').replace('/', '')
 inventory_url = '/api/v2/inventories/{inv_id}/script/?hostvars=1&towervars=1&all=1'.format(inv_id=inventory_id)
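Review bot: `self.get_option('validate_certs')` reads only the canonical option name, so the `aliases: [ verify_ssl ]` added to the plugin DOCUMENTATION in the preceding hunk has to be honoured by the plugin config loader for existing inventory source files that still say `verify_ssl:` to keep working; I am not certain the loader resolves aliases for inventory-source keys, so that is worth a test with an old-style source file. If it does not, such a file would silently fall back to `default: True`, which fails closed (certificate verification stays on) but turns a config rename into an unexplained connection error against a Tower host that uses a private CA. The `TOWER_VERIFY_SSL` environment variable is unchanged, so the env path is unaffected. The enclosing method starts before this hunk and continues past its end.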