---
# Integration test for the certificate role against an IPA CA:
# request two certificates with `ca: ipa` and then assert the issued
# certificate/key parameters with tasks/assert_certificate_parameters.yml.
- name: Test using IPA to issue certs
  hosts: all
  gather_facts: true
  become: true
  tags:
    - tests::slow
  tasks:
    # OSTree-based hosts are skipped: the marker file /run/ostree-booted is
    # checked and, if present, `meta: end_host` ends the play for that host.
    - name: Check if test is supported
      vars:
        ostree_booted_file: /run/ostree-booted
      block:
        - name: Check if system is ostree
          stat:
            path: "{{ ostree_booted_file }}"
          register: __ostree_booted_stat
        - name: Skip if not supported
          meta: end_host
          when: __ostree_booted_stat.stat.exists

    # The IPA server/client setup itself lives in tasks/setup_ipa.yml.
    - name: Setup IPA
      import_tasks: tasks/setup_ipa.yml

    # Two requests: a plain one and one whose private key must be readable
    # by the `ftp` group (ownership/mode are asserted further down).
    # NOTE(review): the `principal` values below look garbled by the page's
    # e-mail obfuscation ("[email protected]"); confirm the real value against
    # the repository before relying on this file.
    - name: Issue IPA signed certificates
      include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - name: mycert_basic_ipa
            dns: ipaserver.test.local
            principal: HTTP/[email protected]
            ca: ipa
          - name: groupcert
            dns: ipaserver.test.local
            principal: HTTP/[email protected]
            ca: ipa
            group: ftp

    # assert_certificate_parameters.yml runs once per entry of `certificates`,
    # with the current entry exposed to it as `cert`.
    - name: Verify certificates
      include_tasks: tasks/assert_certificate_parameters.yml
      loop: "{{ certificates }}"
      loop_control:
        loop_var: cert
      vars:
        certificates:
          # No owner/group/mode is asserted for this certificate, so whatever
          # the role applies by default is accepted here — TODO confirm that
          # is intended rather than an omission.
          - path: /etc/pki/tls/certs/mycert_basic_ipa.crt
            key_path: /etc/pki/tls/private/mycert_basic_ipa.key
            subject:
              - name: commonName
                oid: 2.5.4.3
                value: ipaserver.test.local
              - name: organizationName
                oid: 2.5.4.10
                value: TEST.LOCAL
            subject_alt_name:
              - name: DNS
                value: ipaserver.test.local
              - name: Universal Principal Name (UPN)
                oid: 1.3.6.1.4.1.311.20.2.3
                value: HTTP/[email protected]
              - name: Kerberos principalname
                oid: 1.3.6.1.5.2.2
                value: HTTP/[email protected]
            # IPA CA doesn't respect the requested key_usage (and that's ok);
            # the list below is what the issued certificate is expected to carry.
            key_usage:
              - digital_signature
              - content_commitment
              - key_encipherment
              - data_encipherment
          # The private key must stay root-owned and only group-readable by
          # `ftp` (0640); anything wider would expose the key to other users.
          - path: /etc/pki/tls/certs/groupcert.crt
            key_path: /etc/pki/tls/private/groupcert.key
            owner: root
            group: ftp
            mode: "0640"
            subject:
              - name: commonName
                oid: 2.5.4.3
                value: ipaserver.test.local
              - name: organizationName
                oid: 2.5.4.10
                value: TEST.LOCAL
            subject_alt_name:
              - name: DNS
                value: ipaserver.test.local
              - name: Universal Principal Name (UPN)
                oid: 1.3.6.1.4.1.311.20.2.3
                value: HTTP/[email protected]
              - name: Kerberos principalname
                oid: 1.3.6.1.5.2.2
                value: HTTP/[email protected]
            # Same expected key_usage as for mycert_basic_ipa above.
            key_usage:
              - digital_signature
              - content_commitment
              - key_encipherment
              - data_encipherment