---
# - Cannot add these to converge.yml because they will cause idempotence
# issues, since tasks in the role will run multiple times (since we are
# running the role multiple times or because the steps that need to be
# followed will break idempotence).
# - "Abusing" the side-effect playbook to avoid creating multiple scenarios
# with different converge playbooks.
# - These will not be included in the idempotence check (idempotence runs
# before side-effects). The converge.yml playbook should run all paths in
# the code, thus it should be enough for the idempotence check.
# - verify.yml runs after the side-effects, thus it will cover the cases
# included here as well.
# Play 1: the role must be a no-op when its master switch is turned off.
# NOTE(review): `easyrsa_role_run` is not set here, so the assert relies on
# the role defining it (presumably as a default that is only flipped to true
# once the role actually executes) — confirm in the role, otherwise the assert
# fails with "undefined variable" rather than a clean negative result.
- name: Disable role
  hosts: all
  vars:
    easyrsa_enabled: false
  roles:
    - nkakouros.easyrsa
  tasks:
    # ansible-lint's literal-compare rule prefers `not easyrsa_role_run`;
    # the explicit comparison is kept as written.
    - name: Check role did not run
      assert:
        that:
          - easyrsa_role_run == false
# Play 2 (case 2): every download switch is off, so nothing from the PKI
# (certificates or keys) should be copied back to the controller.
# The download dir is pointed at an alternate path so that verify.yml can
# presumably check it stays empty without being confused by earlier cases.
- name: Disable all downloading, nothing should be created on the controller (case 2)
  hosts: all
  vars_files:
    - vars/common.yml
  roles:
    - role: nkakouros.easyrsa
      easyrsa_download_dir: "{{ easyrsa_download_dir_alt }}"
      # explicit empty list: `easyrsa_download:` alone would be null, not []
      easyrsa_download: []
      easyrsa_download_pki: false
# Play 3 (case 3): pull the entire PKI (and extract it) to the controller,
# while the per-entity download list stays empty. Uses a second alternate
# download dir so this case is isolated from case 2 and case 4.
# NOTE(review): a whole-PKI download presumably includes the CA private key
# on the controller; keep `easyrsa_download_dir_alt2` outside anything that
# gets committed or shared — verify against vars/common.yml.
- name: Download the whole pki, no separate certs/keys (case 3)
  hosts: all
  vars_files:
    - vars/common.yml
  roles:
    - role: nkakouros.easyrsa
      easyrsa_download_dir: "{{ easyrsa_download_dir_alt2 }}"
      easyrsa_download: []
      easyrsa_download_pki: true
      easyrsa_download_pki_extract: true
# Play 4 (case 4): download only the individual client certs/keys, not the
# PKI as a whole. The client list is read from vars/case1.yml so this play
# does not duplicate the list that converge.yml (case 1) already uses.
- name: Download separate certs/keys, not the whole pki (case 4)
  hosts: all
  vars_files:
    - vars/common.yml
  tasks:
    # Loaded under the `case1` namespace so its keys do not clobber the
    # play-level vars coming from vars/common.yml.
    - name: Load case1 vars to read the clients
      include_vars:
        file: vars/case1.yml
        name: case1
    # include_role (rather than a `roles:` entry) is needed here because the
    # download list depends on a var set by the previous task.
    - name: Run the role
      include_role:
        name: nkakouros.easyrsa
      vars:
        easyrsa_download_dir: "{{ easyrsa_download_dir_alt3 }}"
        easyrsa_download: "{{ case1.easyrsa_clients }}"
        easyrsa_download_pki: false
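# Play 5: revoke (and renew) certificates, then run the role again with
# nothing new to do and assert that the CRL is not regenerated a second time.
# This cannot live in converge.yml: revoking is inherently non-idempotent
# across runs, so the idempotency check is done by hand at the end.
# Fix: play name typo ("renvew" -> "renew"); file mode written as a quoted
# string so YAML 1.1 and 1.2 parsers agree on it (Ansible parses "0644" as
# octal either way).
- name: Revoke/renew certificates and manually check idempotency
  hosts: all
  vars_files:
    - vars/common.yml
    # presumably names the certificate(s) to revoke/renew — see vars/revoke.yml
    - vars/revoke.yml
  handlers:
    # Writes a marker file on the controller when the role notifies its CRL
    # handler; the file's existence is presumably what verify.yml checks.
    # The content is a fixed placeholder (no secret material), so a
    # world-readable mode is acceptable here.
    - name: Handler that should be notified during crl creation/update
      copy:
        dest: "{{ _easyrsa_crl_handler_lock_file }}"
        content: 'placeholder'
        mode: "0644"
      listen: _easyrsa-crl-triggered-handler
      delegate_to: localhost
  tasks:
    # `public: true` exposes the role's vars/defaults to the rest of the play;
    # that is what makes `_easyrsa_crl_handler_lock_file` (handler above) and
    # the `_easyrsa_crl_regeneration_needed_*` results (assert below) usable
    # outside the role. Leading-underscore names look role-internal — treat
    # them as a test-only coupling to the role's implementation.
    - name: Generate certificate to be revoked and revoke it
      include_role:
        name: nkakouros.easyrsa
        public: true
    # Force the CRL handler to fire now, before the second role run, so the
    # second run observes the already-revoked state.
    - meta: flush_handlers # noqa name[missing]
    # Second run: no clients to create, nothing to renew, but vars/revoke.yml
    # is still loaded, so the role is asked to revoke an already-revoked cert.
    - name: Try to re-revoke the revoked certificate
      include_role:
        name: nkakouros.easyrsa
      vars:
        easyrsa_clients: []
        easyrsa_renew: []
    # Both values are presumably registered task results from the second
    # run (`is not changed` requires a result object, not a bool) — confirm
    # against the role.
    - name: Check idempotency of certificate revocation
      assert:
        that:
          - _easyrsa_crl_regeneration_needed_due_to_revoke is not changed
          - _easyrsa_crl_regeneration_needed_due_to_revoke_renewed is not changed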
# Play 6: exercise PKI replacement twice on an alternate PKI dir — first
# creating a PKI with one client, then replacing it with no clients at all.
# NOTE(review): `easyrsa_replace_pki: true` is, by its name, destructive;
# targeting `easyrsa_pki_dir_alt` presumably keeps the primary PKI built by
# converge.yml intact for verify.yml — confirm the two paths differ in
# vars/common.yml.
- name: Replace pki
  hosts: all
  vars_files:
    - vars/common.yml
  roles:
    # first pass: fresh PKI with a single client
    - role: nkakouros.easyrsa
      easyrsa_pki_dir: "{{ easyrsa_pki_dir_alt }}"
      easyrsa_replace_pki: true
      easyrsa_clients:
        - name: one-client
    # second pass: replace the PKI just created; no clients requested
    - role: nkakouros.easyrsa
      easyrsa_pki_dir: "{{ easyrsa_pki_dir_alt }}"
      easyrsa_replace_pki: true