test: create self-signed certificate for Molecule test environment

1d4e5ee2 · Jörg Sachse · b1cbf562 · 1d4e5ee2 · 1d4e5ee2
Commit 1d4e5ee2 authored 1 year ago by Jörg Sachse
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -59,3 +59,48 @@
        ansible.builtin.file:
          path: "/etc/yum.repos.d/SLUB.repo"
          state: absent
+    - name: create self-signed certificates for Molecule testsuite if necessary
+      become: true
+      block:
+        - name: deploy certificate request config
+          ansible.builtin.template:
+            src: "req.conf.j2"
+            dest: "/etc/ssl/certs/req.conf"
+            mode: "0644"
+        - name: generate private key for self-signed TLS certificate
+          ansible.builtin.command: "openssl genrsa -out /etc/ssl/certs/server.key 4096"
+          changed_when: false
+        - name: >
+            generate certificate signing request (CSR) for self-signed
+            TLS certificate
+          ansible.builtin.command:
+            cmd: "openssl req -new -key /etc/ssl/certs/server.key -out /etc/ssl/certs/server.csr -subj '/C=DE/ST=Sachsen/L=Dresden/O=SLUB/OU=IT/CN={{ ansible_hostname }}.slub-dresden.de/emailAddress=joerg.sachse@slub-dresden.de' -addext 'subjectAltName = DNS:{{ ansible_hostname }}.slub-dresden.de, DNS:{{ ansible_hostname }}'"
+          changed_when: false
+        - name: generate self-signed TLS certificate
+          ansible.builtin.command: "openssl x509 -req -days 366 -in /etc/ssl/certs/server.csr -signkey /etc/ssl/certs/server.key -out /etc/ssl/certs/server.cert -copy_extensions copy"
+          changed_when: false
+        - name: set permissions on TLS certificate
+          ansible.builtin.file:
+            path: "/etc/ssl/certs/server.key"
+            mode: "0644"
+        - name: >
+            copy self-signed certificate to appropriate paths so they can be added
+            to the list of trusted certificates
+          ansible.builtin.copy:
+            src: "/etc/ssl/certs/server.cert"
+            dest: "{{ item }}"
+            remote_src: true
+            mode: "0644"
+          loop:
+            - "/usr/share/ca-certificates/{{ ansible_hostname }}-selfsigned.crt"
+            - "/etc/ssl/certs/{{ ansible_hostname }}-selfsigned.crt"
+          changed_when: false    # I don't have any idea why this isn't idempotent.
+        - name: >
+            configure ca-certificates.conf to include our self-signed certificate
+          ansible.builtin.lineinfile:
+            path: "/etc/ca-certificates.conf"
+            line: "{{ ansible_hostname }}-selfsigned.crt"
+        - name: update-ca-certificates to update /etc/ca-certificates.crt
+          ansible.builtin.command: "update-ca-certificates"
+          changed_when: false
--- a/molecule/resources/playbooks/req.conf.j2
+++ b/molecule/resources/playbooks/req.conf.j2
+#
+# req.conf
+#
+HOME					= .
+RANDFILE				= $ENV::HOME/.rnd
+[ req ]
+default_bits			= 4096
+distinguished_name		= req_distinguished_name
+attributes			= req_attributes
+string_mask 			= nombstr
+req_extensions 			= v3_req
+[ req_distinguished_name ]
+countryName			= Laendername (bitte nicht aendern)
+countryName_default		= DE
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= Bundesland (bitte nicht aendern)
+stateOrProvinceName_default	= Sachsen
+localityName			= Ortsbezeichnung (bitte nicht aendern)
+localityName_default		= Dresden
+0.organizationName		= Name der Organisation (bitte nicht aendern)
+0.organizationName_default	= Saechsische Landes-, Staats- und Universitaetsbibliothek Dresden
+0.organizationalUnitName		= <Abteilung>
+0.organizationalUnitName_default	= IT
+commonName			= Eindeutiger DNS-Name
+commonName_max			= 256
+emailAddress			= Ihre E-Mail-Adresse
+emailAddress_max		= 256
+# <!> ToDo: eindeutigen DNS-Namen eintragen
+commonName_default		= {{ ansible_hostname }}.slub-dresden.de
+subjectAltName		= @alt_names
+# <!> ToDo: E-Mail eintragen
+emailAddress_default		= example@slub-dresden.de
+[ req_attributes ]
+# unstructuredName		= An optional company name
+[ v3_req ]
+basicConstraints 	= CA:FALSE
+keyUsage		= nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName		= @alt_names
+# <!> ToDo: ALLE DNS-Namen (Primär + evtl. Weitere) hier eintragen
+[alt_names]
+DNS.1	=	{{ ansible_hostname }}.slub-dresden.de
+DNS.2	=	{{ ansible_hostname }}