ansible openssl_csr creation with dynamic CN and alt_names list

I am creating a private key and a CSR file via ansible. I am stuck on how to pass the CN and the alt names (a comma-separated list) to the ansible playbook.

The manual command and configuration file:

openssl req -new -sha256 -nodes -out NEW.csr -newkey rsa:2048 -keyout NEW.key -config config.txt

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C=US
ST=NEWYORK
L=CITY
O=ABC
OU=XYZ
emailAddress=ABC@XYZ.com
CN = uat.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = us.uat.com
DNS.2 = apac.uat.com
DNS.3 = 123
DNS.4 = abc
DNS.5 = xyz

I have created the playbook below but am stuck on how to pass the CN and the alt_names as a comma-separated list as input. If a CN with alt_names already exists, I would like ansible to append/add the DNS server entries to the config file and generate a new csr file.

  - name: Generate an OpenSSL private RSA key with size-2048 bits
    openssl_privatekey:
      path: API.key_{{ansible_date_time.iso8601}}
      type: RSA
      size: 2048
    register: privatekey

  - name: Generate an OpenSSL certificate signing request file based on input key values
    openssl_csr:
      path: API.csr_{{ansible_date_time.iso8601}}
      privatekey_path: "{{ privatekey.filename }}"
      common_name: "{{ CN }}"
      group: apigee
      owner: apigee
      mode: '700'
      digest: sha256
      email_address: abc@xyz.com
      country_name: US
      locality_name:
      organization_name:
      organizational_unit_name:
      state_or_province_name:
      subject_alt_name: "{{ item.value | map('regex_replace', '^', 'DNS:') | list }}"
    with_dict:
      dns_server:
        - www.ansible.com
        - m.ansible.com

  - debug: var="{{ item }}"
    with_items:
      - csr.filename
      - csr.privatekey
      - csr.subject
      - csr.subjectAltName

Hi, please try this snippet:

  vars:
    CN: uat.com
    dns_server:
      - www.ansible.com
      - m.ansible.com

  tasks:

  - name: Generate an OpenSSL private RSA key with size-2048 bits
    openssl_privatekey:
      path: API.key_{{ansible_date_time.iso8601}}
      type: RSA
      size: 2048
    register: privatekey

  - name: Generate an OpenSSL certificate signing request file based on input key values
    openssl_csr:
      path: API.csr_{{ansible_date_time.iso8601}}
      privatekey_path: "{{ privatekey.filename }}"
      common_name: "{{ CN }}"
      group: apigee
      owner: apigee
      mode: '700'
      digest: sha256
      email_address:  abc@xyz.com
      country_name: US
      locality_name:  
      organization_name:  
      organizational_unit_name:  
      state_or_province_name:  
      subject_alt_name: "{{ item.value | map('regex_replace', '^', 'DNS:') | list }}"
    with_dict:
      dns_server: "{{dns_server}}"
    register: csr

  - set_fact:
      res: "{{csr.results[0]}}"

  - debug: var="{{item}}"
    with_items:
    - res.filename
    - res.privatekey
    - res.subject
    - res.subjectAltName

Option 1: pass extra_vars as a dictionary

ansible-playbook test.yaml -vv -e '{"CN":"uat.com","dns_server":["www.ansible.com","m.ansible.com"]}'

Option 2: multiple extra_vars, but this needs a variable conversion in the playbook: dns_server: "{{ dns_server_list.split(',') }}"

ansible-playbook test.yaml -vv -e "dns_server_list=www.ansible.com,m.ansible.com" -e "CN=uat.com"

The test.yaml below:

---
- hosts: loadbalancer
  vars:
    dns_server: "{{ dns_server_list.split(',') }}"
  tasks:
  - name: debug CN
    debug:
      msg: "{{ CN }}"
    when: CN is defined
  - name: debug dns_server
    debug:
      msg: "{{ dns_server }}"
    when: dns_server is defined

produces the following output:

TASK [debug CN] ************************************************************************************************************************************
task path: /vagrant/provisioning/testvar.yaml:4
ok: [loadbalancer] => {
    "msg": "uat.com"
}

TASK [debug dns_server] ****************************************************************************************************************************
task path: /vagrant/provisioning/testvar.yaml:8
ok: [loadbalancer] => {
    "msg": [
        "www.ansible.com", 
        "m.ansible.com"
    ]
}
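As an added example (my own code, not from the question or the answer), here is the manual config.txt step from the question as a POSIX shell function: it takes the CN and the comma-separated SAN list, merges the new names with any DNS.* entries already present in an existing config so that a re-run appends instead of duplicating, and rejects values that are not plain hostnames, since a value passed through -e ends up verbatim in the OpenSSL config. The function name and the hostname rule are my assumptions; the DN fields are the ones from the question.

```shell
# gen_req_config CN "san1,san2,..." [existing_config]  -> req config on stdout
gen_req_config() {
    cn=$1
    new_sans=$2
    existing=${3:-}
    # DNS.* names already present in an existing config, if one is given.
    old_sans=""
    if [ -n "$existing" ] && [ -f "$existing" ]; then
        old_sans=$(sed -n 's/^DNS\.[0-9]*[[:space:]]*=[[:space:]]*//p' "$existing")
    fi
    # Old names first, then the new comma-separated ones; trim and drop duplicates.
    all=$(printf '%s\n%s\n' "$old_sans" "$(printf '%s' "$new_sans" | tr ',' '\n')" \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | awk 'NF && !seen[$0]++')
    # Only hostname characters (plus '*' for wildcards) are allowed: a stray
    # newline or '=' in an extra_var would otherwise inject extra config lines.
    if printf '%s\n%s\n' "$cn" "$all" | grep -Eqv '^[A-Za-z0-9.*-]+$'; then
        echo "gen_req_config: empty SAN list or invalid hostname in: $cn $all" >&2
        return 1
    fi
    cat <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = NEWYORK
L = CITY
O = ABC
OU = XYZ
emailAddress = ABC@XYZ.com
CN = $cn

[req_ext]
subjectAltName = @alt_names

[alt_names]
EOF
    i=0
    printf '%s\n' "$all" | while IFS= read -r name; do
        i=$((i + 1))
        printf 'DNS.%d = %s\n' "$i" "$name"
    done
}
```

Typical use: `gen_req_config uat.com "$dns_server_list" config.txt > config.new && mv config.new config.txt`, followed by the openssl req command from the question.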