Deprecated

Removed in 0.24.0

Reason: These features are now available in step_ca_provisioner. This module directly edits the ca.json config, which is not recommended.

Alternative: Use M(maxhoesel.smallstep.step_ca_provisioner)'s ssh_/x509_ flags instead.

maxhoesel.smallstep.step_ca_provisioner_claims (0.23.1) — module

Manage default or provisioner claims on a C(step-ca) server

Added in version 0.2.1 of maxhoesel.smallstep

Authors: Max Hösel (@maxhoesel)

Install collection

Install with ansible-galaxy collection install maxhoesel.smallstep:==0.23.1


Add to requirements.yml

  collections:
    - name: maxhoesel.smallstep
      version: 0.23.1

Description

This module can add, update or remove claims (such as certificate duration) on a step-ca server. You can either modify the claims of an individual provisioner, or change the default global claims.

Usage examples

- name: Change the TLS cert duration of a provisioner
  maxhoesel.smallstep.step_ca_provisioner_claims:
    name: webtokens-1
    type: JWK
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h
- name: Change default (global) claims
  maxhoesel.smallstep.step_ca_provisioner_claims:
    global_claims: yes
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h
- name: Overwrite the claims of a provisioner with the given parameters
  maxhoesel.smallstep.step_ca_provisioner_claims:
    name: webtokens-1
    type: JWK
    exclusive: yes
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h

Inputs

name:
    description: The name of the provisioner to modify. If multiple provisioners have
      the same name, all of them will be modified unless I(type) is set. Has no effect
      if I(global_claims) is true.
    type: str

type:
    choices:
    - JWK
    - OIDC
    - AWS
    - GCP
    - Azure
    - ACME
    - X5C
    - K8sSA
    - SSHPOP
    description: Only modify the provisioner that has this type. Only effective if multiple
      provisioners with the same name exist. Has no effect if I(global_claims) is true.
      Case-sensitive.
    type: str

ca_config:
    default: $STEPPATH/config/ca.json
    description: The path to the certificate authority configuration file on the host.
    type: path

exclusive:
    default: false
    description: Replace all existing claims for the selected scope with the ones defined
      in the module parameters.
    type: bool

enable_SSHCA:
    description: Enable this provisioner to issue SSH certificates.
    type: bool

global_claims:
    default: false
    description: If enabled, modify the global defaults instead of specific provisioners.
      In this case, I(name) and I(type) are ignored.
    type: bool

disable_renewal:
    description: Disable renewals with this provisioner.
    type: bool

max_host_ssh_duration:
    description: Do not allow host SSH certificates with a duration greater than this value.
    type: str

max_tls_cert_duration:
    description: Do not allow TLS (X.509) certificates with a duration greater than this value.
    type: str

max_user_ssh_duration:
    description: Do not allow user SSH certificates with a duration greater than this value.
    type: str

min_host_ssh_duration:
    description: Do not allow host SSH certificates with a duration less than this value.
    type: str

min_tls_cert_duration:
    description: Do not allow TLS (X.509) certificates with a duration less than this value.
    type: str

min_user_ssh_duration:
    description: Do not allow user SSH certificates with a duration less than this value.
    type: str

disable_issued_at_check:
    description: Disable the check that requires provisioning tokens to have been issued
      after the CA booted. This claim is one protection against token reuse. The default
      value is false. Do not change this unless you know what you are doing.
    type: bool

default_host_ssh_duration:
    description: If no validity period is specified for a host SSH certificate, use this value.
    type: str

default_tls_cert_duration:
    description: If no validity period is specified for a TLS (X.509) certificate, use this value.
    type: str

default_user_ssh_duration:
    description: If no validity period is specified for a user SSH certificate, use this value.
    type: str

Outputs

claims:
  description: Dictionary containing the claims of the selected scope. Dict of dict
    if multiple provisioners were selected, with the provisioner type as key.
  returned: always
  type: dict
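As an added illustration of the scope and merge rules documented above (this is not the module's own code), the following Python sketch applies the same name/type/global_claims/exclusive semantics to a constructed ca.json fragment and returns the claims in the shape described under Outputs. The camelCase claim keys are assumed from step-ca's ca.json layout, and the duration-ordering check is an extra sanity check worth running before a config file is written.

```python
import json
import re

# Constructed ca.json fragment (not a real CA config). step-ca keeps global default claims
# under authority.claims and per-provisioner claims inside each provisioners[] entry.
SAMPLE_CA_JSON = json.dumps({"authority": {
    "claims": {"minTLSCertDuration": "5m", "maxTLSCertDuration": "24h",
               "defaultTLSCertDuration": "24h"},
    "provisioners": [
        {"name": "webtokens-1", "type": "JWK", "claims": {"maxTLSCertDuration": "48h"}},
        {"name": "webtokens-1", "type": "OIDC"}]}})

# Module parameter -> ca.json claim key (assumed camelCase names used by step-ca).
CLAIM_KEYS = {"min_tls_cert_duration": "minTLSCertDuration",
              "max_tls_cert_duration": "maxTLSCertDuration",
              "default_tls_cert_duration": "defaultTLSCertDuration"}

def apply_claims(ca_json, params, name=None, type_=None, global_claims=False, exclusive=False):
    """Return (updated config, claims) following the scope rules described in the docs."""
    cfg = json.loads(ca_json)
    new = {CLAIM_KEYS[k]: v for k, v in params.items()}
    if global_claims:  # name and type are ignored for the global scope
        targets = [cfg["authority"]]
    else:
        targets = [p for p in cfg["authority"]["provisioners"]
                   if p.get("name") == name and (type_ is None or p.get("type") == type_)]
        if not targets:
            raise ValueError(f"no provisioner matched name={name!r} type={type_!r}")
    for t in targets:  # exclusive replaces the scope's claims, otherwise merge and override
        t["claims"] = dict(new) if exclusive else {**t.get("claims", {}), **new}
    if len(targets) == 1:
        return cfg, targets[0]["claims"]
    return cfg, {t["type"]: t["claims"] for t in targets}  # dict of dict keyed by type

def to_seconds(dur):
    """Parse a Go-style duration ('24h', '1h30m', '90s') into seconds."""
    parts = re.findall(r"(\d+)([hms])", dur)
    if not parts or "".join(n + u for n, u in parts) != dur:
        raise ValueError(f"unparseable duration {dur!r}")
    return sum(int(n) * {"h": 3600, "m": 60, "s": 1}[u] for n, u in parts)

def tls_durations_consistent(claims):
    """True when minTLSCertDuration <= defaultTLSCertDuration <= maxTLSCertDuration."""
    lo, dflt, hi = (to_seconds(claims[k]) for k in
                    ("minTLSCertDuration", "defaultTLSCertDuration", "maxTLSCertDuration"))
    return lo <= dflt <= hi
```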