solace.pubsub_plus.solace_client_cert_authority (1.12.2) — module

client certificate authority

Authors: Ricardo Gomez-Ulmke (@rjgu)

preview | supported by community

Install collection

Install with ansible-galaxy collection install solace.pubsub_plus:==1.12.2


Add to requirements.yml

  collections:
    - name: solace.pubsub_plus
      version: 1.12.2

Description

Allows addition, removal and configuration of client certificate authority objects (the CAs a broker trusts when authenticating clients by certificate) on Solace Brokers in an idempotent manner.

Supports standalone brokers and Solace Cloud.


Requirements

Usage examples

# Copyright (c) 2022, Solace Corporation, Ricardo Gomez-Ulmke, <ricardo.gomez-ulmke@solace.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

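-
  name: "solace_client_cert_authority.doc-example"
  hosts: all
  gather_facts: false
  any_errors_fatal: true
  collections:
    - solace.pubsub_plus
  # Connection settings shared by every solace.* module used below. The broker
  # credentials and the Solace Cloud token come from inventory / vault variables;
  # do not fall back to the modules' built-in defaults ('admin'/'admin').
  module_defaults:
    solace.pubsub_plus.solace_gather_facts:
      host: "{{ sempv2_host }}"
      port: "{{ sempv2_port }}"
      secure_connection: "{{ sempv2_is_secure_connection }}"
      username: "{{ sempv2_username }}"
      password: "{{ sempv2_password }}"
      timeout: "{{ sempv2_timeout }}"
      solace_cloud_api_token: "{{ SOLACE_CLOUD_API_TOKEN if broker_type=='solace_cloud' else omit }}"
      solace_cloud_service_id: "{{ solace_cloud_service_id | default(omit) }}"
    solace.pubsub_plus.solace_client_cert_authority:
      host: "{{ sempv2_host }}"
      port: "{{ sempv2_port }}"
      secure_connection: "{{ sempv2_is_secure_connection }}"
      username: "{{ sempv2_username }}"
      password: "{{ sempv2_password }}"
      timeout: "{{ sempv2_timeout }}"
      solace_cloud_api_token: "{{ SOLACE_CLOUD_API_TOKEN if broker_type=='solace_cloud' else omit }}"
      solace_cloud_service_id: "{{ solace_cloud_service_id | default(omit) }}"
    solace.pubsub_plus.solace_get_client_cert_authorities:
      host: "{{ sempv2_host }}"
      port: "{{ sempv2_port }}"
      secure_connection: "{{ sempv2_is_secure_connection }}"
      username: "{{ sempv2_username }}"
      password: "{{ sempv2_password }}"
      timeout: "{{ sempv2_timeout }}"
      solace_cloud_api_token: "{{ SOLACE_CLOUD_API_TOKEN if broker_type=='solace_cloud' else omit }}"
      solace_cloud_service_id: "{{ solace_cloud_service_id | default(omit) }}"
    # The OCSP trusted-CN modules have no Solace Cloud variant, so no token/service id here.
    solace.pubsub_plus.solace_client_cert_authority_ocsp_trusted_cn:
      host: "{{ sempv2_host }}"
      port: "{{ sempv2_port }}"
      secure_connection: "{{ sempv2_is_secure_connection }}"
      username: "{{ sempv2_username }}"
      password: "{{ sempv2_password }}"
      timeout: "{{ sempv2_timeout }}"
    solace.pubsub_plus.solace_get_client_cert_authority_ocsp_trusted_cns:
      host: "{{ sempv2_host }}"
      port: "{{ sempv2_port }}"
      secure_connection: "{{ sempv2_is_secure_connection }}"
      username: "{{ sempv2_username }}"
      password: "{{ sempv2_password }}"
      timeout: "{{ sempv2_timeout }}"
  tasks:
  - name: gather facts
    solace_gather_facts:
    # no_log: true
  - set_fact:
      is_solace_cloud: "{{ ansible_facts.solace.isSolaceCloud }}"
      sempv2_version: "{{ ansible_facts.solace.about.api.sempVersion }}"
      working_dir: "{{ WORKING_DIR }}"
      cert_file: "{{ WORKING_DIR }}/cert.pem"

  # Compare as a version string, not as a float: '2.20'|float is 2.2, which
  # would wrongly end the play on SEMP 2.20 and later.
  - name: end play if incorrect sempV2 version
    meta: end_play
    when: sempv2_version is version('2.19', '<')

  # Self-signed throw-away certificate for the example. '-nodes' writes an
  # unencrypted private key into working_dir; outside of a demo, use a
  # certificate issued by a real CA and keep the key out of the working dir.
  - name: "main: generate certificate"
    command: >
      openssl req
      -x509
      -newkey
      rsa:4096
      -keyout {{ working_dir }}/key.pem
      -out {{ cert_file }}
      -days 365
      -nodes
      -subj "/C=UK/ST=London/L=London/O=Solace/OU=Org/CN=www.example.com"

  # Registers the certificate as a trusted client CA on the broker.
  # revocationCheckEnabled is switched off only because the demo CA publishes
  # no CRL/OCSP endpoint; leave revocation checking on for production CAs.
  - name: create cert authority
    solace_client_cert_authority:
      name: asc_test
      settings:
        certContent: "{{ lookup('file', cert_file) }}"
        revocationCheckEnabled: false
      state: present

  - name: get config of cert authority
    solace_get_client_cert_authorities:
      query_params:
        where:
          - "certAuthorityName==asc_test"

  - name: get monitor of cert authority
    solace_get_client_cert_authorities:
      api: monitor
      query_params:
        where:
          - "certAuthorityName==asc_test"

# set an OCSP trusted name
# note: not available in Solace Cloud API
  - name: set trusted name
    block:
    - name: add trusted name
      solace_client_cert_authority_ocsp_trusted_cn:
        name: "*.domain.com"
        client_cert_authority_name: asc_test
        state: present

    - name: get list of trusted names
      solace_get_client_cert_authority_ocsp_trusted_cns:
        client_cert_authority_name: asc_test

    - name: remove trusted name
      solace_client_cert_authority_ocsp_trusted_cn:
        name: "*.domain.com"
        client_cert_authority_name: asc_test
        state: absent

    # The fact may arrive as a string depending on Jinja native typing; cast
    # explicitly so 'False' is not treated as truthy.
    when: not (is_solace_cloud | bool)

  - name: remove cert authority
    solace_client_cert_authority:
      name: asc_test
      state: absent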

Inputs

    
host:
    default: localhost
    description: Hostname of Solace Broker.
    required: false
    type: str

name:
    description: The name of the Client Certificate Authority. Maps to 'certAuthorityName'
      in the Sempv2 API.
    required: true
    type: str

port:
    default: 8080
    description: Management port of Solace Broker.
    required: false
    type: int

state:
    choices:
    - present
    - absent
    default: present
    description: Target state.
    required: false
    type: str

timeout:
    default: 10
    description: Connection timeout in seconds for the http request.
    required: false
    type: int

password:
    default: admin
    description: Administrator password for Solace Broker. The default only suits a fresh
      local test broker; supply the real password from Ansible Vault or the environment
      rather than hard-coding it in a playbook.
    required: false
    type: str

username:
    default: admin
    description: Administrator username for Solace Broker.
    required: false
    type: str

x_broker:
    description: Custom HTTP header with the broker virtual router id, if using a SEMPv2
      Proxy/agent infrastructure.
    required: false
    type: str

reverse_proxy:
    description: 'Use a reverse proxy / api gateway. Note: B(Experimental. Not permitted
      for Solace Cloud API).'
    required: false
    suboptions:
      headers:
        description: 'Additional headers to add to the http call. Example: ''apiKey: {my-api-key}''.'
        required: false
        suboptions:
          x-asc-module:
            default: false
            description: Flag for the module to add the header 'x-asc-module:{module-name}'
              to the http call with its module name.
            required: false
            type: bool
          x-asc-module-op:
            default: false
            description: Flag for the module to add the header 'x-asc-module-op:{module
              operation}' to the http call with the module's operation.
            required: false
            type: bool
        type: dict
      query_params:
        description: 'Additional query parameters to add to the URL. Example: ''apiCode:
          {my-api-code}''.'
        required: false
        type: dict
      semp_base_path:
        description: 'Base path prepended to all SEMP calls. Example: ''my/base/path''.
          Resulting URL will be: http(s)://{host}:{port}/{semp_base_path}/{module-semp-call-path}'
        required: false
        type: str
      use_basic_auth:
        default: false
        description: Flag to use basic authentication in the http(s) call or not. Uses
          'username'/'password'.
        required: false
        type: bool
    type: dict

validate_certs:
    default: true
    description: Flag to switch validation of the broker's TLS server certificate on/off
      when using a secure connection. Keep it enabled outside of test setups; disabling
      it removes the check that the endpoint you send credentials to is the real broker.
    required: false
    type: bool

sempv2_settings:
    aliases:
    - settings
    description: JSON dictionary of additional configuration for the SEMP V2 API. See
      Reference documentation.
    required: false
    type: dict

secure_connection:
    default: false
    description: If true, use https rather than http. Over plain http the administrator
      credentials and any submitted settings are transmitted unencrypted.
    required: false
    type: bool

solace_cloud_home:
    choices:
    - us
    - au
    - US
    - AU
    - ''
    description: The Solace Cloud home region.
    required: false
    type: str

solace_cloud_api_token:
    description:
    - The API Token.
    - Generate using Solace Cloud console with the least permissions needed for the operations
      you want to enable, and handle the token as a secret (vault or environment variable).
    - Either both (solace_cloud_api_token AND solace_cloud_service_id) must be provided
      or none.
    required: false
    type: str

solace_cloud_service_id:
    description:
    - The service id in Solace Cloud.
    - Click on the service in Solace Cloud - the service id is in the URL.
    - Either both (solace_cloud_api_token AND solace_cloud_service_id) must be provided
      or none.
    required: false
    type: str

Outputs

msg:
  description: The response from the HTTP call in case of error.
  returned: error
  type: dict
rc:
  description: Return code. rc=0 on success, rc=1 on error.
  returned: always
  sample:
    error:
      rc: 1
    success:
      rc: 0
  type: int
response:
  description: The response from the Solace Sempv2 request.
  returned: success
  type: dict

See also