Make tlsverify optional (#18)

- add a variable `docker_tls_verify` - if `true` will require that TLS certificates can be verified by a root authority - copy server CA certificate to Ansible Controller cache (so it can then be copied to clients) - rename `meta/requirements.yml` to `meta/collections.yml`, otherwise this role cannot be installed using `ansible-galaxy` (it complains that the requirements file contains a collection)
UCL-MIRSG · Nov 22, 2023 · 15e4581 · 15e4581
1 parent 7d6b491
commit 15e4581
Show file tree

Hide file tree

Showing 8 changed files with 35 additions and 21 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -13,5 +13,5 @@ jobs:
     steps:
       - uses: UCL-MIRSG/.github/actions/linting@v0.26.0
         with:
-          ansible-roles-config: ./meta/requirements.yml
+          ansible-roles-config: ./meta/collections.yml
           pre-commit-config: ./.pre-commit-config.yaml
diff --git a/README.md b/README.md
@@ -17,29 +17,36 @@ This role is for installing [docker-ce](https://docs.docker.com/engine/install/)
 If you would like to [configure](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket)
 your Docker server such that clients can connect to it via TLS, you can also use this role to generate the necessary certificates.
 The following variables can be used to configure certificate creation and signing:
-
-| Name                                        | Description                                                                                                                                    |
+docker_tls_verify
+| Name | Description |
 | ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
-| `docker_generate_certificates`              | If `true`, CA, server, and client certificates will be generated. Defaults to `false`                                                          |
-| `docker_certificate_directory`              | Directory in which to store the certificates. Defaults to `/home/docker/.docker`                                                               |
-| `docker_config_dir`                         | Docker configuration directory. Defaults to `/etc/docker`                                                                                      |
-| `docker_daemon_conf_file`                   | Docker daemon configuration filename. Defaults to `/etc/docker/daemon.json`                                                                    |
-| `docker_server_hostname`                    | Hostname of your Docker server. Used for the `commonName` field of the certificate signing request subject. Defaults to `"{{ ansible_host }}"` |
-| `docker_server_ip`                          | IP address of your Docker server. Defaults to `0.0.0.0`                                                                                        |
-| `docker_ca_key`                             | Filename for the CA certificate key. Defaults to `/home/docker/.docker/ca.key`                                                                 |
-| `docker_ca_csr`                             | Filename for the CA certificate signing request. Defaults to `/home/docker/.docker/ca.csr`                                                     |
-| `docker_ca_cert`                            | Filename for the CA certificate. Defaults to `/home/docker/.docker/ca.pem`                                                                     |
-| `docker_server_key`                         | Filename for the server certificate key. Defaults to `/home/docker/.docker/server-key.pem`                                                     |
-| `docker_server_csr`                         | Filename for the server certificate signing request. Defaults to `/home/docker/.docker/server.csr`                                             |
-| `docker_server_cert`                        | Filename for the server certificate. Defaults to `/home/docker/.docker/server-cert.pem`                                                        |
-| `docker_client_hostnames`                   | List of hostnames of clients that will connect to the server. Defaults to `[]`                                                                 |
-| `docker_client_certificate_directory`       | Directory in which to store the client certificates. Defaults to `/home/docker/.docker/client_certs`                                           |
-| `docker_client_certificate_cache_directory` | Directory in which to client certificates will be copied to. Defaults to `~/ansible_persistent_files/docker_certificates`                      |
+| `docker_generate_certificates` | If `true`, CA, server, and client certificates will be generated. Defaults to `false` |
+| `docker_certificate_directory` | Directory in which to store the certificates. Defaults to `/home/docker/.docker` |
+| `docker_config_dir` | Docker configuration directory. Defaults to `/etc/docker` |
+| `docker_daemon_conf_file` | Docker daemon configuration filename. Defaults to `/etc/docker/daemon.json` |
+| `docker_server_hostname` | Hostname of your Docker server. Used for the `commonName` field of the certificate signing request subject. Defaults to `"{{ ansible_host }}"` |
+| `docker_server_ip` | IP address of your Docker server. Defaults to `0.0.0.0` |
+| `docker_tls_verify` | If `true`, require that TLS certificates can be verified by a root authority. Defaults to `true` |
+| `docker_ca_key` | Filename for the CA certificate key. Defaults to `/home/docker/.docker/ca.key` |
+| `docker_ca_csr` | Filename for the CA certificate signing request. Defaults to `/home/docker/.docker/ca.csr` |
+| `docker_ca_cert` | Filename for the CA certificate. Defaults to `/home/docker/.docker/ca.pem` |
+| `docker_server_key` | Filename for the server certificate key. Defaults to `/home/docker/.docker/server-key.pem` |
+| `docker_server_csr` | Filename for the server certificate signing request. Defaults to `/home/docker/.docker/server.csr` |
+| `docker_server_cert` | Filename for the server certificate. Defaults to `/home/docker/.docker/server-cert.pem` |
+| `docker_client_hostnames` | List of hostnames of clients that will connect to the server. Defaults to `[]` |
+| `docker_client_certificate_directory` | Directory in which to store the client certificates. Defaults to `/home/docker/.docker/client_certs` |
+| `docker_client_certificate_cache_directory` | Directory in which to client certificates will be copied to. Defaults to `~/ansible_persistent_files/docker_certificates` |
 
 If you have specified a list of clients in `docker_client_hostnames`, the certificate for each client will be stored locally on your Ansible
 controller in the folder `docker_client_certificate_cache_directory`. You will then need to copy these certificates to the corresponding
 client.
 
+## Dependencies
+
+You will need to install the following collections before using `mirsg.docker`:
+
+- `community.crypto`
+
 ## Installation
 
 Include in a requirements.yml file as follows:

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -22,6 +22,7 @@ docker_daemon_conf_file: "/etc/docker/daemon.json"
 docker_server_hostname: "{{ ansible_host }}"
 docker_server_ip: "0.0.0.0"
 docker_server_port: "2376"
+docker_tls_verify: true
 
 # mirsg.docker CA certificate
 docker_ca_key: "{{ docker_certificate_directory }}/ca.key"

diff --git a/meta/requirements.yml → meta/collections.yml b/meta/requirements.yml → meta/collections.yml
diff --git a/molecule/centos7/molecule.yml b/molecule/centos7/molecule.yml
@@ -2,7 +2,7 @@
 dependency:
   name: galaxy
   options:
-    role-file: meta/requirements.yml
+    requirements-file: meta/collections.yml
     force: true
 
 driver:

diff --git a/molecule/rocky8/molecule.yml b/molecule/rocky8/molecule.yml
@@ -2,7 +2,7 @@
 dependency:
   name: galaxy
   options:
-    role-file: meta/requirements.yml
+    requirements-file: meta/collections.yml
     force: true
 
 driver:

diff --git a/tasks/server-cert.yml b/tasks/server-cert.yml
@@ -25,3 +25,9 @@
     mode: "0400"
   notify:
     - Restart docker
+
+- name: Copy server CA certificate to Ansible Controller cache
+  ansible.builtin.fetch:
+    src: "{{ docker_ca_cert }}"
+    dest: "{{ docker_client_certificate_cache_directory }}/ca.pem"
+    flat: true
diff --git a/templates/daemon.json.j2 b/templates/daemon.json.j2
@@ -1,6 +1,6 @@
 {
    "hosts": ["tcp://{{ docker_server_ip }}:{{ docker_server_port }}", "unix:///var/run/docker.sock"],
-   "tlsverify": true,
+   "tlsverify": {{ docker_tls_verify | lower }},
    "tlscacert": "{{ docker_ca_cert }}",
    "tlscert": "{{ docker_server_cert }}",
    "tlskey": "{{ docker_server_key }}"