diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 5423ce1..84d75a3 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -13,5 +13,5 @@ jobs:
steps:
- uses: UCL-MIRSG/.github/actions/linting@v0.26.0
with:
- ansible-roles-config: ./meta/requirements.yml
+ ansible-roles-config: ./meta/collections.yml
pre-commit-config: ./.pre-commit-config.yaml
diff --git a/README.md b/README.md
index b7f6fb8..22c8b3c 100644
--- a/README.md
+++ b/README.md
@@ -17,29 +17,36 @@ This role is for installing [docker-ce](https://docs.docker.com/engine/install/) If you would like to [configure](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket) your Docker server such that clients can connect to it via TLS, you can also use this role to generate the necessary certificates. The following variables can be used to configure certificate creation and signing: - -| Name | Description | +docker_tls_verify +| Name | Description | | ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | -| `docker_generate_certificates` | If `true`, CA, server, and client certificates will be generated. Defaults to `false` | -| `docker_certificate_directory` | Directory in which to store the certificates. Defaults to `/home/docker/.docker` | -| `docker_config_dir` | Docker configuration directory. Defaults to `/etc/docker` | -| `docker_daemon_conf_file` | Docker daemon configuration filename. Defaults to `/etc/docker/daemon.json` | -| `docker_server_hostname` | Hostname of your Docker server. Used for the `commonName` field of the certificate signing request subject. Defaults to `"{{ ansible_host }}"` | -| `docker_server_ip` | IP address of your Docker server. Defaults to `0.0.0.0` | -| `docker_ca_key` | Filename for the CA certificate key. Defaults to `/home/docker/.docker/ca.key` | -| `docker_ca_csr` | Filename for the CA certificate signing request. Defaults to `/home/docker/.docker/ca.csr` | -| `docker_ca_cert` | Filename for the CA certificate. Defaults to `/home/docker/.docker/ca.pem` | -| `docker_server_key` | Filename for the server certificate key. Defaults to `/home/docker/.docker/server-key.pem` | -| `docker_server_csr` | Filename for the server certificate signing request. 
Defaults to `/home/docker/.docker/server.csr` | -| `docker_server_cert` | Filename for the server certificate. Defaults to `/home/docker/.docker/server-cert.pem` | -| `docker_client_hostnames` | List of hostnames of clients that will connect to the server. Defaults to `[]` | -| `docker_client_certificate_directory` | Directory in which to store the client certificates. Defaults to `/home/docker/.docker/client_certs` | -| `docker_client_certificate_cache_directory` | Directory in which to client certificates will be copied to. Defaults to `~/ansible_persistent_files/docker_certificates` | +| `docker_generate_certificates` | If `true`, CA, server, and client certificates will be generated. Defaults to `false` | +| `docker_certificate_directory` | Directory in which to store the certificates. Defaults to `/home/docker/.docker` | +| `docker_config_dir` | Docker configuration directory. Defaults to `/etc/docker` | +| `docker_daemon_conf_file` | Docker daemon configuration filename. Defaults to `/etc/docker/daemon.json` | +| `docker_server_hostname` | Hostname of your Docker server. Used for the `commonName` field of the certificate signing request subject. Defaults to `"{{ ansible_host }}"` | +| `docker_server_ip` | IP address of your Docker server. Defaults to `0.0.0.0` | +| `docker_tls_verify` | If `true`, require that TLS certificates can be verified by a root authority. Defaults to `true` | +| `docker_ca_key` | Filename for the CA certificate key. Defaults to `/home/docker/.docker/ca.key` | +| `docker_ca_csr` | Filename for the CA certificate signing request. Defaults to `/home/docker/.docker/ca.csr` | +| `docker_ca_cert` | Filename for the CA certificate. Defaults to `/home/docker/.docker/ca.pem` | +| `docker_server_key` | Filename for the server certificate key. Defaults to `/home/docker/.docker/server-key.pem` | +| `docker_server_csr` | Filename for the server certificate signing request. 
Defaults to `/home/docker/.docker/server.csr` | +| `docker_server_cert` | Filename for the server certificate. Defaults to `/home/docker/.docker/server-cert.pem` | +| `docker_client_hostnames` | List of hostnames of clients that will connect to the server. Defaults to `[]` | +| `docker_client_certificate_directory` | Directory in which to store the client certificates. Defaults to `/home/docker/.docker/client_certs` | +| `docker_client_certificate_cache_directory` | Directory in which to client certificates will be copied to. Defaults to `~/ansible_persistent_files/docker_certificates` | If you have specified a list of clients in `docker_client_hostnames`, the certificate for each client will be stored locally on your Ansible controller in the folder `docker_client_certificate_cache_directory`. You will then need to copy these certificates to the corresponding client. +## Dependencies + +You will need to install the following collections before using `mirsg.docker`: + +- `community.crypto` + ## Installation Include in a requirements.yml file as follows: diff --git a/defaults/main.yml b/defaults/main.yml index 8b40ccd..97133d4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,6 +22,7 @@ docker_daemon_conf_file: "/etc/docker/daemon.json" docker_server_hostname: "{{ ansible_host }}" docker_server_ip: "0.0.0.0" docker_server_port: "2376" +docker_tls_verify: true # mirsg.docker CA certificate docker_ca_key: "{{ docker_certificate_directory }}/ca.key" diff --git a/meta/requirements.yml b/meta/collections.yml similarity index 100% rename from meta/requirements.yml rename to meta/collections.yml diff --git a/molecule/centos7/molecule.yml b/molecule/centos7/molecule.yml index 351946b..428e023 100644 --- a/molecule/centos7/molecule.yml +++ b/molecule/centos7/molecule.yml @@ -2,7 +2,7 @@ dependency: name: galaxy options: - role-file: meta/requirements.yml + requirements-file: meta/collections.yml force: true driver: 
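Review bot: The new `docker_tls_verify: true` default in defaults/main.yml carries no comment, yet it is the one switch in this file that can turn the TLS-protected tcp listener (the neighbouring `docker_server_ip: "0.0.0.0"` and `docker_server_port: "2376"` defaults bind it on every interface) into an endpoint that any network client can drive without presenting a certificate, which is root-equivalent access to the host. I would add directly above the new line: `# Leave true outside throwaway test setups: with tlsverify off, anyone who can reach tcp://<docker_server_ip>:<docker_server_port> controls the daemon without a client certificate`. It is also worth confirming against the daemon docs whether a false value, with no separate `"tls": true` in daemon.json, drops encryption as well as client verification, and saying so in the comment if it does.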
diff --git a/molecule/rocky8/molecule.yml b/molecule/rocky8/molecule.yml index 017320b..fa0637c 100644 --- a/molecule/rocky8/molecule.yml +++ b/molecule/rocky8/molecule.yml @@ -2,7 +2,7 @@ dependency: name: galaxy options: - role-file: meta/requirements.yml + requirements-file: meta/collections.yml force: true driver: diff --git a/tasks/server-cert.yml b/tasks/server-cert.yml index ceb1117..3c4f199 100644 --- a/tasks/server-cert.yml +++ b/tasks/server-cert.yml @@ -25,3 +25,9 @@ mode: "0400" notify: - Restart docker + +- name: Copy server CA certificate to Ansible Controller cache + ansible.builtin.fetch: + src: "{{ docker_ca_cert }}" + dest: "{{ docker_client_certificate_cache_directory }}/ca.pem" + flat: true diff --git a/templates/daemon.json.j2 b/templates/daemon.json.j2 index 98b549d..3769115 100644 --- a/templates/daemon.json.j2 +++ b/templates/daemon.json.j2 @@ -1,6 +1,6 @@ { "hosts": ["tcp://{{ docker_server_ip }}:{{ docker_server_port }}", "unix:///var/run/docker.sock"], - "tlsverify": true, + "tlsverify": {{ docker_tls_verify | lower }}, "tlscacert": "{{ docker_ca_cert }}", "tlscert": "{{ docker_server_cert }}", "tlskey": "{{ docker_server_key }}"
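Review bot: The added fetch in tasks/server-cert.yml writes every host's CA to the same controller path `{{ docker_client_certificate_cache_directory }}/ca.pem`, so when the role runs against more than one Docker server in a play the last host's `ca.pem` silently overwrites the others and a client handed that file cannot verify the server it was meant for. Since `docker_ca_key` and `docker_ca_cert` default to per-host paths under `docker_certificate_directory`, each server presumably has its own CA; keying the destination by host, `dest: "{{ docker_client_certificate_cache_directory }}/{{ inventory_hostname }}/ca.pem"`, avoids the collision (adjust if the client certificates cached elsewhere in this role already use a per-host layout I cannot see here). `flat: true` is the right choice for a file destination, but if certificate generation is gated on `docker_generate_certificates` outside this hunk, the fetch needs the same `when:` or it will fail on hosts where `docker_ca_cert` was never created.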
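Review bot: `{{ docker_tls_verify | lower }}` in templates/daemon.json.j2 only yields valid JSON when the variable is a real boolean; an Ansible-style `yes`, `on` or `"True"` passed from a playbook or `-e` renders `"tlsverify": yes`, which dockerd rejects at startup, so I would render it as `"tlsverify": {{ docker_tls_verify | bool | to_json }},` to normalise any truthy input to `true`/`false`. Separately, this is the first knob that lets the role emit `"tlsverify": false`, and the template sets no `"tls"` key: as far as I understand dockerd's config loading, `tlsverify` is what implies `tls`, so a false value here does not merely skip client-certificate checks but leaves the `tcp://{{ docker_server_ip }}:{{ docker_server_port }}` listener (default `0.0.0.0:2376`) without TLS at all despite `tlscert`/`tlskey` being set — please confirm against the daemon docs for the Docker versions this role targets. If the intent is "encrypt but do not authenticate clients", add `"tls": true,` above the `tlsverify` line; either way the template should not silently produce an unauthenticated, root-equivalent API on all interfaces without an explicit opt-in. The object's closing brace lies outside the hunk.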