2 changes: 1 addition & 1 deletion docs/docsite/extra-docs.yml
Expand Up @@ -14,7 +14,7 @@

---

# sections:
sections:
# - title: Guides
# toctree:
# - design.md
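Review bot: uncommenting `sections:` while every child under it (`# - title: Guides`, `# toctree:`, `# - design.md`) stays commented leaves the key with no value, so the docsite config now carries `sections: null`; either uncomment the Guides entry together with the key, or keep `sections:` commented until a section actually exists, rather than shipping an empty key.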
63 changes: 63 additions & 0 deletions roles/freeipa_server_wildcard_profile/README.md
@@ -0,0 +1,63 @@
# freeipa_server_ecs

Install a wildcard certificate profile for FreeIPA

This role creates a certificate profile in FreeIPA specifically for issuing wildcard certificates. It configures a new profile to include a wildcard Subject Alternative Name (SAN), making it easy to generate certificates that secure multiple subdomains. This role is designed to be run directly on a FreeIPA server and will not modify an existing profile if one with the same name is already present.

## Requirements
- The `ipaadmin_principal` must have permissions to manage certificate profiles in FreeIPA.
- The role assumes it's being run on the FreeIPA server itself.

## Dependencies

None.

## Parameters
| Variable| Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| `ipaadmin_principal` | `str` | `False` | `admin` | FreeIPA admin principal for authentication. |
| `ipaadmin_password` | `str` | `True`| | FreeIPA admin password for authentication. This should be stored securely, e.g., using Ansible Vault. |
| `ipaserver_domain` | `str` | `True` | | Domain name to use as the root zone for references within the profile (e.g., example.internal). |
| `ipaserver_realm` | `str` | `True` | | Realm name to use for references within the profile (e.g., EXAMPLE.INTERNAL). |
| `freeipa_wildcard_profile_name` | `str` | `False` | `wildcard` | The name of the wildcard certificate profile to create in FreeIPA. |

## Example Playbook

```yaml
- hosts: ipaserver_host
tasks:
- name: Create the default wildcard certificate profile in FreeIPA
ansible.builtin.import_role:
name: cloudera.exe.freeipa_server_wildcard_profile
vars:
ipaadmin_password: "MySuperSecretAdminPassword" # Use Ansible Vault
ipaserver_domain: "example.internal"
ipaserver_realm: "EXAMPLE.INTERNAL"

- name: Create a custom named wildcard certificate profile
ansible.builtin.import_role:
name: cloudera.exe.freeipa_server_wildcard_profile
vars:
ipaadmin_password: "MySuperSecretAdminPassword"
ipaserver_domain: "apps.example.internal"
ipaserver_realm: "EXAMPLE.INTERNAL"
freeipa_wildcard_profile_name: "custom_profile"
```

## License

```
Copyright 2025 Cloudera, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```
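Review bot: the README heading `# freeipa_server_ecs` does not match the role documented here, which the file path and the example playbook both name `freeipa_server_wildcard_profile`; correct the heading so the role can be found under its real name. Two smaller points in the same file: the second example task passes `ipaadmin_password: "MySuperSecretAdminPassword"` inline without the `# Use Ansible Vault` reminder the first task carries, so reference a vaulted variable (for example `ipaadmin_password: "{{ vault_ipaadmin_password }}"`) in both examples instead of a literal; and the description says the profile adds a wildcard SAN but never states how `ipaserver_domain` is turned into that SAN, which operators need in order to judge how broad the certificates issued under this profile will be.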
22 changes: 22 additions & 0 deletions roles/freeipa_server_wildcard_profile/defaults/main.yml
@@ -0,0 +1,22 @@
---
# Copyright 2025 Cloudera, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

ipaadmin_principal: admin
ipaadmin_password: "{{ undef(hint='Please define the FreeIPA adminstrator principal password') }}"

ipaserver_domain: "{{ undef(hint='Please define the DNS domain') }}"
ipaserver_realm: "{{ undef(hint='Please define the Kerberos realm') }}"

freeipa_wildcard_profile_name: wildcard
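Review bot: the `undef()` hint for `ipaadmin_password` misspells "administrator" as "adminstrator"; this string is exactly what a user sees when the variable is missing, so fix it to `Please define the FreeIPA administrator principal password`.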
43 changes: 43 additions & 0 deletions roles/freeipa_server_wildcard_profile/meta/argument_specs.yml
@@ -0,0 +1,43 @@
---
# Copyright 2025 Cloudera, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

argument_specs:
main:
short_description: Install a wildcard certificate profile for FreeIPA
description:
- Create a certificate profile for a wildcard certificate in FreeIPA.
- This profile will add a wildcard subject alternative name (SAN) to the issued certificate.
- This role expects to be run on a FreeIPA server and will not update an existing profile.
author: Cloudera Labs
version_added: 3.1.0
options:
ipaadmin_principal:
description: FreeIPA admin principal used for authentication.
default: admin
ipaadmin_password:
description: FreeIPA admin password used for authentication.
required: true
ipaserver_domain:
description:
- Domain name to use as the root zone for references within the profile.
required: true
ipaserver_realm:
description:
- Realm to use for references within the profile.
required: true
freeipa_wildcard_profile_name:
description: The name of the wildcard certificate profile to create.
required: false
default: wildcard
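Review bot: none of the five options declare a `type`, although the README documents every one of them as `str`; add `type: str` to each entry so role argument validation actually enforces it. For `ipaadmin_password`, also consider `no_log: true` (role argument specs accept the same option keys as module argument specs) so the secret is masked if validation ever reports on its value.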
@@ -0,0 +1,23 @@
---
# Copyright 2025 Cloudera, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Converge
hosts: all
gather_facts: true
tasks:
- name: Provision ECS DNS entries
ansible.builtin.import_role:
name: cloudera.exe.freeipa_server_wildcard_profile
vars:
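Review bot: the task name `Provision ECS DNS entries` describes a different role than the one imported (`cloudera.exe.freeipa_server_wildcard_profile`), which creates a certificate profile, so rename it to something like `Create the wildcard certificate profile`. The file header is missing above this hunk and the hunk ends at `vars:` with nothing beneath it, so the variables this scenario feeds the role (at least `ipaadmin_password`, `ipaserver_domain` and `ipaserver_realm`, which the argument spec marks required) cannot be reviewed here.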