venafi.ansible_role_venafi

Venafi | Apache 2.0 License | Community Supported | Compatible with TPP 17.3+ & VaaS
:warning: This project is no longer actively developed and will only receive updates for security issues and critical bugs. For full functionality, please refer to the Ansible Collection for Venafi, which is regularly updated. Transitioning is simple—install the venafi.machine_identity collection from Ansible Galaxy and replace role: venafi.ansible_role_venafi with role: venafi.machine_identity.certificate in your playbooks. We encourage you to make the switch as soon as possible.

Venafi Role for Ansible

This solution adds the ability to enroll certificates in Red Hat Ansible by integrating with the Venafi Trust Protection Platform or Venafi as a Service, ensuring compliance with company security policies and providing visibility into certificate issuance across the organization.

:red_car: Try out our integration examples today

We will guide you step-by-step on how to add certificates to your Infrastructure as Code automation using Ansible.

Products      Integration examples available...
F5 BIG-IP     Secure application delivery with F5 BIG-IP and the Venafi Ansible role
Citrix ADC    Secure application delivery with Citrix ADC and the Venafi Ansible role

NOTE If you don't find an example for a product you use, please check back later. We are working on adding more integration examples.

Requirements

Please check the Venafi prerequisites, then install Ansible and VCert-Python (version 0.10.0 or higher) using pip:

pip install ansible vcert --upgrade

Using with Ansible Galaxy

For more information about Ansible Galaxy, visit https://galaxy.ansible.com/docs/using/installing.html

  1. Install the Venafi Role for Ansible from Ansible Galaxy:

    ansible-galaxy install venafi.ansible_role_venafi
    
  2. Create a credentials.yml file and add your connection details:

    For Trust Protection Platform:

    cat <<EOF >>credentials.yml
    access_token: 'p0WTt3sDPbzm2BDIkoJROQ=='
    url: 'https://tpp.venafi.example'
    zone: "DevOps\\Ansible"
    trust_bundle: "/path/to/bundle.pem"
    EOF
    

    For Venafi as a Service:

    cat <<EOF >>credentials.yml
    token: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    zone: 'Business App\\Enterprise CIT'
    EOF
    
  3. To secure the credentials.yml file, you can encrypt it using ansible-vault. This step is optional but strongly recommended. Find more details at https://docs.ansible.com/ansible/latest/user_guide/vault.html.

    ansible-vault encrypt credentials.yml
    
  4. Create a simple playbook named sample.yml.

    - hosts: localhost
      roles:
        - role: venafi.ansible_role_venafi
          certificate_cert_dir: "/tmp/etc/ssl/{{ certificate_common_name }}"
    
  5. Run the playbook.

    ansible-playbook sample.yml --ask-vault-pass
    

    Running this playbook will generate a certificate and save it in the /tmp/etc/ssl/ directory. The --ask-vault-pass option is required if you encrypted the credentials.yml file. Additional variables can also be added to customize the certificate and key pair details.
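Step 3 is optional, so a plaintext credentials.yml is easy to leave behind and then pass to the role. The following POSIX shell script is an added pre-flight check, not part of the venafi.ansible_role_venafi role or its documentation: it refuses to launch the playbook from step 5 unless credentials.yml carries the ansible-vault header, and names the secret keys it found in the clear. File names follow the steps above, the `credentials_file=` extra-var mirrors the Docker demo invocation further down, and the two fixture files it builds are constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight check for the quick start; not part of the role itself.
# Assumptions: credentials.yml / sample.yml as in the steps above, and the
# vault header ansible-vault writes on line 1 ("$ANSIBLE_VAULT;1.1;AES256").

# Return 0 when the file starts with the ansible-vault header, 1 otherwise.
is_vault_encrypted() {
  [ -f "$1" ] || return 1
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Print the credential keys (access_token, token) stored in plaintext in the
# file, one per line; prints nothing for an encrypted or missing file.
plaintext_secret_keys() {
  grep -E '^[[:space:]]*(access_token|token):' "$1" 2>/dev/null \
    | sed -E 's/^[[:space:]]*//; s/:.*$//'
}

# Verdict: return 0 if the playbook may run, 1 if the credentials are unsafe.
preflight() {
  creds="$1"
  if is_vault_encrypted "$creds"; then
    echo "ok: $creds is vault-encrypted"
    return 0
  fi
  keys=$(plaintext_secret_keys "$creds" | paste -s -d ',' -)
  if [ -n "$keys" ]; then
    echo "refuse: $creds stores $keys in plaintext; run: ansible-vault encrypt $creds" >&2
  else
    echo "refuse: $creds is missing or not vault-encrypted" >&2
  fi
  return 1
}

# Launch the playbook only after the check passes (step 5 above, passing the
# credentials file the way the Docker demo does with credentials_file=).
run_if_safe() {
  playbook="$1"; creds="$2"
  preflight "$creds" || return 1
  ansible-playbook "$playbook" --extra-vars "credentials_file=$creds" --ask-vault-pass
}

# Constructed fixtures for a dry demonstration: a plaintext credentials file
# with placeholder values, and a file carrying the real vault header followed
# by made-up ciphertext. Prints the directory that holds them.
make_fixtures() {
  fx_dir=$(mktemp -d)
  cat <<'EOF' >"$fx_dir/plain.yml"
access_token: 'PLACEHOLDER_TOKEN'
url: 'https://tpp.venafi.example'
zone: "DevOps\\Ansible"
EOF
  cat <<'EOF' >"$fx_dir/vaulted.yml"
$ANSIBLE_VAULT;1.1;AES256
3132333435363738393061626364656631323334353637383930616263646566
EOF
  echo "$fx_dir"
}

# Demonstration on the fixtures; ansible-playbook is not invoked here.
fx=$(make_fixtures)
preflight "$fx/vaulted.yml"
preflight "$fx/plain.yml" || true
rm -rf "$fx"
```

Call `run_if_safe sample.yml credentials.yml` in place of the bare ansible-playbook command; the check only reads the first line and a key-name pattern, so it never prints the token value it rejects.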

Preparing a Docker demo environment for running Ansible

  1. (Optional) If you want to use your own Docker inventory, update the tests/inventory file.

     1. To run our demo playbook, you'll need the Docker provisioning role. Download it:

        git clone https://github.com/chrismeyersfsu/provision_docker.git tests/roles/provision_docker

     2. Build the necessary Docker images:

        docker build ./tests --tag local-ansible-test


    Demo certificates will be stored in the /tmp/ansible/etc/ssl directory on the Ansible host and then distributed to the /etc/ssl/ directory of remote hosts.

  2. Create a credentials file as previously described.

  3. Run the Ansible playbook:

    ansible-playbook -i tests/inventory \
      tests/venafi-playbook-example.yml \
      --extra-vars "credentials_file=credentials.yml docker_demo=true" \
      --ask-vault-pass
    

Sample Playbook

Here's an example of how your playbook could look:

- hosts: servers
  roles:
    - role: "ansible-role-venafi"
      certificate_common_name: "{{ ansible_fqdn }}.venafi.example.com"
      certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}"
      certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
      # Additional settings...

For more examples, check the venafi-playbook-example.yml file.

License

Copyright © Venafi, Inc. All rights reserved.

This software is licensed under the Apache License, Version 2.0. See LICENSE for the complete license text.

For comments or questions, please contact opensource@venafi.com.

About the project

Streamline machine identity (certificate and key) acquisition using Venafi vcert.

Install
ansible-galaxy install venafi.ansible_role_venafi
License
apache-2.0
Downloads
4.8k
Owner
CyberArk, the undisputed leader in Privileged Account Security, secures secrets used by machines and users to protect traditional and cloud-native apps.