dellemc.enterprise_sonic.sonic_pki 模块 – 管理 Enterprise Sonic 的 PKI 属性

注意

此模块是 dellemc.enterprise_sonic 集合 (版本 2.5.1) 的一部分。

如果您使用的是 ansible 包，则可能已安装此集合。它不包含在 ansible-core 中。要检查它是否已安装，请运行 ansible-galaxy collection list。

要安装它，请使用： ansible-galaxy collection install dellemc.enterprise_sonic。

要在剧本中使用它，请指定： dellemc.enterprise_sonic.sonic_pki。

dellemc.enterprise_sonic 2.3.0 中的新增功能

概要 

管理 Enterprise Sonic 的 PKI 属性

注意

此模块具有相应的 action 插件。

参数 

参数	注释
config 字典	提供的配置
security_profiles 列表 / 元素=字典	应用程序安全配置文件
cdp_list 列表 / 元素=字符串	CDP 的全局列表
certificate_name 字符串	主机证书名称
key_usage_check 布尔值	要求强制执行密钥用途选项 `false` `true`
ocsp_responder_list 列表 / 元素=字符串	OCSP 响应程序的全局列表
peer_name_check 布尔值	要求验证对等方名称选项 `false` `true`
profile_name 字符串 / 必需	配置文件名称
revocation_check 布尔值	要求证书吊销检查成功选项 `false` `true`
trust_store 字符串	关联的 trust_store 名称
trust_stores 列表 / 元素=字典	CA 证书存储
ca_name 列表 / 元素=字符串	信任存储区中的 CA 证书列表。
name 字符串 / 必需	信任存储区的名称
state 字符串	模块完成后的配置状态。选项 `"merged"` ← (默认) `"deleted"` `"replaced"` `"overridden"`

备注 

注意

针对 Dell Enterprise SONiC 4.1.0 进行了测试

示例 

# Using "merged" state for initial config
#
# Before state:
# -------------
#
# sonic# show running-configuration | grep crypto
# sonic#
#
- name: PKI Config Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Initial Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocspa
                - http://example.com/ocspb
              certificate_name: host
              trust_store: default-ts
          trust_stores:
            - name: default-ts
              ca_name:
                - CA2
        state: merged

# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb

# Using "deleted" state to remove configuration
#
# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp
#
- name: PKI Delete Test
  hosts: datacenter
  gather_facts: true
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: Remove trust_store from security-profile
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              trust_store: default-ts
        state: deleted
# After state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

# Using "overridden" state

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Overridden Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Overridden Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: telemetry
              ocsp_responder_list:
                - http://example.com/ocspb
              revocation_check: true
              trust_store: telemetry-ts
              certificate_name: host
          trust_stores:
            - name: telemetry-ts
              ca_name: CA
        state: overridden
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store telemetry-ts ca-cert CA
# crypto security-profile telemetry revocation_check true
# crypto security-profile trust_store telemetry telemetry-ts
# crypto security-profile certificate telemetry host
# crypto security-profile ocsp-list telemetry http://example.com/ocspb

# Using "replaced" state to update config

# Before state:
# ------------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocspa,http://example.com/ocspb
#
- name: PKI Replace Test
  hosts: datacenter
  gather_facts: false
  connection: httpapi
  collections:
    - dellemc.enterprise_sonic
  tasks:
    - name: "Replace Config"
      sonic_pki:
        config:
          security_profiles:
            - profile_name: rest
              ocsp_responder_list:
                - http://example.com/ocsp
              revocation_check: false
              trust_store: default-ts
              certificate_name: host
        state: replaced
# After state:
# -----------
#
# sonic# show running-configuration | grep crypto
# crypto trust_store default-ts ca-cert CA2
# crypto security-profile rest
# crypto security-profile trust_store rest default-ts
# crypto security-profile certificate rest host
# crypto security-profile ocsp-list rest http://example.com/ocsp

返回值 

常见的返回值已记录在此处，以下是此模块特有的字段

键	描述
after 字典	模块调用后的结果配置。返回：发生更改时示例： `"The configuration returned will always be in the same format as the parameters above.\n"`
before 字典	模块调用之前的配置。返回：始终返回示例： `"The configuration returned will always be in the same format as the parameters above.\n"`
commands 列表 / 元素=字符串	推送到远程设备的命令集。返回：始终返回示例： `["command 1", "command 2", "command 3"]`

作者

Eric Seifert (@seiferteric)