trfore.smallstep.step_provisioner role – Add provisioners to Step CA

Note

This role is part of the trfore.smallstep collection (version 1.1.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install trfore.smallstep.

To use it in a playbook, specify: trfore.smallstep.step_provisioner.

Entry point main – Add provisioners to Step CA

New in trfore.smallstep 1.0.0

Synopsis

  • Add provisioners to Step CA configuration.

  • This role is intended to be run on a step CA server.

Parameters

  step_ca_path (path)

    Path to the Step CA folder containing the configuration and certificate files.

    Default: "/etc/step-ca/"

  step_provisioner (list / elements=dictionary)

    List of dictionaries describing the provisioners to add to Step CA.

    Default: [{"name": "acme", "renewal_after_expiry": false, "ssh": false, "type": "acme"}]

    Each dictionary in the list accepts the following keys:

      client_id (string)

        ID used to validate the audience in an OIDC token.

      client_secret (string)

        Secret used to obtain the OIDC tokens.

      config_endpoint (string)

        OIDC configuration URL.

      domain (string)

        Domain used to validate the email claim in the OIDC provisioner.

      name (string / required)

        Name of the provisioner.

      renewal_after_expiry (boolean)

        Allow renewals for expired certificates.

        Choices:

          • false ← (default)

          • true

      ssh (boolean)

        Enable provisioning of SSH certificates.

        Choices:

          • false

          • true

      type (string / required)

        Type of provisioner to create.

        Choices:

          • "acme"

          • "oidc"

          • "sshpop"

          • "x5c"

      x509_default_dur (string)

        Default duration for x509 certificates, e.g. `72h`. If unset, Step defaults to `24h`.

      x509_max_dur (string)

        Maximum duration for x509 certificates.

      x5c_root (path)

        Path to the root CA certificate (PEM-formatted), e.g. `/etc/step-ca/certs/root_ca.crt`.
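The following playbook is an added example and is not part of the trfore.smallstep collection or its documentation. It shows the role invoked with one provisioner of each of three documented types (acme, oidc, x5c), using only the parameters listed above. The host group `step_ca`, the vaulted variable `vault_oidc_client_secret`, the client ID, the OIDC configuration URL, the domain and the x5c root path are constructed placeholders to be replaced with your own values.

```yaml
# Added example playbook (not from the trfore.smallstep collection).
# Assumptions: a host group "step_ca" exists in the inventory, and
# vault_oidc_client_secret is defined in an Ansible Vault encrypted vars file
# so the OIDC client secret never sits in plaintext in the repository.
- name: Add provisioners to the Step CA
  hosts: step_ca
  become: true
  vars:
    step_ca_path: /etc/step-ca/
    step_provisioner:
      # ACME: automated leaf certificates for servers; keep them short-lived
      # and cap what a client may request with x509_max_dur.
      - name: acme
        type: acme
        ssh: false
        renewal_after_expiry: false
        x509_default_dur: "24h"
        x509_max_dur: "72h"

      # OIDC: human users authenticate through the identity provider; the CA
      # checks the token audience (client_id) and the email claim's domain.
      - name: sso
        type: oidc
        client_id: step-ca-sso                      # placeholder
        client_secret: "{{ vault_oidc_client_secret }}"
        config_endpoint: https://idp.example.com/.well-known/openid-configuration  # placeholder
        domain: example.com                         # placeholder
        ssh: true

      # X5C: requests are authenticated with a certificate chaining to the
      # root named in x5c_root; the file must already exist on the CA host.
      - name: x5c
        type: x5c
        x5c_root: /etc/step-ca/certs/x5c_root.crt   # placeholder path

  roles:
    - trfore.smallstep.step_provisioner
```

Run it with `ansible-playbook --ask-vault-pass provisioners.yml` (or a vault password file) so the secret is decrypted only at run time. Enabling `ssh: true` only on the provisioner that actually issues SSH certificates, and leaving `renewal_after_expiry` at its default of `false`, keeps the issuance surface of each provisioner as small as the page's defaults allow.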