cloudera-labs · wmudge · Oct 1, 2025 · Sep 29, 2025 · Sep 29, 2025 · Oct 1, 2025
diff --git a/roles/freeipa_server_enrolled_tls/README.md b/roles/freeipa_server_enrolled_tls/README.md
@@ -0,0 +1,68 @@
+# freeipa_server_enrolled_tls
+
+Issue a TLS certificate and private key for an enrolled host
+
+This role issues a **TLS certificate and private key** for a host that is enrolled in FreeIPA. This is useful for hosts that are already members of the FreeIPA domain and need TLS certificates for their services. The process includes generating a private key and Certificate Signing Request (CSR), and then requesting a certificate from FreeIPA's Certificate Authority (CA) using the host's enrolled identity.
+
+The role will:
+
+  * Authenticate to the FreeIPA server using the provided administrative credentials.
+  * Generate a private key and CSR directly on the target host.
+  * Request a TLS certificate from FreeIPA's CA for the enrolled host.
+  * The certificate and key will be saved directly to their final locations.
+
+
+## Requirements
+
+  * The target host must be already enrolled in the FreeIPA domain.
+  * The `ipaadmin_principal` must have permissions to issue certificates in FreeIPA.
+  * Write access to the specified certificate and key paths on the FreeIPA server.
+
+## Dependencies
+
+None.
+
+## Parameters
+
+| Variable | Type | Required | Default | Description |
+| --- | --- | --- | --- | --- |
+| `ipaadmin_password` | `str` | `True` | | **FreeIPA** admin password for authentication. |
+| `ipaadmin_principal` | `str` | `False` | `admin` | **FreeIPA** admin principal for authentication. |
+| `enrolled_hostname` | `str` | `True` | | The hostname for which the certificate will be issued. Must be an enrolled FreeIPA client. |
+| `enrolled_principal_type` | `str` | `False` | `host` | The type of principal for certificate request (e.g., host, service). |
+| `enrolled_cert_key_path` | `path` | `False` | `/etc/pki/tls/private/host.key` | The path on the target host to save the generated private key file. |
+| `enrolled_cert_csr_path` | `path` | `False` | `/etc/pki/tls/private/host.csr` | The path on the target host to save the generated CSR file. |
+| `enrolled_cert_path` | `path` | `False` | `/etc/pki/tls/certs/host.crt` | The path on the target host to save the issued TLS certificate. |
+
+## Example Playbook
+
+```yaml
+- hosts: enrolled_hosts
+  tasks:
+    - name: Issue a TLS certificate and private key for enrolled host
+      ansible.builtin.import_role:
+        name: cloudera.exe.freeipa_server_enrolled_tls
+      vars:
+        enrolled_hostname: "hostname.example.internal"
+        ipaadmin_password: "password"
+        enrolled_cert_key_path: "/etc/pki/tls/private/gateway.key"
+        enrolled_cert_path: "/etc/pki/tls/certs/gateway.crt"
+```
+
+## License
+
+```
+Copyright 2025 Cloudera, Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+```
diff --git a/roles/freeipa_server_enrolled_tls/defaults/main.yml b/roles/freeipa_server_enrolled_tls/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ipaadmin_principal: admin
+ipaadmin_password: "{{ undef(hint='Please define the FreeIPA adminstrator principal password') }}"
+
+enrolled_principal_type: host
+enrolled_cert_key_path: "/etc/pki/tls/private/host.key"
+enrolled_cert_csr_path: "/etc/pki/tls/private/host.csr"
+enrolled_cert_path: "/etc/pki/tls/certs/host.crt"
diff --git a/roles/freeipa_server_enrolled_tls/meta/argument_specs.yml b/roles/freeipa_server_enrolled_tls/meta/argument_specs.yml
@@ -0,0 +1,54 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+argument_specs:
+  main:
+    short_description: Issue a TLS certificate and private key for an enrolled host
+    description:
+      - Issue a TLS certificate and private key for a host that is already enrolled in FreeIPA.
+      - The certificate is requested from FreeIPA CA using the enrolled host's identity.
+    author: Cloudera Labs
+    version_added: 3.1.0
+    options:
+      ipaadmin_password:
+        description: FreeIPA admin password used for authentication.
+        type: str
+        required: true
+      ipaadmin_principal:
+        description: FreeIPA admin principal used for authentication.
+        type: str
+        default: admin
+      enrolled_hostname:
+        description:
+          - The hostname for which the certificate will be issued.
+        type: str
+        required: true
+      enrolled_cert_key_path:
+        description: The path to the private key file for the TLS certificate.
+        type: str
+        default: /etc/pki/tls/private/host.key
+      enrolled_cert_csr_path:
+        description: The path to the CSR file for the TLS certificate.
+        type: str
+        default: /etc/pki/tls/private/host.csr
+      enrolled_cert_path:
+        description: The path of issued TLS certificate.
+        type: str
+        default: /etc/pki/tls/certs/host.crt
+      enrolled_principal_type:
+        description:
+          - The type of principal for certificate request (e.g., host, service).
+        type: str
+        default: host
diff --git a/roles/freeipa_server_enrolled_tls/molecule/default/converge.yml b/roles/freeipa_server_enrolled_tls/molecule/default/converge.yml
@@ -0,0 +1,22 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Converge
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Provision enrolled TLS
+      ansible.builtin.import_role:
+        name: cloudera.exe.freeipa_server_enrolled_tls