Add mssql_tls_self_sign

Append either -C or -No to sqlcmd Add mssql_tls_self_sign to all tls tests
linux-system-roles · Nov 20, 2024 · 5b28547 · 5b28547
1 parent c939176
commit 5b28547
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -99,6 +99,8 @@ In the case when this variable contains multiple elements, the role instals both
 
 The role does not remove mssql-tools packages if you unset a version with this variable.
 
+If you use version 18 and [mssql_tls_enable](#mssql_tls_enable) with self-signed certificates, you must set [mssql_tls_self_sign](#mssql_tls_self_sign) to `true`.
+
 Default: `[18]`
 
 Type: `list`
@@ -620,6 +622,16 @@ Default: `false`
 
 Type: `bool`
 
+#### mssql_tls_self_sign
+
+Whether certificates that you use are self-signed or not.
+
+Based on this, the role decides whether to run `sqlcmd` with the `-C` argument to trust certificates.
+
+Default: `false`
+
+Type: `bool`
+
 ### TLS Certificates Example Playbooks
 
 #### Configuring SQL Server with TLS Encryption with Certificate Files

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -33,6 +33,7 @@ mssql_tls_force: false
 mssql_tls_version: 1.2
 mssql_tls_remote_src: false
 mssql_tls_certificates: []
+mssql_tls_self_sign: false
 
 mssql_rpm_key: https://packages.microsoft.com/keys/microsoft.asc
 mssql_server_repository: "{{ __mssql_server_repository }}"

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -3,14 +3,6 @@
 - name: Ensure ansible_facts and variables used by role
   include_tasks: set_vars.yml
 
-- name: Temporary debug
-  debug:
-    var: "{{ item }}"
-  loop:
-    - mssql_tools_versions
-    - __sqlcmd_ver
-    - __sqlcmd_cli
-    - __mssql_client_packages
 # This is required to prevent the role from using a __mssql_sqlcmd_login_cmd
 # variable value from a previous role invocation
 - name: Unset the __mssql_sqlcmd_login_cmd fact
@@ -578,10 +570,8 @@
         __mssql_conf_setting: "network forceencryption"
         __mssql_conf_setting_value: "{{ '1' if mssql_tls_enable else 'unset' }}"
 
-- name: Append -C to sqlcmd if encryption is not requested and not in place
-  when:
-    - mssql_tls_enable is not true
-    - __sqlcmd_ver | int == 18
+- name: Append -C to sqlcmd
+  when: __sqlcmd_ver | int == 18
   block:
     - name: Get the setting forceencryption
       shell: >-
@@ -592,9 +582,17 @@
       failed_when: false
       register: __mssql_forceencryption_val
 
-    - name: Append -C to sqlcmd
+    - name: Append -No to sqlcmd when TLS is not configured
       when:
         - __mssql_forceencryption_val.stdout != '1'
+        - "'-No' not in __sqlcmd_cli"
+      set_fact:
+        __sqlcmd_cli: "{{ __sqlcmd_cli + ' -No' }}"
+
+    - name: Append -C to sqlcmd when TLS is configured but certs are self-signed
+      when:
+        - __mssql_forceencryption_val.stdout == '1'
+        - mssql_tls_self_sign | bool
         - "'-C' not in __sqlcmd_cli"
       set_fact:
         __sqlcmd_cli: "{{ __sqlcmd_cli + ' -C' }}"

diff --git a/tests/tests_tls_2017.yml b/tests/tests_tls_2017.yml
@@ -10,6 +10,7 @@
     mssql_edition: Evaluation
     mssql_tcp_port: 1433
     mssql_version: 2017
+    mssql_tls_self_sign: true
     __mssql_gather_facts_no_log: true
   tasks:
     - name: Run test in a block to clean up in always

diff --git a/tests/tests_tls_2019.yml b/tests/tests_tls_2019.yml
@@ -10,6 +10,7 @@
     mssql_edition: Evaluation
     mssql_tcp_port: 1433
     mssql_version: 2019
+    mssql_tls_self_sign: true
     __mssql_gather_facts_no_log: true
   tasks:
     - name: Run test in a block to clean up in always

diff --git a/tests/tests_tls_2022.yml b/tests/tests_tls_2022.yml
@@ -10,6 +10,7 @@
     mssql_edition: Evaluation
     mssql_tcp_port: 1433
     mssql_version: 2022
+    mssql_tls_self_sign: true
     mssql_manage_selinux: "{{ mssql_run_selinux_confined }}"
     __mssql_gather_facts_no_log: true
   tasks: