Ansible Integration with TigerTrust
TigerTrust provides an Ansible collection for automating certificate lifecycle management across your infrastructure. Deploy, rotate, and manage certificates using familiar Ansible patterns.
Collection Installation
Install the TigerTrust collection:
```bash
# Install from Ansible Galaxy
ansible-galaxy collection install tigertrust.certificates

# Or install from source
ansible-galaxy collection install git+https://github.com/tigertrust/ansible-collection.git
```
Configuration
Configure the TigerTrust API endpoint and credentials in group variables; the key and organization ID are referenced from Vault-encrypted variables rather than written in plaintext:
```yaml
# group_vars/all.yml
tigertrust_api_url: https://api.tigertrust.io
tigertrust_api_key: "{{ vault_tigertrust_api_key }}"
tigertrust_org_id: "{{ vault_tigertrust_org_id }}"
```
Certificate Modules
Use the TigerTrust modules in playbooks to request, deploy and verify a certificate in one play:
```yaml
---
- name: Manage certificates
  hosts: webservers
  become: yes
  tasks:
    - name: Request certificate from TigerTrust
      tigertrust.certificates.certificate:
        common_name: "{{ inventory_hostname }}"
        san_names:
          - "{{ inventory_hostname }}"
          - "{{ ansible_fqdn }}"
        issuer: enterprise-ca
        validity_days: 365
        state: present
      register: cert_result

    - name: Deploy certificate to server
      tigertrust.certificates.deploy:
        certificate_id: "{{ cert_result.certificate_id }}"
        cert_path: /etc/ssl/certs/server.crt
        key_path: /etc/ssl/private/server.key
        chain_path: /etc/ssl/certs/chain.crt
        owner: root
        group: ssl-cert
        mode: '0640'
      notify: Restart nginx

    - name: Verify certificate
      tigertrust.certificates.verify:
        cert_path: /etc/ssl/certs/server.crt
        check_expiry: yes
        check_chain: yes
      register: verify_result

  handlers:
    - name: Restart nginx
      service:
        name: nginx
        state: restarted
```
Certificate Rotation
Automate certificate rotation by reading the certificate on disk and renewing it when it is close to expiry:
```yaml
---
- name: Rotate expiring certificates
  hosts: all
  become: yes
  tasks:
    - name: Check certificate expiration
      tigertrust.certificates.info:
        cert_path: /etc/ssl/certs/server.crt
      register: cert_info

    - name: Renew if expiring within 30 days
      when: cert_info.days_until_expiry < 30
      block:
        - name: Request renewal
          tigertrust.certificates.renew:
            certificate_id: "{{ cert_info.certificate_id }}"
          register: renewal

        - name: Deploy renewed certificate
          tigertrust.certificates.deploy:
            certificate_id: "{{ renewal.new_certificate_id }}"
            cert_path: /etc/ssl/certs/server.crt
            key_path: /etc/ssl/private/server.key
            backup: yes
          notify: Restart services
```
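As an added example, not part of the TigerTrust documentation, the rotation play can be extended so that the web server is only restarted after the freshly deployed file has been re-read and checked. It assumes only the module names and return fields shown on this page (certificate_id, new_certificate_id, days_until_expiry) and that tigertrust.certificates.info can read the file it has just deployed; ansible.builtin.assert, meta: flush_handlers and the handler are standard Ansible.

```yaml
---
# Added example, not from the TigerTrust docs. Assumes only the module names and
# return fields shown on this page; everything else is standard Ansible.
- name: Rotate and verify web server certificates
  hosts: webservers
  become: yes
  vars:
    renew_threshold_days: 30
  tasks:
    - name: Read the certificate currently on disk
      tigertrust.certificates.info:
        cert_path: /etc/ssl/certs/server.crt
      register: cert_info
    - name: Renew and redeploy when inside the threshold
      when: cert_info.days_until_expiry < renew_threshold_days
      block:
        - name: Request renewal
          tigertrust.certificates.renew:
            certificate_id: "{{ cert_info.certificate_id }}"
          register: renewal
        - name: Deploy the renewed certificate (previous files are backed up)
          tigertrust.certificates.deploy:
            certificate_id: "{{ renewal.new_certificate_id }}"
            cert_path: /etc/ssl/certs/server.crt
            key_path: /etc/ssl/private/server.key
            owner: root
            group: ssl-cert
            mode: '0640'
            backup: yes
          notify: Restart nginx
        - name: Re-read what was actually written to disk
          tigertrust.certificates.info:
            cert_path: /etc/ssl/certs/server.crt
          register: deployed_info
        - name: Fail before the restart if the file is not the renewed certificate
          ansible.builtin.assert:
            that:
              - deployed_info.certificate_id == renewal.new_certificate_id
              - deployed_info.days_until_expiry >= renew_threshold_days
            fail_msg: "Deployed cert is not {{ renewal.new_certificate_id }} or expires in {{ deployed_info.days_until_expiry }} days"
    # A failed assert marks the host as failed, so the notified handler never runs.
    - name: Restart nginx now, while still in this play and only if the checks passed
      ansible.builtin.meta: flush_handlers
  handlers:
    - name: Restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted
```

Because the handler is flushed inside the play, a host that fails the assertion keeps serving the backed-up certificate instead of being restarted onto a bad one.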
Roles
Use pre-built roles:
```yaml
# requirements.yml
roles:
  - name: tigertrust.certificates.webserver
    version: "1.0.0"
  - name: tigertrust.certificates.kubernetes
    version: "1.0.0"
```

```yaml
# playbook.yml
---
- name: Configure web servers
  hosts: webservers
  roles:
    - role: tigertrust.certificates.webserver
      vars:
        tigertrust_domains:
          - "{{ inventory_hostname }}"
        tigertrust_webserver: nginx
        tigertrust_auto_renew: yes
```
Inventory Integration
Build a dynamic inventory from the certificates TigerTrust knows about, grouping hosts by how soon their certificates expire:
```yaml
# tigertrust_inventory.yml
plugin: tigertrust.certificates.inventory
api_url: https://api.tigertrust.io
api_key: "{{ lookup('env', 'TIGERTRUST_API_KEY') }}"
filters:
  environment: production
  expiring_within_days: 30
groups:
  expiring_soon: "days_until_expiry < 14"
  critical: "days_until_expiry < 7"
compose:
  ansible_host: "common_name"
```
AWX/Tower Integration
Define a custom AWX/Tower credential type so the API key is stored as a secret and injected into jobs as environment variables:
```yaml
# Custom credential type
name: TigerTrust
kind: cloud
inputs:
  fields:
    - id: api_url
      type: string
      label: API URL
    - id: api_key
      type: string
      label: API Key
      secret: true
    - id: org_id
      type: string
      label: Organization ID
injectors:
  env:
    TIGERTRUST_API_URL: '{{ api_url }}'
    TIGERTRUST_API_KEY: '{{ api_key }}'
    TIGERTRUST_ORG_ID: '{{ org_id }}'
```
Vault Integration
Keep the API credentials in a file encrypted with Ansible Vault so they are never committed in plaintext:
```yaml
# vault.yml (encrypted)
vault_tigertrust_api_key: your-api-key-here
vault_tigertrust_org_id: your-org-id
```

```bash
# Usage
ansible-playbook certificates.yml --ask-vault-pass
```
Fact Gathering
Gather facts about every certificate found in the given directories and report how long each has until expiry:
```yaml
- name: Gather certificate facts
  tigertrust.certificates.facts:
    paths:
      - /etc/ssl/certs
      - /etc/pki/tls/certs
  register: cert_facts

- name: Show certificates
  debug:
    msg: "Certificate {{ item.common_name }} expires in {{ item.days_until_expiry }} days"
  loop: "{{ cert_facts.certificates }}"
```
Automate your certificate infrastructure with TigerTrust and Ansible.