Ansible Task for Importing PKI files

I’m using a playbook to configure a 1.4.0 VyOS and struggling to find an efficient solution for importing PKI files. As some of you will know, if you run import pki... from operational mode, it outputs the set pki... command equivalent for you to use in config mode. Whereas if you issue run import pki... from config mode, it imports the file directly.

Now, because the vyos.vyos.vyos_config module doesn’t support using the run <command> syntax, I have a workaround that uses the vyos.vyos.vyos_command module to issue the import command in op mode, then takes the resulting stdout and applies regex to format it appropriately, then passes it to vyos.vyos.vyos_config to apply the commands.

This seems unnecessarily complicated, and for a sanity check, I just wanted to post here and make sure that I’m not missing any info regarding a simpler solution. Let me know if you have any thoughts, and thanks for your time. Btw, I’m running the latest version of the collection (6.0.0).

Here’s the playbook for anyone interested:

---
- name: Generate and install PKI files
  hosts: vyos
  connection: network_cli
  gather_facts: no

  tasks:
    - name: Run import commands in operational mode to get set commands
      vyos.vyos.vyos_command:
        commands:
          - "{{ item.cmd_dict }}"
      loop:
        - cmd_dict: "import pki ca vyos-ca file /config/auth/vyos-ca.crt"
        - cmd_dict:
            command: "import pki ca vyos-ca key-file /config/auth/vyos-ca.key"
            prompt: "Enter private key passphrase:"
            answer: "\r"
        - cmd_dict: "import pki certificate vyos-cert file /config/auth/vyos-cert.crt"
        - cmd_dict:
            command: "import pki certificate vyos-cert key-file /config/auth/vyos-cert.key"
            prompt: "Enter private key passphrase:"
            answer: "\r"
      register: import_results
      ignore_errors: true

    - name: Extract set commands from output
      set_fact:
        set_commands: "{{ set_commands | default([]) + [item.stdout_lines | flatten | select('match', '^set ') | first | default('')] }}"
      loop: "{{ import_results.results }}"
      when: item.stdout_lines is defined

    - name: Debug extracted set commands
      debug:
        var: set_commands

    - name: Apply set commands in config mode
      vyos.vyos.vyos_config:
        lines:
          - "{{ item }}"
        comment: "Imported PKI for {{ item.split()[3] }} via Ansible"
        save: true
        match: none
      loop: "{{ set_commands }}"
      when: item | length > 0

This is not Vyatta, this is VyOS :slight_smile: Rename all your playbooks and forget about Vyatta.


Done. Thanks for the correction.

We do ours with templates and an Ansible lookup to look up the file on the Ansible controller.

task.yml

- name: "Assert PKI certificates"
  vyos_config:
    lines: "{{ lookup('template', 'templates/pki.cfg') }}"
  notify: Save config

pki.cfg

set pki ca 'root_ca' certificate '{{ (lookup('ansible.builtin.file', './files/ca.pem') | split('\n'))[1:-1] | join('') }}'

something like that would work also

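Both approaches in this thread end up producing a `set pki ... '<base64>'` line, either by regex-filtering the op-mode `import pki` output or by stripping the PEM armor in a template. The Python below is an added example, not code from this thread or from the VyOS project or the vyos.vyos collection; it does the same two transformations on the controller side and adds the pre-flight check a practitioner would want before pushing anything to the router: the body must be strict base64 decoding to a DER SEQUENCE, and a PEM file must contain exactly one block (the `[1:-1]` slice in the template would silently glue a whole chain into one unusable blob). The sample PEM and the sample op-mode output are constructed stand-ins, not real device output or a real certificate.

```python
import base64
import re

# Constructed sample PEM file (NOT a real certificate). The body decodes to the
# five DER bytes 30 03 02 01 01, i.e. an ASN.1 SEQUENCE, so the check accepts it.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----
"""

# Constructed stand-in for what `import pki ... file ...` prints in op mode;
# only the line starting with `set pki` is relied on, the rest is filler.
SAMPLE_OPMODE_OUTPUT = [
    "import pki ca vyos-ca file /config/auth/vyos-ca.crt",
    "set pki ca vyos-ca certificate 'MAMCAQE='",
    "",
]

PEM_ARMOR = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def pem_body(pem_text: str) -> str:
    """Return the base64 body of exactly one PEM block as a single line.

    Same result as the template's split('\\n')[1:-1] | join(''), but a file
    holding several blocks (a chain) is rejected instead of being concatenated.
    """
    lines = [line.strip() for line in pem_text.splitlines() if line.strip()]
    begins = sum(1 for line in lines if line.startswith("-----BEGIN "))
    if begins != 1:
        raise ValueError(f"expected exactly one PEM block, found {begins}")
    return "".join(line for line in lines if not PEM_ARMOR.match(line))


def looks_like_der(b64_body: str) -> bool:
    """Heuristic pre-flight check: strict base64 that decodes to a DER SEQUENCE.

    X.509 certificates and PKCS#1/PKCS#8 keys all start with tag 0x30, so a body
    failing this would be rejected by the device anyway; failing here avoids a
    half-applied PKI configuration.
    """
    try:
        raw = base64.b64decode(b64_body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 2 and raw[0] == 0x30


def set_command(kind: str, name: str, field: str, pem_text: str) -> str:
    """Build `set pki <kind> '<name>' <field> '<base64>'` from a PEM file
    (the template approach), refusing odd object names and non-DER bodies."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"refusing PKI object name {name!r}")
    body = pem_body(pem_text)
    if not looks_like_der(body):
        raise ValueError(f"{kind} {name}: body is not base64-encoded DER")
    return f"set pki {kind} '{name}' {field} '{body}'"


def extract_set_commands(stdout_lines) -> list:
    """Keep only `set pki` lines from op-mode import output (the regex step of
    the first playbook) and verify each quoted body before it is pushed."""
    commands = []
    for line in stdout_lines:
        line = line.strip()
        if not line.startswith("set pki "):
            continue
        match = re.search(r"'([A-Za-z0-9+/=]+)'\s*$", line)
        if match is None or not looks_like_der(match.group(1)):
            raise ValueError(f"suspicious set command: {line}")
        commands.append(line)
    return commands


if __name__ == "__main__":
    print(set_command("ca", "root_ca", "certificate", SAMPLE_PEM))
    print(extract_set_commands(SAMPLE_OPMODE_OUTPUT))
```

Either function's output is a plain list of strings that can be fed to `vyos.vyos.vyos_config` `lines:` exactly as the two playbooks above do; the only behavioural difference is that a malformed or multi-block file fails on the controller instead of on the router.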

Thanks for this, I’ll test it out.
