damex.incus.incus_certificate module – Ensure Incus certificate

Note

This module is part of the damex.incus collection (version 1.11.7).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install damex.incus.

To use it in a playbook, specify: damex.incus.incus_certificate.

Synopsis

  • Add, update, and remove trusted certificates in the Incus trust store via the Incus REST API.

  • Certificates are identified by their friendly name.

  • Cluster-wide resource — not scoped to a project.

Parameters

Parameter

Comments

certificate

string

PEM-encoded client certificate to add.

Required when creating a new trust store entry.

Ignored on update.

client_cert

string

Client certificate content for remote authentication.

Requires url and client_key. Mutually exclusive with token and client_cert_path.

client_cert_path

string

Client certificate path for remote authentication.

Requires url and client_key_path. Mutually exclusive with token and client_cert.

client_key

string

Client key content for remote authentication.

Requires url and client_cert. Mutually exclusive with client_key_path.

client_key_path

string

Client key path for remote authentication.

Requires url and client_cert_path. Mutually exclusive with client_key.

name

string / required

Friendly name for the certificate in the trust store.

projects

list / elements=string

Projects the certificate is restricted to.

Only effective when restricted=true.

Default: []

restricted

boolean

Whether the certificate is restricted to specific projects.

Choices:

  • false ← (default)

  • true

server_cert

string

Server certificate content for remote verification.

Requires url. Mutually exclusive with server_cert_path.

server_cert_path

string

Server certificate path for remote verification.

Requires url. Mutually exclusive with server_cert.

socket_path

string

Incus Unix socket path for local connections.

Default: "/var/lib/incus/unix.socket"

state

string

Desired state of the certificate.

Choices:

  • "present" ← (default)

  • "absent"

token

string

Token for remote authentication.

Requires url. Mutually exclusive with client_cert.

type

string

Certificate type.

Choices:

  • "client" ← (default)

  • "metrics"

url

string

Remote Incus server URL (e.g. https://host:8443).

If specified, connects via HTTPS instead of Unix socket.

validate_certs

boolean

Whether to validate the server's TLS certificate.

Choices:

  • false

  • true ← (default)

wait

boolean

Whether to wait for asynchronous operations to complete.

Set to false for fire-and-forget behaviour.

Choices:

  • false

  • true ← (default)

Examples

- name: Ensure client certificate
  damex.incus.incus_certificate:
    name: ansible
    certificate: "{{ lookup('file', '/etc/incus/client.crt') }}"

- name: Ensure restricted certificate
  damex.incus.incus_certificate:
    name: ci-runner
    certificate: "{{ lookup('file', 'ci.crt') }}"
    restricted: true
    projects:
      - default
      - staging

- name: Ensure certificate is absent
  damex.incus.incus_certificate:
    name: old-client
    state: absent
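
The following playbook is an added example, not part of the module's own documentation. It combines the remote-connection parameters with a project-restricted certificate and works around certificate being ignored on update by removing the entry before re-adding it. The URL, file paths, certificate names and the rotate_ci_cert variable are placeholders chosen for illustration.

```yaml
# Added example. The URL, file paths and certificate names are placeholders.
- name: Manage a remote Incus trust store
  hosts: localhost
  gather_facts: false
  vars:
    rotate_ci_cert: false        # set to true for a one-off rotation run
  module_defaults:
    damex.incus.incus_certificate:
      url: https://incus.example.internal:8443
      # Path-based client authentication: client_cert_path requires
      # client_key_path and excludes token and client_cert.
      client_cert_path: /etc/ansible/incus/admin.crt
      client_key_path: /etc/ansible/incus/admin.key
      # Server certificate used for remote verification; validate_certs
      # stays at its default of true.
      server_cert_path: /etc/ansible/incus/server.crt
  tasks:
    # certificate is ignored on update, so an existing entry keeps its old
    # PEM. Removing the entry first makes the next task create it afresh.
    - name: Remove the old ci-runner entry before rotation
      damex.incus.incus_certificate:
        name: ci-runner
        state: absent
      when: rotate_ci_cert | bool

    - name: Ensure ci-runner is limited to the staging project
      damex.incus.incus_certificate:
        name: ci-runner
        certificate: "{{ lookup('file', 'ci.crt') }}"
        restricted: true
        projects:
          - staging
      register: ci_cert

    - name: Ensure the metrics scraper has a metrics-type certificate
      damex.incus.incus_certificate:
        name: prometheus
        type: metrics
        certificate: "{{ lookup('file', 'metrics.crt') }}"

    - name: Report what changed on the ci-runner entry
      ansible.builtin.debug:
        msg: "changed={{ ci_cert.changed }} keys={{ ci_cert.changed_keys }}"
```

The certificate used to authenticate (admin.crt here) is a different trust store entry from the ones being rotated, so removing ci-runner does not cut off the playbook's own access.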

Return Values

Common return values are documented here; the following fields are unique to this module:

Key

Description

changed

boolean

Whether the resource state changed.

Returned: always

changed_keys

list / elements=string

Configuration keys that changed.

Returned: always

diff

dictionary

Before and after state for diff mode.

Returned: changed

after

dictionary

State after the change.

Returned: success

before

dictionary

State before the change.

Returned: success

Authors

  • Roman Kuzmitskii (@damex)