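---
# hashistack generate certificates playbook
#
# Generates all TLS material on the Ansible controller: every task below is
# delegated to localhost and writes under
# {{ hashistack_sub_configuration_directories['certificates'] }} (provided by
# the ednz_cloud.hashistack.hashistack role):
#   external/                   self-signed placeholder certificates for the
#                               public nomad/vault/consul FQDNs (tag: always)
#   ca/                         a self-signed internal CA (tag: internal only)
#   vault|consul|nomad/<host>/  per-host leaf key + certificate chain signed by
#                               that CA (tag: internal only)
#
# Security notes:
#   - Private keys are written with an explicit mode 0600 so they are never
#     readable by other local users on the controller, whatever the umask or
#     the module default happens to be. Certificates are public (0644).
#   - The play runs with become: true; on localhost that is only needed when
#     the certificates directory is not writable by $USER. Ownership is handed
#     back to $USER so later unprivileged plays can read the material.
#   - Regenerating the internal CA (e.g. by changing its CSR extensions below)
#     invalidates every leaf certificate signed by it; plan a rotation before
#     touching the CA tasks.
#   - NOTE(review): the leaf certificates are issued for +365d and the
#     x509_certificate module ignores timestamps for idempotency by default, so
#     expiring certificates are presumably not re-issued by this play on its
#     own — confirm the renewal strategy.

- name: "Generate certificates"
  hosts: all, !deployment
  strategy: linear
  gather_facts: true
  become: true
  tasks:
    - name: "Import variables"
      ansible.builtin.import_role:
        name: ednz_cloud.hashistack.hashistack
      tags:
        - always

    # Holds the self-signed placeholder certificates for the public endpoints.
    # 0755 is fine here: the keys inside are individually protected with 0600.
    - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
      ansible.builtin.file:
        path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
        state: directory
        owner: "{{ lookup('env', 'USER') }}"
        group: "{{ lookup('env', 'USER') }}"
        mode: "0755"
      delegate_to: localhost
      run_once: true
      tags:
        - always

    # Self-signed leaf certificates for the public FQDNs. These are
    # placeholders (no CA, no key usage constraints); replace them with
    # CA-issued certificates before exposing the endpoints.
    - name: "Generate external certificates" # noqa: run-once[task]
      tags:
        - always
      delegate_to: localhost
      run_once: true
      block:
        - name: "Create private keys"
          community.crypto.openssl_privatekey:
            path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
            owner: "{{ lookup('env', 'USER') }}"
            group: "{{ lookup('env', 'USER') }}"
            mode: "0600"
          loop:
            - name: nomad
              fqdn: "{{ nomad_fqdn }}"
            - name: vault
              fqdn: "{{ vault_fqdn }}"
            - name: consul
              fqdn: "{{ consul_fqdn }}"

        # The CSR is kept in memory (openssl_csr_pipe) and only the CN is set;
        # the module's default use_common_name_for_san adds DNS:<fqdn> as SAN.
        - name: "Create certificate signing request"
          community.crypto.openssl_csr_pipe:
            privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
            common_name: "{{ item.fqdn }}"
            organization_name: EDNZ Cloud
          register: csr
          loop:
            - name: nomad
              fqdn: "{{ nomad_fqdn }}"
            - name: vault
              fqdn: "{{ vault_fqdn }}"
            - name: consul
              fqdn: "{{ consul_fqdn }}"

        # item is one csr.results entry: item.csr is the PEM CSR, item.item
        # the original loop element.
        - name: "Create self-signed certificate from CSR"
          community.crypto.x509_certificate:
            path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
            csr_content: "{{ item.csr }}"
            privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
            provider: selfsigned
            owner: "{{ lookup('env', 'USER') }}"
            group: "{{ lookup('env', 'USER') }}"
            mode: "0644"
          loop: "{{ csr.results }}"

    # Internal PKI: one CA plus one leaf certificate per host and service.
    # Opt-in only (tag "never"): run with --tags internal.
    - name: "Generate internal certificates"
      tags:
        - never
        - internal
      delegate_to: localhost
      vars:
        hashistack_ca_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.key"
        hashistack_ca_cert_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.crt"
      block:
        # The CA is shared by every host, so it is created exactly once.
        - name: "Create internal CA" # noqa: run-once[task]
          run_once: true
          block:
            - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
              ansible.builtin.file:
                path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca"
                state: directory
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0755"

            # The CA key signs every service certificate; it must stay
            # owner-only readable.
            - name: "Create CA private key"
              community.crypto.openssl_privatekey:
                path: "{{ hashistack_ca_key_path }}"
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0600"

            # CA:TRUE + keyCertSign, both critical. The CA has no SAN
            # (use_common_name_for_san: false). NOTE(review): consider adding
            # cRLSign and a pathlen:0 basic constraint — not done here because
            # changing the CSR regenerates the CA and invalidates every leaf.
            - name: "Create CA signing request"
              community.crypto.openssl_csr_pipe:
                privatekey_path: "{{ hashistack_ca_key_path }}"
                common_name: "CA"
                organization_name: EDNZ Cloud
                use_common_name_for_san: false
                basic_constraints:
                  - CA:TRUE
                basic_constraints_critical: true
                key_usage:
                  - keyCertSign
                key_usage_critical: true
              register: ca_csr

            - name: "Create self-signed CA certificate from CSR"
              community.crypto.x509_certificate:
                path: "{{ hashistack_ca_cert_path }}"
                csr_content: "{{ ca_csr.csr }}"
                privatekey_path: "{{ hashistack_ca_key_path }}"
                provider: selfsigned
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0644"

        # Per-host Vault certificate (one key/cert pair per inventory host).
        # SANs cover the host name, the Consul service names Vault registers
        # under, loopback, and the API address.
        - name: "Create Vault certificates"
          when:
            - "'vault_servers' in group_names"
          vars:
            vault_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
            vault_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
          block:
            - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
              ansible.builtin.file:
                path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
                state: directory
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0755"

            - name: "Create Vault certificate keys"
              community.crypto.openssl_privatekey:
                path: "{{ vault_private_key_path }}"
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0600"

            # serverAuth + clientAuth: the same certificate is used for the
            # listener and for mutual TLS between cluster members.
            - name: "Create CSRs for Vault servers"
              community.crypto.openssl_csr_pipe:
                privatekey_path: "{{ vault_private_key_path }}"
                common_name: "{{ inventory_hostname }}"
                subject_alt_name:
                  - "DNS:{{ inventory_hostname }}"
                  - "DNS:active.vault.service.consul"
                  - "DNS:standby.vault.service.consul"
                  - "DNS:vault.service.consul"
                  - "DNS:localhost"
                  - "IP:{{ api_interface_address }}"
                  - "IP:127.0.0.1"
                key_usage_critical: true
                key_usage:
                  - Digital Signature
                  - Key Encipherment
                  - Key Agreement
                extended_key_usage:
                  - TLS Web Server Authentication
                  - TLS Web Client Authentication
                organization_name: EDNZ Cloud
                use_common_name_for_san: false
              register: vault_csr

            # Leaf validity: one year, backdated a day to absorb clock skew.
            - name: "Sign certificates with internal CA"
              community.crypto.x509_certificate:
                path: "{{ vault_certificate_path }}"
                csr_content: "{{ vault_csr.csr }}"
                provider: ownca
                ownca_path: "{{ hashistack_ca_cert_path }}"
                ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
                ownca_not_after: "+365d"
                ownca_not_before: "-1d"

            # Turn cert.pem into a chain file (leaf followed by CA).
            - name: "Concatenate CA and Child certificates"
              block:
                - name: "Read content of ca.crt"
                  ansible.builtin.slurp:
                    src: "{{ hashistack_ca_cert_path }}"
                  register: ca_crt_content

                - name: "Read content of cert.pem"
                  ansible.builtin.slurp:
                    src: "{{ vault_certificate_path }}"
                  register: cert_pem_content

                # Append the CA only if it is not already in cert.pem: on a
                # re-run x509_certificate leaves an unchanged certificate in
                # place, so an unconditional append would add one more CA copy
                # to the chain on every run.
                - name: "Concatenate certificates"
                  ansible.builtin.copy:
                    content: |-
                      {{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
                    dest: "{{ vault_certificate_path }}"
                    owner: "{{ lookup('env', 'USER') }}"
                    group: "{{ lookup('env', 'USER') }}"
                    mode: "0644"
                  when:
                    - "(ca_crt_content['content'] | b64decode) not in (cert_pem_content['content'] | b64decode)"

        # Per-host Consul certificate; servers additionally get the
        # server.<datacenter>.<domain> SAN Consul requires for server RPC.
        - name: "Create Consul certificates"
          when:
            - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
          vars:
            consul_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
            consul_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
          block:
            - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
              ansible.builtin.file:
                path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
                state: directory
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0755"

            - name: "Create Consul certificate keys"
              community.crypto.openssl_privatekey:
                path: "{{ consul_private_key_path }}"
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0600"

            - name: "Create CSRs for Consul servers"
              vars:
                consul_csr_sans: >-
                  {%- set sans_list = [
                  'DNS:' + inventory_hostname,
                  'DNS:consul.service.consul',
                  'DNS:localhost',
                  'IP:' + api_interface_address,
                  'IP:127.0.0.1'
                  ] -%}
                  {%- if consul_enable_server -%}
                  {%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
                  {%- endif -%}
                  {{ sans_list }}
              community.crypto.openssl_csr_pipe:
                privatekey_path: "{{ consul_private_key_path }}"
                common_name: "{{ inventory_hostname }}"
                subject_alt_name: "{{ consul_csr_sans }}"
                key_usage_critical: true
                key_usage:
                  - Digital Signature
                  - Key Encipherment
                  - Key Agreement
                extended_key_usage:
                  - TLS Web Server Authentication
                  - TLS Web Client Authentication
                organization_name: EDNZ Cloud
                use_common_name_for_san: false
              register: consul_csr

            - name: "Sign certificates with internal CA"
              community.crypto.x509_certificate:
                path: "{{ consul_certificate_path }}"
                csr_content: "{{ consul_csr.csr }}"
                provider: ownca
                ownca_path: "{{ hashistack_ca_cert_path }}"
                ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
                ownca_not_after: "+365d"
                ownca_not_before: "-1d"

            # Turn cert.pem into a chain file (leaf followed by CA).
            - name: "Concatenate CA and Child certificates"
              block:
                - name: "Read content of ca.crt"
                  ansible.builtin.slurp:
                    src: "{{ hashistack_ca_cert_path }}"
                  register: ca_crt_content

                - name: "Read content of cert.pem"
                  ansible.builtin.slurp:
                    src: "{{ consul_certificate_path }}"
                  register: cert_pem_content

                # Append the CA only once (see the Vault block for why).
                - name: "Concatenate certificates"
                  ansible.builtin.copy:
                    content: |-
                      {{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
                    dest: "{{ consul_certificate_path }}"
                    owner: "{{ lookup('env', 'USER') }}"
                    group: "{{ lookup('env', 'USER') }}"
                    mode: "0644"
                  when:
                    - "(ca_crt_content['content'] | b64decode) not in (cert_pem_content['content'] | b64decode)"

        # Per-host Nomad certificate; SANs follow the server.<region>.nomad /
        # client.<region>.nomad naming Nomad verifies, plus the Consul service
        # name when Consul integration is enabled.
        - name: "Create Nomad certificates"
          when:
            - "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
          vars:
            nomad_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
            nomad_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
          block:
            - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
              ansible.builtin.file:
                path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
                state: directory
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0755"

            - name: "Create Nomad certificate keys"
              community.crypto.openssl_privatekey:
                path: "{{ nomad_private_key_path }}"
                owner: "{{ lookup('env', 'USER') }}"
                group: "{{ lookup('env', 'USER') }}"
                mode: "0600"

            - name: "Create CSRs for Nomad servers"
              vars:
                nomad_csr_sans: >-
                  {%- set sans_list = [
                  'DNS:' + inventory_hostname,
                  'DNS:localhost',
                  'IP:' + api_interface_address,
                  'IP:127.0.0.1'
                  ] -%}
                  {%- if nomad_enable_server -%}
                  {%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
                  {%- if (enable_consul | bool) -%}
                  {%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
                  {%- endif -%}
                  {%- endif -%}
                  {%- if nomad_enable_client -%}
                  {%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
                  {%- endif -%}
                  {{ sans_list }}
              community.crypto.openssl_csr_pipe:
                privatekey_path: "{{ nomad_private_key_path }}"
                common_name: "{{ inventory_hostname }}"
                subject_alt_name: "{{ nomad_csr_sans }}"
                key_usage_critical: true
                key_usage:
                  - Digital Signature
                  - Key Encipherment
                extended_key_usage:
                  - TLS Web Server Authentication
                  - TLS Web Client Authentication
                organization_name: EDNZ Cloud
                use_common_name_for_san: false
              register: nomad_csr

            - name: "Sign certificates with internal CA"
              community.crypto.x509_certificate:
                path: "{{ nomad_certificate_path }}"
                csr_content: "{{ nomad_csr.csr }}"
                provider: ownca
                ownca_path: "{{ hashistack_ca_cert_path }}"
                ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
                ownca_not_after: "+365d"
                ownca_not_before: "-1d"

            # Turn cert.pem into a chain file (leaf followed by CA).
            - name: "Concatenate CA and Child certificates"
              block:
                - name: "Read content of ca.crt"
                  ansible.builtin.slurp:
                    src: "{{ hashistack_ca_cert_path }}"
                  register: ca_crt_content

                - name: "Read content of cert.pem"
                  ansible.builtin.slurp:
                    src: "{{ nomad_certificate_path }}"
                  register: cert_pem_content

                # Append the CA only once (see the Vault block for why).
                - name: "Concatenate certificates"
                  ansible.builtin.copy:
                    content: |-
                      {{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
                    dest: "{{ nomad_certificate_path }}"
                    owner: "{{ lookup('env', 'USER') }}"
                    group: "{{ lookup('env', 'USER') }}"
                    mode: "0644"
                  when:
                    - "(ca_crt_content['content'] | b64decode) not in (cert_pem_content['content'] | b64decode)"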