diff --git a/roles/hashistack_ca/tasks/generate/generate_consul.yml b/roles/hashistack_ca/tasks/generate/generate_consul.yml
index 0ea58b9..a2600f2 100644
--- a/roles/hashistack_ca/tasks/generate/generate_consul.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_consul.yml
@@ -1,5 +1,5 @@
 ---
-# task/generate_consul for hashistack_ca
+# task/generate_consul file for hashistack_ca
 - name: "Consul leaf certificates | Create certificate directory in for consul servers"
 ansible.builtin.file:
 path: "{{ hashistack_ca_consul_dir }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_intermediate.yml b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
index 5245d7a..da61e00 100644
--- a/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
@@ -1,5 +1,5 @@
 ---
-# task/generate_intermediate for hashistack_ca
+# task/generate_intermediate file for hashistack_ca
 - name: "Intermediate CA | Create temporary cert directory in {{ hashistack_ca_directory }}/intermediate"
 ansible.builtin.file:
 path: "{{ hashistack_ca_intermediate_dir }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_nomad.yml b/roles/hashistack_ca/tasks/generate/generate_nomad.yml
index 111ab2b..20e9dc8 100644
--- a/roles/hashistack_ca/tasks/generate/generate_nomad.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_nomad.yml
@@ -1,5 +1,5 @@
 ---
-# task/generate_nomad for hashistack_ca
+# task/generate_nomad file for hashistack_ca
 - name: "Nomad leaf certificates | Create certificate directory in for nomad servers"
 ansible.builtin.file:
 path: "{{ hashistack_ca_nomad_dir }}"
@@ -42,6 +42,9 @@
 ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
 ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
 ownca_not_before: "-1d"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0644"
 
 - name: "Nomad leaf certificates | Generate fullchain certificate"
 block:
diff --git a/roles/hashistack_ca/tasks/generate/generate_root.yml b/roles/hashistack_ca/tasks/generate/generate_root.yml
index 9711c1b..f634316 100644
--- a/roles/hashistack_ca/tasks/generate/generate_root.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_root.yml
@@ -1,5 +1,5 @@
 ---
-# task/generate_root for hashistack_ca
+# task/generate_root file for hashistack_ca
 - name: "Root CA | Create temporary cert directory in {{ hashistack_ca_directory }}" # noqa: run-once[task]
 ansible.builtin.file:
 path: "{{ hashistack_ca_root_dir }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_vault.yml b/roles/hashistack_ca/tasks/generate/generate_vault.yml
index abb42f5..5bfd708 100644
--- a/roles/hashistack_ca/tasks/generate/generate_vault.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_vault.yml
@@ -1,5 +1,5 @@
 ---
-# task/generate_vault for hashistack_ca
+# task/generate_vault file for hashistack_ca
 - name: "Vault leaf certificates | Create certificate directory in for vault servers"
 ansible.builtin.file:
 path: "{{ hashistack_ca_vault_dir }}"
diff --git a/roles/hashistack_ca/tasks/main.yml b/roles/hashistack_ca/tasks/main.yml
index ac20f28..00a8b62 100644
--- a/roles/hashistack_ca/tasks/main.yml
+++ b/roles/hashistack_ca/tasks/main.yml
@@ -39,3 +39,9 @@
 when:
 - hashistack_ca_generate_leaf
 - "'vault_servers' in group_names"
+
+- name: "Consul leaf certificates | Import renew_consul.yml"
+ ansible.builtin.include_tasks: renew/renew_consul.yml
+ when:
+ - hashistack_ca_renew_leaf
+ - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
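Review bot: `group:` is populated from `hashistack_ca_directory_owner`, the same variable as the `owner:` line above it, which reads like a copy-paste slip; if the role defines a separate group variable it should be used here, and if owner and group are meant to coincide a comment such as `# group intentionally matches owner` would make that explicit. The task this hunk extends starts above the hunk, so its module name is not visible, but the `ownca_*` keys suggest it writes the leaf certificate, for which `mode: "0644"` (a world-readable public certificate) is appropriate. The same `owner`/`group`/`mode` addition does not appear in the generate_consul.yml and generate_vault.yml hunks of this commit; if those files lack it, their certificates keep whatever ownership the module defaults to, so the three leaf generators should be aligned.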
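Review bot: Only renew_consul.yml is wired into main.yml by the added task, while this commit also creates renew/renew_nomad.yml and renew/renew_vault.yml; unless they are included elsewhere in main.yml outside this hunk, Nomad and Vault leaf certificates are never renewed even with `hashistack_ca_renew_leaf` set. Two further include tasks mirroring the new one, guarded by `hashistack_ca_renew_leaf` and the same group conditions the corresponding generate includes use, would close that gap. The `when:` context lines at the top of the hunk belong to a task that starts above the hunk.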
diff --git a/roles/hashistack_ca/tasks/renew/renew_consul.yml b/roles/hashistack_ca/tasks/renew/renew_consul.yml
new file mode 100644
index 0000000..b57188f
--- /dev/null
+++ b/roles/hashistack_ca/tasks/renew/renew_consul.yml
@@ -0,0 +1,55 @@
+---
+# tasks/renew/renew_consul file for hashistack_ca
+- name: "Consul leaf certificates | Check if certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_consul_cert_path }}"
+ register: _hashistack_ca_consul_cert_stat
+
+- name: "Consul leaf certificates | Check if intermediate CA certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_stat
+
+- name: "Consul leaf certificates | Check certificate for renewal"
+ when:
+ - _hashistack_ca_consul_cert_stat.stat.exists
+ - _hashistack_ca_consul_cert_stat.stat.isreg
+ - _hashistack_ca_intermediate_cert_stat.stat.exists
+ - _hashistack_ca_intermediate_cert_stat.stat.isreg
+ block:
+ - name: "Consul leaf certificates | Get certificate expiration date"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_consul_cert_path }}"
+ valid_at:
+ renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
+ register: _hashistack_ca_consul_cert_info
+
+ - name: "Intermediate CA | Get intermediate CA certificate info"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_info
+
+ - name: "Consul leaf certificates | Check if certificate is expiring within the threshold"
+ ansible.builtin.set_fact:
+ _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_consul_cert_info.valid_at.renew_threshold }}"
+
+ - name: "Consul leaf certificates | Check if intermediate CA has been renewed"
+ ansible.builtin.set_fact:
+ _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_consul_cert_info.not_before }}"
+
+- name: "Consul leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
+ when:
+ - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
+ block:
+ - name: "Consul leaf certificates | Remove old certificate before renewal"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_consul_cert_path }}"
+ state: absent
+
+ - name: "Consul leaf certificates | Remove old certificate key before renewal"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_consul_key_path }}"
+ state: absent
+
+ - name: "Consul leaf certificates | Generate new consul leaf certificate"
+ ansible.builtin.include_tasks: ../generate/generate_consul.yml
diff --git a/roles/hashistack_ca/tasks/renew/renew_intermediate.yml b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
index 2240733..4b56a1b 100644
--- a/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
@@ -1,5 +1,5 @@
 ---
-# tasks/renew/renew_intermediate.yml file for hashistack_ca
+# tasks/renew/renew_intermediate file for hashistack_ca
 - name: "Intermediate CA | Check if intermediate CA certificate exists"
 ansible.builtin.stat:
 path: "{{ hashistack_ca_intermediate_cert_path }}"
diff --git a/roles/hashistack_ca/tasks/renew/renew_nomad.yml b/roles/hashistack_ca/tasks/renew/renew_nomad.yml
new file mode 100644
index 0000000..eb08c51
--- /dev/null
+++ b/roles/hashistack_ca/tasks/renew/renew_nomad.yml
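Review bot: The second block's `when` near the end of the hunk references `_hashistack_cert_is_expiring_soon` and `_hashistack_ca_intermediate_renewed`, but both facts are only set inside the first block, which is skipped whenever the leaf or intermediate certificate is missing or not a regular file; on such a host the conditional evaluates an undefined variable and the play fails instead of skipping. Guard it with defaults: `- (_hashistack_cert_is_expiring_soon | default(false)) or (_hashistack_ca_intermediate_renewed | default(false))`. The two facts are also not namespaced per service — renew_nomad.yml and renew_vault.yml in this same commit set identical names — so a `true` left behind by the Consul run persists on the host and can trigger a Nomad or Vault renewal whose own check block was skipped; prefixing them with the service (e.g. `_hashistack_ca_consul_cert_is_expiring_soon`) avoids that. Removing the live certificate and key before `include_tasks` regenerates them means any failure inside generate_consul.yml leaves the node with no key material until the next run; generating into a temporary path and moving into place, or deleting only after the new files exist, would close that window. All three points apply equally to the renew_nomad.yml and renew_vault.yml hunks.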
@@ -0,0 +1,55 @@
+---
+# tasks/renew/renew_nomad file for hashistack_ca
+- name: "Nomad leaf certificates | Check if certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_nomad_cert_path }}"
+ register: _hashistack_ca_nomad_cert_stat
+
+- name: "Nomad leaf certificates | Check if intermediate CA certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_stat
+
+- name: "Nomad leaf certificates | Check certificate for renewal"
+ when:
+ - _hashistack_ca_nomad_cert_stat.stat.exists
+ - _hashistack_ca_nomad_cert_stat.stat.isreg
+ - _hashistack_ca_intermediate_cert_stat.stat.exists
+ - _hashistack_ca_intermediate_cert_stat.stat.isreg
+ block:
+ - name: "Nomad leaf certificates | Get certificate expiration date"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_nomad_cert_path }}"
+ valid_at:
+ renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
+ register: _hashistack_ca_nomad_cert_info
+
+ - name: "Intermediate CA | Get intermediate CA certificate info"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_info
+
+ - name: "Nomad leaf certificates | Check if certificate is expiring within the threshold"
+ ansible.builtin.set_fact:
+ _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_nomad_cert_info.valid_at.renew_threshold }}"
+
+ - name: "Nomad leaf certificates | Check if intermediate CA has been renewed"
+ ansible.builtin.set_fact:
+ _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_nomad_cert_info.not_before }}"
+
+- name: "Nomad leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
+ when:
+ - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
+ block:
+ - name: "Nomad leaf certificates | Remove old certificate before renewal"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_nomad_cert_path }}"
+ state: absent
+
+ - name: "Nomad leaf certificates | Remove old certificate key before renewal"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_nomad_key_path }}"
+ state: absent
+
+ - name: "Nomad leaf certificates | Generate new nomad leaf certificate"
+ ansible.builtin.include_tasks: ../generate/generate_nomad.yml
diff --git a/roles/hashistack_ca/tasks/renew/renew_root.yml b/roles/hashistack_ca/tasks/renew/renew_root.yml
index e2593fd..9f0ca63 100644
--- a/roles/hashistack_ca/tasks/renew/renew_root.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_root.yml
@@ -1,5 +1,5 @@
 ---
-# tasks/renew/renew_root.yml
+# tasks/renew/renew_root file for hashistack_ca
 - name: "Root CA | Check if root CA certificate exists"
 ansible.builtin.stat:
 path: "{{ hashistack_ca_root_cert_path }}"
diff --git a/roles/hashistack_ca/tasks/renew/renew_vault.yml b/roles/hashistack_ca/tasks/renew/renew_vault.yml
new file mode 100644
index 0000000..cd9596a
--- /dev/null
+++ b/roles/hashistack_ca/tasks/renew/renew_vault.yml
@@ -0,0 +1,55 @@
+---
+# tasks/renew/renew_vault file for hashistack_ca
+- name: "Vault leaf certificates | Check if certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_vault_cert_path }}"
+ register: _hashistack_ca_vault_cert_stat
+
+- name: "Vault leaf certificates | Check if intermediate CA certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_stat
+
+- name: "Vault leaf certificates | Check certificate for renewal"
+ when:
+ - _hashistack_ca_vault_cert_stat.stat.exists
+ - _hashistack_ca_vault_cert_stat.stat.isreg
+ - _hashistack_ca_intermediate_cert_stat.stat.exists
+ - _hashistack_ca_intermediate_cert_stat.stat.isreg
+ block:
+ - name: "Vault leaf certificates | Get certificate expiration date"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_vault_cert_path }}"
+ valid_at:
+ renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
+ register: _hashistack_ca_vault_cert_info
+
+ - name: "Intermediate CA | Get intermediate CA certificate info"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_info
+
+ - name: "Vault leaf certificates | Check if certificate is expiring within the threshold"
+ ansible.builtin.set_fact:
+ _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_vault_cert_info.valid_at.renew_threshold }}"
+
+ - name: "Vault leaf certificates | Check if intermediate CA has been renewed"
+ ansible.builtin.set_fact:
+ _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_vault_cert_info.not_before }}"
+
+- name: "Vault leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
+ when:
+ - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
+ block:
+ - name: "Vault leaf certificates | Remove old certificate before renewal"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_vault_cert_path }}"
+ state: absent
+
+ - name: "Vault leaf certificates | Remove old certificate key before renewal"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_vault_key_path }}"
+ state: absent
+
+ - name: "Vault leaf certificates | Generate new vault leaf certificate"
+ ansible.builtin.include_tasks: ../generate/generate_vault.yml