feat: add renewal process for leaf CA

2024-08-17 12:53:06 +02:00 · 2024-08-17 12:53:06 +02:00 · 10bea17054
commit 10bea17054
parent d194e5ef23
11 changed files with 181 additions and 7 deletions
--- a/roles/hashistack_ca/tasks/generate/generate_consul.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_consul.yml
@ -1,5 +1,5 @@
 ---
-# task/generate_consul for hashistack_ca
+# task/generate_consul file for hashistack_ca
 - name: "Consul leaf certificates | Create certificate directory in for consul servers"
  ansible.builtin.file:
    path: "{{ hashistack_ca_consul_dir }}"
--- a/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
@ -1,5 +1,5 @@
 ---
-# task/generate_intermediate for hashistack_ca
+# task/generate_intermediate file for hashistack_ca
 - name: "Intermediate CA | Create temporary cert directory in {{ hashistack_ca_directory }}/intermediate"
  ansible.builtin.file:
    path: "{{ hashistack_ca_intermediate_dir }}"
--- a/roles/hashistack_ca/tasks/generate/generate_nomad.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_nomad.yml
@ -1,5 +1,5 @@
 ---
-# task/generate_nomad for hashistack_ca
+# task/generate_nomad file for hashistack_ca
 - name: "Nomad leaf certificates | Create certificate directory in for nomad servers"
  ansible.builtin.file:
    path: "{{ hashistack_ca_nomad_dir }}"
@ -42,6 +42,9 @@
        ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
        ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
        ownca_not_before: "-1d"
+        owner: "{{ hashistack_ca_directory_owner }}"
+        group: "{{ hashistack_ca_directory_owner }}"
+        mode: "0644"

    - name: "Nomad leaf certificates | Generate fullchain certificate"
      block:
--- a/roles/hashistack_ca/tasks/generate/generate_root.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_root.yml
@ -1,5 +1,5 @@
 ---
-# task/generate_root for hashistack_ca
+# task/generate_root file for hashistack_ca
 - name: "Root CA | Create temporary cert directory in {{ hashistack_ca_directory }}" # noqa: run-once[task]
  ansible.builtin.file:
    path: "{{ hashistack_ca_root_dir }}"
--- a/roles/hashistack_ca/tasks/generate/generate_vault.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_vault.yml
@ -1,5 +1,5 @@
 ---
-# task/generate_vault for hashistack_ca
+# task/generate_vault file for hashistack_ca
 - name: "Vault leaf certificates | Create certificate directory in for vault servers"
  ansible.builtin.file:
    path: "{{ hashistack_ca_vault_dir }}"
--- a/roles/hashistack_ca/tasks/main.yml
+++ b/roles/hashistack_ca/tasks/main.yml
@ -39,3 +39,9 @@
  when:
    - hashistack_ca_generate_leaf
    - "'vault_servers' in group_names"
+
+- name: "Consul leaf certificates | Import renew_consul.yml"
+  ansible.builtin.include_tasks: renew/renew_consul.yml
+  when:
+    - hashistack_ca_renew_leaf
+    - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
--- a/roles/hashistack_ca/tasks/renew/renew_consul.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_consul.yml
@ -0,0 +1,55 @@
+---
+# tasks/renew/renew_consul file for hashistack_ca
+- name: "Consul leaf certificates | Check if certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_consul_cert_path }}"
+  register: _hashistack_ca_consul_cert_stat
+
+- name: "Consul leaf certificates | Check if intermediate CA certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_intermediate_cert_path }}"
+  register: _hashistack_ca_intermediate_cert_stat
+
+- name: "Consul leaf certificates | Check certificate for renewal"
+  when:
+    - _hashistack_ca_consul_cert_stat.stat.exists
+    - _hashistack_ca_consul_cert_stat.stat.isreg
+    - _hashistack_ca_intermediate_cert_stat.stat.exists
+    - _hashistack_ca_intermediate_cert_stat.stat.isreg
+  block:
+    - name: "Consul leaf certificates | Get certificate expiration date"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_consul_cert_path }}"
+        valid_at:
+          renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
+      register: _hashistack_ca_consul_cert_info
+
+    - name: "Intermediate CA | Get intermediate CA certificate info"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_intermediate_cert_path }}"
+      register: _hashistack_ca_intermediate_cert_info
+
+    - name: "Consul leaf certificates | Check if certificate is expiring within the threshold"
+      ansible.builtin.set_fact:
+        _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_consul_cert_info.valid_at.renew_threshold }}"
+
+    - name: "Consul leaf certificates | Check if intermediate CA has been renewed"
+      ansible.builtin.set_fact:
+        _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_consul_cert_info.not_before }}"
+
+- name: "Consul leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
+  when:
+    - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
+  block:
+    - name: "Consul leaf certificates | Remove old certificate before renewal"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_consul_cert_path }}"
+        state: absent
+
+    - name: "Consul leaf certificates | Remove old certificate key before renewal"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_consul_key_path }}"
+        state: absent
+
+    - name: "Consul leaf certificates | Generate new consul leaf certificate"
+      ansible.builtin.include_tasks: ../generate/generate_consul.yml
--- a/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
@ -1,5 +1,5 @@
 ---
-# tasks/renew/renew_intermediate.yml file for hashistack_ca
+# tasks/renew/renew_intermediate file for hashistack_ca
 - name: "Intermediate CA | Check if intermediate CA certificate exists"
  ansible.builtin.stat:
    path: "{{ hashistack_ca_intermediate_cert_path }}"
--- a/roles/hashistack_ca/tasks/renew/renew_nomad.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_nomad.yml
@ -0,0 +1,55 @@
+---
+# tasks/renew/renew_nomad file for hashistack_ca
+- name: "Nomad leaf certificates | Check if certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_nomad_cert_path }}"
+  register: _hashistack_ca_nomad_cert_stat
+
+- name: "Nomad leaf certificates | Check if intermediate CA certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_intermediate_cert_path }}"
+  register: _hashistack_ca_intermediate_cert_stat
+
+- name: "Nomad leaf certificates | Check certificate for renewal"
+  when:
+    - _hashistack_ca_nomad_cert_stat.stat.exists
+    - _hashistack_ca_nomad_cert_stat.stat.isreg
+    - _hashistack_ca_intermediate_cert_stat.stat.exists
+    - _hashistack_ca_intermediate_cert_stat.stat.isreg
+  block:
+    - name: "Nomad leaf certificates | Get certificate expiration date"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_nomad_cert_path }}"
+        valid_at:
+          renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
+      register: _hashistack_ca_nomad_cert_info
+
+    - name: "Intermediate CA | Get intermediate CA certificate info"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_intermediate_cert_path }}"
+      register: _hashistack_ca_intermediate_cert_info
+
+    - name: "Nomad leaf certificates | Check if certificate is expiring within the threshold"
+      ansible.builtin.set_fact:
+        _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_nomad_cert_info.valid_at.renew_threshold }}"
+
+    - name: "Nomad leaf certificates | Check if intermediate CA has been renewed"
+      ansible.builtin.set_fact:
+        _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_nomad_cert_info.not_before }}"
+
+- name: "Nomad leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
+  when:
+    - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
+  block:
+    - name: "Nomad leaf certificates | Remove old certificate before renewal"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_nomad_cert_path }}"
+        state: absent
+
+    - name: "Nomad leaf certificates | Remove old certificate key before renewal"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_nomad_key_path }}"
+        state: absent
+
+    - name: "Nomad leaf certificates | Generate new nomad leaf certificate"
+      ansible.builtin.include_tasks: ../generate/generate_nomad.yml
--- a/roles/hashistack_ca/tasks/renew/renew_root.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_root.yml
@ -1,5 +1,5 @@
 ---
-# tasks/renew/renew_root.yml
+# tasks/renew/renew_root file for hashistack_ca
 - name: "Root CA | Check if root CA certificate exists"
  ansible.builtin.stat:
    path: "{{ hashistack_ca_root_cert_path }}"
--- a/roles/hashistack_ca/tasks/renew/renew_vault.yml
+++ b/roles/hashistack_ca/tasks/renew/renew_vault.yml
@ -0,0 +1,55 @@
+---
+# tasks/renew/renew_vault file for hashistack_ca
+- name: "Vault leaf certificates | Check if certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_vault_cert_path }}"
+  register: _hashistack_ca_vault_cert_stat
+
+- name: "Vault leaf certificates | Check if intermediate CA certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_intermediate_cert_path }}"
+  register: _hashistack_ca_intermediate_cert_stat
+
+- name: "Vault leaf certificates | Check certificate for renewal"
+  when:
+    - _hashistack_ca_vault_cert_stat.stat.exists
+    - _hashistack_ca_vault_cert_stat.stat.isreg
+    - _hashistack_ca_intermediate_cert_stat.stat.exists
+    - _hashistack_ca_intermediate_cert_stat.stat.isreg
+  block:
+    - name: "Vault leaf certificates | Get certificate expiration date"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_vault_cert_path }}"
+        valid_at:
+          renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
+      register: _hashistack_ca_vault_cert_info
+
+    - name: "Intermediate CA | Get intermediate CA certificate info"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_intermediate_cert_path }}"
+      register: _hashistack_ca_intermediate_cert_info
+
+    - name: "Vault leaf certificates | Check if certificate is expiring within the threshold"
+      ansible.builtin.set_fact:
+        _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_vault_cert_info.valid_at.renew_threshold }}"
+
+    - name: "Vault leaf certificates | Check if intermediate CA has been renewed"
+      ansible.builtin.set_fact:
+        _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_vault_cert_info.not_before }}"
+
+- name: "Vault leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
+  when:
+    - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
+  block:
+    - name: "Vault leaf certificates | Remove old certificate before renewal"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_vault_cert_path }}"
+        state: absent
+
+    - name: "Vault leaf certificates | Remove old certificate key before renewal"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_vault_key_path }}"
+        state: absent
+
+    - name: "Vault leaf certificates | Generate new vault leaf certificate"
+      ansible.builtin.include_tasks: ../generate/generate_vault.yml