From d194e5ef237c7346b5aeb39882628c9e9ac2b77b Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sat, 17 Aug 2024 12:16:52 +0200 Subject: [PATCH] feat: add leaf certificate genearation --- molecule/hashistack_ca_default/converge.yml | 2 + .../hashistack_ca_default/group_vars/all.yml | 52 ++++++++++++- molecule/hashistack_ca_default/molecule.yml | 30 +++++++- roles/hashistack_ca/defaults/main.yml | 44 ++++++++++- .../tasks/generate/generate_consul.yml | 73 +++++++++++++++++++ .../tasks/generate/generate_intermediate.yml | 14 ++-- .../tasks/generate/generate_nomad.yml | 70 ++++++++++++++++++ .../tasks/generate/generate_root.yml | 18 ++--- .../tasks/generate/generate_vault.yml | 73 +++++++++++++++++++ roles/hashistack_ca/tasks/main.yml | 18 +++++ .../tasks/prepare_ca_to_copy.yml | 8 +- .../tasks/renew/renew_intermediate.yml | 4 +- .../hashistack_ca/tasks/renew/renew_root.yml | 8 +- roles/hashistack_ca/vars/main.yml | 19 ++++- 14 files changed, 396 insertions(+), 37 deletions(-) diff --git a/molecule/hashistack_ca_default/converge.yml b/molecule/hashistack_ca_default/converge.yml index b8f9f43..980542b 100644 --- a/molecule/hashistack_ca_default/converge.yml +++ b/molecule/hashistack_ca_default/converge.yml @@ -6,3 +6,5 @@ - name: "Include ednz_cloud.hashistack.hashistack_ca" ansible.builtin.include_role: name: "ednz_cloud.hashistack.hashistack_ca" + apply: + delegate_to: localhost diff --git a/molecule/hashistack_ca_default/group_vars/all.yml b/molecule/hashistack_ca_default/group_vars/all.yml index 74f1f2a..1ed4e3d 100644 --- a/molecule/hashistack_ca_default/group_vars/all.yml +++ b/molecule/hashistack_ca_default/group_vars/all.yml 
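Review bot: `apply: delegate_to: localhost` on this include is now the only thing that keeps the CA private keys on the controller, because the task-level `delegate_to: localhost` lines are dropped from generate_root.yml and generate_intermediate.yml in this same commit while prepare_ca_to_copy.yml keeps its own. A consumer that includes the role without this `apply` will generate the root and intermediate keys on each managed host, and `run_once: true` on the root block means only the first host gets a root CA at all. That contract should be stated in the role README and next to `hashistack_ca_directory` in defaults/main.yml, e.g. `# The role expects the caller to delegate it to the controller; keys are written under this path on whichever host executes the tasks.`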
@@ -1,9 +1,9 @@ --- -# defaults file for hashistack_ca hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates" hashistack_ca_use_cryptography: false hashistack_ca_action: "noop" hashistack_ca_domain: ednz.fr +hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}" ############################## # Root Certificate Authority # @@ -26,8 +26,8 @@ hashistack_ca_root_state_or_province_name: hashistack_ca_root_email_address: # Validity -hashistack_ca_root_valid_for: 0d -hashistack_ca_root_renew_threshold: 0d +hashistack_ca_root_valid_for: 1825d +hashistack_ca_root_renew_threshold: 180d ###################################### # Intermediate Certificate Authority # 
@@ -56,12 +56,56 @@ hashistack_ca_intermediate_renew_threshold: 90d # Name Constraints hashistack_ca_intermediate_name_constraints_permitted: + - "DNS:.{{ hashistack_ca_domain }}" - DNS:.nomad - DNS:.consul - - DNS:.example.com - DNS:localhost - IP:192.168.0.0/16 - IP:172.16.0.0/16 - IP:10.0.0.0/8 - IP:127.0.0.0/8 hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}" + +##################### +# Leaf certificates # +##################### + +hashistack_ca_leaf_valid_for: 90d +hashistack_ca_leaf_renew_threshold: 30d + +############################ +# Consul Leaf Certificates # +############################ +hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_consul_common_name: "{{ inventory_hostname }}" +hashistack_ca_consul_csr_sans: + - "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}" + - "DNS:consul.service.consul" + - "DNS:localhost" + - "IP:127.0.0.1" + +########################### +# Nomad Leaf Certificates # +########################### +hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_nomad_common_name: "{{ inventory_hostname }}" +hashistack_ca_nomad_csr_sans: + - "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}" + - DNS:server.global.nomad + - DNS:client.global.nomad + - "DNS:nomad.service.consul" + - "DNS:localhost" + - "IP:127.0.0.1" + +########################### +# Vault Leaf Certificates # +########################### +hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_vault_common_name: "{{ inventory_hostname }}" +hashistack_ca_vault_csr_sans: + - "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}" + - "DNS:vault.service.consul" + - "DNS:active.vault.service.consul" + - "DNS:standby.vault.service.consul" + - "DNS:localhost" + - "IP:127.0.0.1" 
diff --git a/molecule/hashistack_ca_default/molecule.yml b/molecule/hashistack_ca_default/molecule.yml index c84ca7b..1f90d9e 100644 --- a/molecule/hashistack_ca_default/molecule.yml +++ b/molecule/hashistack_ca_default/molecule.yml @@ -6,7 +6,7 @@ dependency: driver: name: docker platforms: - - name: instance + - name: consul-vault image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible command: "" volumes: @@ -14,6 +14,34 @@ platforms: cgroupns_mode: host privileged: true pre_build_image: true + groups: + - common + - consul_servers + - vault_servers + - name: vault-nomad + image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible + command: "" + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup + cgroupns_mode: host + privileged: true + pre_build_image: true + groups: + - common + - nomad_clients + - vault_servers + - name: nomad-consul + image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible + command: "" + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup + cgroupns_mode: host + privileged: true + pre_build_image: true + groups: + - common + - nomad_clients + - consul_agents provisioner: name: ansible config_options: diff --git a/roles/hashistack_ca/defaults/main.yml b/roles/hashistack_ca/defaults/main.yml index 6b9aacd..9020363 100644 --- a/roles/hashistack_ca/defaults/main.yml +++ b/roles/hashistack_ca/defaults/main.yml @@ -4,6 +4,7 @@ hashistack_ca_directory: "/etc/hashistack/certificates" hashistack_ca_use_cryptography: false hashistack_ca_action: "noop" hashistack_ca_domain: example.com +hashistack_ca_directory_owner: root ############################## # Root Certificate Authority # 
@@ -56,12 +57,53 @@ hashistack_ca_intermediate_renew_threshold: 90d # Name Constraints hashistack_ca_intermediate_name_constraints_permitted: + - "DNS:.{{ hashistack_ca_domain }}" - DNS:.nomad - DNS:.consul - - DNS:.example.com - DNS:localhost - IP:192.168.0.0/16 - IP:172.16.0.0/16 - IP:10.0.0.0/8 - IP:127.0.0.0/8 hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}" + +##################### +# Leaf certificates # +##################### + +hashistack_ca_leaf_valid_for: 90d +hashistack_ca_leaf_renew_threshold: 30d + +############################ +# Consul Leaf Certificates # +############################ +hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_consul_common_name: "{{ inventory_hostname }}" +hashistack_ca_consul_csr_sans: + - "DNS:consul.service.consul" + - "DNS:localhost" + - "IP:127.0.0.1" + +########################### +# Nomad Leaf Certificates # +########################### +hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_nomad_common_name: "{{ inventory_hostname }}" +hashistack_ca_nomad_csr_sans: + - DNS:server.global.nomad + - DNS:client.global.nomad + - "DNS:nomad.service.consul" + - "DNS:localhost" + - "IP:127.0.0.1" + +########################### +# Vault Leaf Certificates # +########################### +hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_vault_common_name: "{{ inventory_hostname }}" +hashistack_ca_vault_csr_sans: + - "DNS:vault.service.consul" + - "DNS:active.vault.service.consul" + - "DNS:standby.vault.service.consul" + - "DNS:localhost" + - "IP:127.0.0.1" diff --git a/roles/hashistack_ca/tasks/generate/generate_consul.yml b/roles/hashistack_ca/tasks/generate/generate_consul.yml index e69de29..0ea58b9 100644 --- a/roles/hashistack_ca/tasks/generate/generate_consul.yml 
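Review bot: The default `hashistack_ca_consul_csr_sans`, `hashistack_ca_nomad_csr_sans` and `hashistack_ca_vault_csr_sans` lists carry no entry for the host itself, and the CSR tasks set `use_common_name_for_san: false`, so a certificate issued with these defaults validates only for the service names and localhost, never for `inventory_hostname` or its FQDN; the molecule group_vars add `"DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"` to each list, which suggests the defaults are missing it. Either add that entry to the three default lists or note above them that consumers must supply their host names (the intermediate name constraints permit `DNS:.{{ hashistack_ca_domain }}` for exactly that). `hashistack_ca_leaf_renew_threshold: 30d` is also introduced here, but no task in this diff reads it, so a comment such as `# not consumed yet; leaf renewal is not implemented` would stop users relying on it.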
+++ b/roles/hashistack_ca/tasks/generate/generate_consul.yml 
@@ -0,0 +1,73 @@
+---
+# task/generate_consul for hashistack_ca
+- name: "Consul leaf certificates | Create certificate directory in for consul servers"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_consul_dir }}"
+ state: directory
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0755"
+
+- name: "Consul leaf certificates | Create Consul certificates"
+ block:
+ - name: "Consul leaf certificates | Create Consul certificate keys"
+ community.crypto.openssl_privatekey:
+ path: "{{ hashistack_ca_consul_key_path }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+
+ - name: "Consul leaf certificates | Create CSRs for Consul servers"
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "{{ hashistack_ca_consul_key_path }}"
+ common_name: "{{ hashistack_ca_consul_common_name }}"
+ subject_alt_name: "{{ hashistack_ca_consul_csr_sans }}"
+ key_usage_critical: true
+ key_usage:
+ - Digital Signature
+ - Key Encipherment
+ - Key Agreement
+ extended_key_usage:
+ - TLS Web Server Authentication
+ - TLS Web Client Authentication
+ organization_name: "{{ hashistack_ca_consul_org_name }}"
+ use_common_name_for_san: false
+ register: _hashistack_ca_consul_csr
+
+ - name: "Consul leaf certificates | Sign certificates with internal CA"
+ community.crypto.x509_certificate:
+ path: "{{ hashistack_ca_consul_cert_path }}"
+ csr_content: "{{ _hashistack_ca_consul_csr.csr }}"
+ provider: ownca
+ ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
+ ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
+ ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
+ ownca_not_before: "-1d"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0644"
+
+ - name: "Consul leaf certificates | Generate fullchain certificate"
+ block:
+ - name: "Consul leaf certificates | Read content of root ca certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_root_key_path }}"
+ register: _hashistack_ca_root_crt
+
+ - name: "Consul leaf certificates | Read content of intermediate ca certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_crt
+
+ - name: "Consul leaf certificates | Read content of leaf certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_consul_cert_path }}"
+ register: _hashistack_ca_consul_crt
+
+ - name: "Consul leaf certificates | Concatenate certificates"
+ ansible.builtin.copy:
+ content: |
+ {{ _hashistack_ca_consul_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
+ dest: "{{ hashistack_ca_consul_fullchain_path }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0644"
diff --git a/roles/hashistack_ca/tasks/generate/generate_intermediate.yml b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
index db42ca9..5245d7a 100644
--- a/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
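Review bot: The "Read content of root ca certificate" task slurps `hashistack_ca_root_key_path`, which generate_root.yml in this same diff passes as `privatekey_path` (it is the root CA private key), so the file written to `hashistack_ca_consul_fullchain_path` with `mode: "0644"` would contain the root private key instead of the root certificate, world-readable and handed out as a chain. The same line is in generate_nomad.yml and generate_vault.yml. The fix in all three is `src: "{{ hashistack_ca_root_cert_path }}"`, matching the intermediate task right below it, which correctly reads `hashistack_ca_intermediate_cert_path`. Separately, the `openssl_privatekey` task for the leaf key sets owner and group but no `mode`; pinning `mode: "0600"` makes the intended protection explicit instead of relying on the module default.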
@@ -4,19 +4,17 @@
 ansible.builtin.file:
 path: "{{ hashistack_ca_intermediate_dir }}"
 state: directory
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
 mode: "0755"
- delegate_to: localhost
 - name: "Intermediate CA | Generate internal certificates"
- delegate_to: localhost
 block:
 - name: "Intermediate CA | Create intermediate CA private key"
 community.crypto.openssl_privatekey:
 path: "{{ hashistack_ca_intermediate_key_path }}"
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
 - name: "Intermediate CA | Create intermediate CA signing request"
 community.crypto.openssl_csr_pipe:
@@ -44,6 +42,6 @@
 ownca_path: "{{ hashistack_ca_root_cert_path }}"
 ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}"
 provider: ownca
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
 ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_nomad.yml b/roles/hashistack_ca/tasks/generate/generate_nomad.yml
index e69de29..111ab2b 100644
--- a/roles/hashistack_ca/tasks/generate/generate_nomad.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_nomad.yml
@@ -0,0 +1,70 @@
+---
+# task/generate_nomad for hashistack_ca
+- name: "Nomad leaf certificates | Create certificate directory in for nomad servers"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_nomad_dir }}"
+ state: directory
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0755"
+
+- name: "Nomad leaf certificates | Create Nomad certificates"
+ block:
+ - name: "Nomad leaf certificates | Create Nomad certificate keys"
+ community.crypto.openssl_privatekey:
+ path: "{{ hashistack_ca_nomad_key_path }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+
+ - name: "Nomad leaf certificates | Create CSRs for Nomad servers"
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "{{ hashistack_ca_nomad_key_path }}"
+ common_name: "{{ hashistack_ca_nomad_common_name }}"
+ subject_alt_name: "{{ hashistack_ca_nomad_csr_sans }}"
+ key_usage_critical: true
+ key_usage:
+ - Digital Signature
+ - Key Encipherment
+ - Key Agreement
+ extended_key_usage:
+ - TLS Web Server Authentication
+ - TLS Web Client Authentication
+ organization_name: "{{ hashistack_ca_nomad_org_name }}"
+ use_common_name_for_san: false
+ register: _hashistack_ca_nomad_csr
+
+ - name: "Nomad leaf certificates | Sign certificates with internal CA"
+ community.crypto.x509_certificate:
+ path: "{{ hashistack_ca_nomad_cert_path }}"
+ csr_content: "{{ _hashistack_ca_nomad_csr.csr }}"
+ provider: ownca
+ ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
+ ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
+ ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
+ ownca_not_before: "-1d"
+
+ - name: "Nomad leaf certificates | Generate fullchain certificate"
+ block:
+ - name: "Nomad leaf certificates | Read content of root ca certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_root_key_path }}"
+ register: _hashistack_ca_root_crt
+
+ - name: "Nomad leaf certificates | Read content of intermediate ca certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_crt
+
+ - name: "Nomad leaf certificates | Read content of leaf certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_nomad_cert_path }}"
+ register: _hashistack_ca_nomad_crt
+
+ - name: "Nomad leaf certificates | Concatenate certificates"
+ ansible.builtin.copy:
+ content: |
+ {{ _hashistack_ca_nomad_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
+ dest: "{{ hashistack_ca_nomad_fullchain_path }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0644"
diff --git a/roles/hashistack_ca/tasks/generate/generate_root.yml b/roles/hashistack_ca/tasks/generate/generate_root.yml
index 796db1e..9711c1b 100644
--- a/roles/hashistack_ca/tasks/generate/generate_root.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_root.yml
@@ -4,20 +4,18 @@
 ansible.builtin.file:
 path: "{{ hashistack_ca_root_dir }}"
 state: directory
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
 mode: "0755"
- delegate_to: localhost
 - name: "Root CA | Generate root Authority"
- delegate_to: localhost
 run_once: true
 block:
 - name: "Root CA | Create CA private key"
 community.crypto.openssl_privatekey:
 path: "{{ hashistack_ca_root_key_path }}"
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
 - name: "Root CA | Create CA signing request"
 community.crypto.openssl_csr_pipe:
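Review bot: The "Sign certificates with internal CA" task in generate_nomad.yml sets no `owner`, `group` or `mode` on `hashistack_ca_nomad_cert_path`, whereas the Consul and Vault counterparts in this commit set all three (`owner`/`group` to `hashistack_ca_directory_owner`, `mode: "0644"`), so the Nomad certificate ends up with whatever ownership and permissions the executing user gives it. Adding the same three lines after `ownca_not_before: "-1d"` keeps the three task files consistent. The root-key slurp noted on generate_consul.yml applies to this file's "Read content of root ca certificate" task as well.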
@@ -42,8 +40,8 @@
 csr_content: "{{ _hashistack_root_ca_csr.csr }}"
 privatekey_path: "{{ hashistack_ca_root_key_path }}"
 provider: selfsigned
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
 - name: "Root CA | Create self-signed CA certificate from CSR"
 community.crypto.x509_certificate:
@@ -52,5 +50,5 @@
 privatekey_path: "{{ hashistack_ca_root_key_path }}"
 selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}"
 provider: selfsigned
- owner: "{{ lookup('env', 'USER') }}"
- group: "{{ lookup('env', 'USER') }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_vault.yml b/roles/hashistack_ca/tasks/generate/generate_vault.yml
index e69de29..abb42f5 100644
--- a/roles/hashistack_ca/tasks/generate/generate_vault.yml
+++ b/roles/hashistack_ca/tasks/generate/generate_vault.yml
@@ -0,0 +1,73 @@
+---
+# task/generate_vault for hashistack_ca
+- name: "Vault leaf certificates | Create certificate directory in for vault servers"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_vault_dir }}"
+ state: directory
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0755"
+
+- name: "Vault leaf certificates | Create Vault certificates"
+ block:
+ - name: "Vault leaf certificates | Create Vault certificate keys"
+ community.crypto.openssl_privatekey:
+ path: "{{ hashistack_ca_vault_key_path }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+
+ - name: "Vault leaf certificates | Create CSRs for Vault servers"
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "{{ hashistack_ca_vault_key_path }}"
+ common_name: "{{ hashistack_ca_vault_common_name }}"
+ subject_alt_name: "{{ hashistack_ca_vault_csr_sans }}"
+ key_usage_critical: true
+ key_usage:
+ - Digital Signature
+ - Key Encipherment
+ - Key Agreement
+ extended_key_usage:
+ - TLS Web Server Authentication
+ - TLS Web Client Authentication
+ organization_name: "{{ hashistack_ca_vault_org_name }}"
+ use_common_name_for_san: false
+ register: _hashistack_ca_vault_csr
+
+ - name: "Vault leaf certificates | Sign certificates with internal CA"
+ community.crypto.x509_certificate:
+ path: "{{ hashistack_ca_vault_cert_path }}"
+ csr_content: "{{ _hashistack_ca_vault_csr.csr }}"
+ provider: ownca
+ ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
+ ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
+ ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
+ ownca_not_before: "-1d"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0644"
+
+ - name: "Vault leaf certificates | Generate fullchain certificate"
+ block:
+ - name: "Vault leaf certificates | Read content of root ca certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_root_key_path }}"
+ register: _hashistack_ca_root_crt
+
+ - name: "Vault leaf certificates | Read content of intermediate ca certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_crt
+
+ - name: "Vault leaf certificates | Read content of leaf certificate"
+ ansible.builtin.slurp:
+ src: "{{ hashistack_ca_vault_cert_path }}"
+ register: _hashistack_ca_vault_crt
+
+ - name: "Vault leaf certificates | Concatenate certificates"
+ ansible.builtin.copy:
+ content: |
+ {{ _hashistack_ca_vault_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
+ dest: "{{ hashistack_ca_vault_fullchain_path }}"
+ owner: "{{ hashistack_ca_directory_owner }}"
+ group: "{{ hashistack_ca_directory_owner }}"
+ mode: "0644"
diff --git a/roles/hashistack_ca/tasks/main.yml b/roles/hashistack_ca/tasks/main.yml
index 4cdd3db..ac20f28 100644
--- a/roles/hashistack_ca/tasks/main.yml
+++ b/roles/hashistack_ca/tasks/main.yml
@@ -21,3 +21,21 @@
 - name: "CA | Import cleanup_backups.yml"
 ansible.builtin.include_tasks: cleanup_backups.yml
+
+- name: "Consul leaf certificates | Import generate/generate_consul.yml"
+ ansible.builtin.include_tasks: generate/generate_consul.yml
+ when:
+ - hashistack_ca_generate_leaf
+ - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
+
+- name: "Nomad leaf certificates | Import generate/generate_nomad.yml"
+ ansible.builtin.include_tasks: generate/generate_nomad.yml
+ when:
+ - hashistack_ca_generate_leaf
+ - "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
+
+- name: "Vault leaf certificates | Import generate/generate_vault.yml"
+ ansible.builtin.include_tasks: generate/generate_vault.yml
+ when:
+ - hashistack_ca_generate_leaf
+ - "'vault_servers' in group_names"
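Review bot: These three includes only ever create leaf certificates; nothing in the diff consumes `hashistack_ca_leaf_renew_threshold` or the new `hashistack_ca_renew_leaf` flag, and `community.crypto.x509_certificate` with `provider: ownca` treats an existing certificate that matches the CSR as up to date (its `ignore_timestamps` default means remaining validity is not a regeneration trigger), so a leaf issued for `hashistack_ca_leaf_valid_for` is not re-issued as it approaches expiry. A renew/renew_leaf.yml mirroring renew_intermediate.yml and gated on `hashistack_ca_renew_leaf` is needed before `leaf_cert` can run unattended; until then a comment above the first include, `# Leaf certificates are only created here; renewal is not implemented yet`, would set expectations. As a style point, `hashistack_ca_generate_leaf` is repeated in all three `when` lists and the Vault condition uses a different form from the other two; a single block with the shared condition would read more uniformly.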
diff --git a/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml b/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml index f85c1a6..70dd013 100644 --- a/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml +++ b/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml @@ -18,8 +18,8 @@ ansible.builtin.file: path: "{{ hashistack_ca_public_dir }}" state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" + owner: "{{ hashistack_ca_directory_owner }}" + group: "{{ hashistack_ca_directory_owner }}" mode: 0755 delegate_to: localhost @@ -27,8 +27,8 @@ ansible.builtin.copy: src: "{{ item.path }}" dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" + owner: "{{ hashistack_ca_directory_owner }}" + group: "{{ hashistack_ca_directory_owner }}" mode: 0644 loop: "{{ hashistack_ca_root_dir_files.files }}" delegate_to: localhost diff --git a/roles/hashistack_ca/tasks/renew/renew_intermediate.yml b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml index 6eb616c..2240733 100644 --- a/roles/hashistack_ca/tasks/renew/renew_intermediate.yml +++ b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml @@ -49,8 +49,8 @@ ansible.builtin.file: path: "{{ hashistack_ca_intermediate_backup_dir }}" state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" + owner: "{{ hashistack_ca_directory_owner }}" + group: "{{ hashistack_ca_directory_owner }}" mode: "0755" - name: "Intermediate CA | Format expiration date for backup" diff --git a/roles/hashistack_ca/tasks/renew/renew_root.yml b/roles/hashistack_ca/tasks/renew/renew_root.yml index d4b345d..e2593fd 100644 --- a/roles/hashistack_ca/tasks/renew/renew_root.yml +++ b/roles/hashistack_ca/tasks/renew/renew_root.yml 
@@ -23,10 +23,6 @@ ansible.builtin.set_fact: _hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}" - - name: "Root CA | Debug certificate expiration status" - ansible.builtin.debug: - msg: "Is root CA certificate expiring soon? {{ _hashistack_ca_is_expiring_soon }}" - - name: "Root CA | Renew CA if expiring soon" when: - _hashistack_ca_is_expiring_soon @@ -36,8 +32,8 @@ ansible.builtin.file: path: "{{ hashistack_ca_root_backup_dir }}" state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" + owner: "{{ hashistack_ca_directory_owner }}" + group: "{{ hashistack_ca_directory_owner }}" mode: "0755" - name: "Root CA | Format expiration date for backup" diff --git a/roles/hashistack_ca/vars/main.yml b/roles/hashistack_ca/vars/main.yml index a5e766a..290cdc9 100644 --- a/roles/hashistack_ca/vars/main.yml +++ b/roles/hashistack_ca/vars/main.yml @@ -5,8 +5,10 @@ hashistack_ca_action_list: "{{ hashistack_ca_action.split(',') }}" # possible actions hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}" hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}" -hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}" +hashistack_ca_generate_leaf: "{{ 'leaf_cert' in hashistack_ca_action_list }}" hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}" +hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}" +hashistack_ca_renew_leaf: "{{ 'renew_leaf' in hashistack_ca_action_list }}" hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca" 
@@ -20,3 +22,18 @@ hashistack_ca_intermediate_backup_dir: "{{ hashistack_ca_intermediate_dir }}/bac hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key" hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr" hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt" + +hashistack_ca_consul_dir: "{{ hashistack_ca_directory }}/consul/{{ inventory_hostname }}" +hashistack_ca_consul_key_path: "{{ hashistack_ca_consul_dir }}/cert.key" +hashistack_ca_consul_cert_path: "{{ hashistack_ca_consul_dir }}/cert.crt" +hashistack_ca_consul_fullchain_path: "{{ hashistack_ca_consul_dir }}/fullchain.crt" + +hashistack_ca_nomad_dir: "{{ hashistack_ca_directory }}/nomad/{{ inventory_hostname }}" +hashistack_ca_nomad_key_path: "{{ hashistack_ca_nomad_dir }}/cert.key" +hashistack_ca_nomad_cert_path: "{{ hashistack_ca_nomad_dir }}/cert.crt" +hashistack_ca_nomad_fullchain_path: "{{ hashistack_ca_nomad_dir }}/fullchain.crt" + +hashistack_ca_vault_dir: "{{ hashistack_ca_directory }}/vault/{{ inventory_hostname }}" +hashistack_ca_vault_key_path: "{{ hashistack_ca_vault_dir }}/cert.key" +hashistack_ca_vault_cert_path: "{{ hashistack_ca_vault_dir }}/cert.crt" +hashistack_ca_vault_fullchain_path: "{{ hashistack_ca_vault_dir }}/fullchain.crt"