feat: add leaf certificate genearation
This commit is contained in:
parent
9371296d80
commit
d194e5ef23
@ -6,3 +6,5 @@
|
|||||||
- name: "Include ednz_cloud.hashistack.hashistack_ca"
|
- name: "Include ednz_cloud.hashistack.hashistack_ca"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: "ednz_cloud.hashistack.hashistack_ca"
|
name: "ednz_cloud.hashistack.hashistack_ca"
|
||||||
|
apply:
|
||||||
|
delegate_to: localhost
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
# defaults file for hashistack_ca
|
|
||||||
hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates"
|
hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates"
|
||||||
hashistack_ca_use_cryptography: false
|
hashistack_ca_use_cryptography: false
|
||||||
hashistack_ca_action: "noop"
|
hashistack_ca_action: "noop"
|
||||||
hashistack_ca_domain: ednz.fr
|
hashistack_ca_domain: ednz.fr
|
||||||
|
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
# Root Certificate Authority #
|
# Root Certificate Authority #
|
||||||
@ -26,8 +26,8 @@ hashistack_ca_root_state_or_province_name:
|
|||||||
hashistack_ca_root_email_address:
|
hashistack_ca_root_email_address:
|
||||||
|
|
||||||
# Validity
|
# Validity
|
||||||
hashistack_ca_root_valid_for: 0d
|
hashistack_ca_root_valid_for: 1825d
|
||||||
hashistack_ca_root_renew_threshold: 0d
|
hashistack_ca_root_renew_threshold: 180d
|
||||||
|
|
||||||
######################################
|
######################################
|
||||||
# Intermediate Certificate Authority #
|
# Intermediate Certificate Authority #
|
||||||
@ -56,12 +56,56 @@ hashistack_ca_intermediate_renew_threshold: 90d
|
|||||||
|
|
||||||
# Name Constraints
|
# Name Constraints
|
||||||
hashistack_ca_intermediate_name_constraints_permitted:
|
hashistack_ca_intermediate_name_constraints_permitted:
|
||||||
|
- "DNS:.{{ hashistack_ca_domain }}"
|
||||||
- DNS:.nomad
|
- DNS:.nomad
|
||||||
- DNS:.consul
|
- DNS:.consul
|
||||||
- DNS:.example.com
|
|
||||||
- DNS:localhost
|
- DNS:localhost
|
||||||
- IP:192.168.0.0/16
|
- IP:192.168.0.0/16
|
||||||
- IP:172.16.0.0/16
|
- IP:172.16.0.0/16
|
||||||
- IP:10.0.0.0/8
|
- IP:10.0.0.0/8
|
||||||
- IP:127.0.0.0/8
|
- IP:127.0.0.0/8
|
||||||
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# Leaf certificates #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
hashistack_ca_leaf_valid_for: 90d
|
||||||
|
hashistack_ca_leaf_renew_threshold: 30d
|
||||||
|
|
||||||
|
############################
|
||||||
|
# Consul Leaf Certificates #
|
||||||
|
############################
|
||||||
|
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_consul_csr_sans:
|
||||||
|
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
|
||||||
|
- "DNS:consul.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:127.0.0.1"
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Nomad Leaf Certificates #
|
||||||
|
###########################
|
||||||
|
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_nomad_csr_sans:
|
||||||
|
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
|
||||||
|
- DNS:server.global.nomad
|
||||||
|
- DNS:client.global.nomad
|
||||||
|
- "DNS:nomad.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:127.0.0.1"
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Vault Leaf Certificates #
|
||||||
|
###########################
|
||||||
|
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_vault_csr_sans:
|
||||||
|
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
|
||||||
|
- "DNS:vault.service.consul"
|
||||||
|
- "DNS:active.vault.service.consul"
|
||||||
|
- "DNS:standby.vault.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:127.0.0.1"
|
||||||
|
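Review bot: The two nomad SAN entries `- DNS:server.global.nomad` and `- DNS:client.global.nomad` are the only unquoted items in the new `hashistack_ca_*_csr_sans` lists; quote them like the surrounding entries so the lists read uniformly and a later entry containing `: ` or ` #` cannot be mis-parsed. Separately, the `IP:172.16.0.0/16` line just below the new `DNS:.{{ hashistack_ca_domain }}` constraint is context rather than part of this change, but it permits only 172.16.0.0–172.16.255.255; if the intent is the RFC 1918 block alongside `10.0.0.0/8` and `192.168.0.0/16`, it should read `- IP:172.16.0.0/12`. The defaults file continues to the new leaf section, which ends with this hunk.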
@ -6,7 +6,7 @@ dependency:
|
|||||||
driver:
|
driver:
|
||||||
name: docker
|
name: docker
|
||||||
platforms:
|
platforms:
|
||||||
- name: instance
|
- name: consul-vault
|
||||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||||
command: ""
|
command: ""
|
||||||
volumes:
|
volumes:
|
||||||
@ -14,6 +14,34 @@ platforms:
|
|||||||
cgroupns_mode: host
|
cgroupns_mode: host
|
||||||
privileged: true
|
privileged: true
|
||||||
pre_build_image: true
|
pre_build_image: true
|
||||||
|
groups:
|
||||||
|
- common
|
||||||
|
- consul_servers
|
||||||
|
- vault_servers
|
||||||
|
- name: vault-nomad
|
||||||
|
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||||
|
command: ""
|
||||||
|
volumes:
|
||||||
|
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||||
|
cgroupns_mode: host
|
||||||
|
privileged: true
|
||||||
|
pre_build_image: true
|
||||||
|
groups:
|
||||||
|
- common
|
||||||
|
- nomad_clients
|
||||||
|
- vault_servers
|
||||||
|
- name: nomad-consul
|
||||||
|
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||||
|
command: ""
|
||||||
|
volumes:
|
||||||
|
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||||
|
cgroupns_mode: host
|
||||||
|
privileged: true
|
||||||
|
pre_build_image: true
|
||||||
|
groups:
|
||||||
|
- common
|
||||||
|
- nomad_clients
|
||||||
|
- consul_agents
|
||||||
provisioner:
|
provisioner:
|
||||||
name: ansible
|
name: ansible
|
||||||
config_options:
|
config_options:
|
||||||
|
@ -4,6 +4,7 @@ hashistack_ca_directory: "/etc/hashistack/certificates"
|
|||||||
hashistack_ca_use_cryptography: false
|
hashistack_ca_use_cryptography: false
|
||||||
hashistack_ca_action: "noop"
|
hashistack_ca_action: "noop"
|
||||||
hashistack_ca_domain: example.com
|
hashistack_ca_domain: example.com
|
||||||
|
hashistack_ca_directory_owner: root
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
# Root Certificate Authority #
|
# Root Certificate Authority #
|
||||||
@ -56,12 +57,53 @@ hashistack_ca_intermediate_renew_threshold: 90d
|
|||||||
|
|
||||||
# Name Constraints
|
# Name Constraints
|
||||||
hashistack_ca_intermediate_name_constraints_permitted:
|
hashistack_ca_intermediate_name_constraints_permitted:
|
||||||
|
- "DNS:.{{ hashistack_ca_domain }}"
|
||||||
- DNS:.nomad
|
- DNS:.nomad
|
||||||
- DNS:.consul
|
- DNS:.consul
|
||||||
- DNS:.example.com
|
|
||||||
- DNS:localhost
|
- DNS:localhost
|
||||||
- IP:192.168.0.0/16
|
- IP:192.168.0.0/16
|
||||||
- IP:172.16.0.0/16
|
- IP:172.16.0.0/16
|
||||||
- IP:10.0.0.0/8
|
- IP:10.0.0.0/8
|
||||||
- IP:127.0.0.0/8
|
- IP:127.0.0.0/8
|
||||||
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# Leaf certificates #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
hashistack_ca_leaf_valid_for: 90d
|
||||||
|
hashistack_ca_leaf_renew_threshold: 30d
|
||||||
|
|
||||||
|
############################
|
||||||
|
# Consul Leaf Certificates #
|
||||||
|
############################
|
||||||
|
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_consul_csr_sans:
|
||||||
|
- "DNS:consul.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:127.0.0.1"
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Nomad Leaf Certificates #
|
||||||
|
###########################
|
||||||
|
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_nomad_csr_sans:
|
||||||
|
- DNS:server.global.nomad
|
||||||
|
- DNS:client.global.nomad
|
||||||
|
- "DNS:nomad.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:127.0.0.1"
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Vault Leaf Certificates #
|
||||||
|
###########################
|
||||||
|
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_vault_csr_sans:
|
||||||
|
- "DNS:vault.service.consul"
|
||||||
|
- "DNS:active.vault.service.consul"
|
||||||
|
- "DNS:standby.vault.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:127.0.0.1"
|
||||||
|
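Review bot: This test copy of the defaults omits the `- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"` entry that the role defaults put first in each `*_csr_sans` list, so the molecule run never exercises a hostname SAN against the new `DNS:.{{ hashistack_ca_domain }}` name constraint, which is exactly the entry that fails when inventory hostnames and `hashistack_ca_domain` disagree. Adding that line to the consul, nomad and vault lists here keeps the test vars aligned with the defaults. The same unquoted `DNS:server.global.nomad` / `DNS:client.global.nomad` entries as in the defaults appear here too.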
@ -0,0 +1,73 @@
|
|||||||
|
---
|
||||||
|
# task/generate_consul for hashistack_ca
|
||||||
|
- name: "Consul leaf certificates | Create certificate directory in for consul servers"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ hashistack_ca_consul_dir }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Create Consul certificates"
|
||||||
|
block:
|
||||||
|
- name: "Consul leaf certificates | Create Consul certificate keys"
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ hashistack_ca_consul_key_path }}"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Create CSRs for Consul servers"
|
||||||
|
community.crypto.openssl_csr_pipe:
|
||||||
|
privatekey_path: "{{ hashistack_ca_consul_key_path }}"
|
||||||
|
common_name: "{{ hashistack_ca_consul_common_name }}"
|
||||||
|
subject_alt_name: "{{ hashistack_ca_consul_csr_sans }}"
|
||||||
|
key_usage_critical: true
|
||||||
|
key_usage:
|
||||||
|
- Digital Signature
|
||||||
|
- Key Encipherment
|
||||||
|
- Key Agreement
|
||||||
|
extended_key_usage:
|
||||||
|
- TLS Web Server Authentication
|
||||||
|
- TLS Web Client Authentication
|
||||||
|
organization_name: "{{ hashistack_ca_consul_org_name }}"
|
||||||
|
use_common_name_for_san: false
|
||||||
|
register: _hashistack_ca_consul_csr
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Sign certificates with internal CA"
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ hashistack_ca_consul_cert_path }}"
|
||||||
|
csr_content: "{{ _hashistack_ca_consul_csr.csr }}"
|
||||||
|
provider: ownca
|
||||||
|
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
|
||||||
|
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
|
||||||
|
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
|
||||||
|
ownca_not_before: "-1d"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Generate fullchain certificate"
|
||||||
|
block:
|
||||||
|
- name: "Consul leaf certificates | Read content of root ca certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_root_key_path }}"
|
||||||
|
register: _hashistack_ca_root_crt
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Read content of intermediate ca certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_intermediate_cert_path }}"
|
||||||
|
register: _hashistack_ca_intermediate_crt
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Read content of leaf certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_consul_cert_path }}"
|
||||||
|
register: _hashistack_ca_consul_crt
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Concatenate certificates"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
{{ _hashistack_ca_consul_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
|
||||||
|
dest: "{{ hashistack_ca_consul_fullchain_path }}"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0644"
|
@ -4,19 +4,17 @@
|
|||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ hashistack_ca_intermediate_dir }}"
|
path: "{{ hashistack_ca_intermediate_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Intermediate CA | Generate internal certificates"
|
- name: "Intermediate CA | Generate internal certificates"
|
||||||
delegate_to: localhost
|
|
||||||
block:
|
block:
|
||||||
- name: "Intermediate CA | Create intermediate CA private key"
|
- name: "Intermediate CA | Create intermediate CA private key"
|
||||||
community.crypto.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
path: "{{ hashistack_ca_intermediate_key_path }}"
|
path: "{{ hashistack_ca_intermediate_key_path }}"
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
|
||||||
- name: "Intermediate CA | Create intermediate CA signing request"
|
- name: "Intermediate CA | Create intermediate CA signing request"
|
||||||
community.crypto.openssl_csr_pipe:
|
community.crypto.openssl_csr_pipe:
|
||||||
@ -44,6 +42,6 @@
|
|||||||
ownca_path: "{{ hashistack_ca_root_cert_path }}"
|
ownca_path: "{{ hashistack_ca_root_cert_path }}"
|
||||||
ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}"
|
ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}"
|
||||||
provider: ownca
|
provider: ownca
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}"
|
ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}"
|
||||||
|
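Review bot: Dropping `delegate_to: localhost` from the directory task and from the "Generate internal certificates" block leaves these tasks running on whichever host the role is applied to, relying on the `apply: delegate_to: localhost` added to the include_role in the first hunk of this commit; any other entry into the role (a plain `roles:` entry, or an include without `apply`) will now create the intermediate CA key on the managed nodes rather than on the controller. Unlike the root CA task, which carries `run_once: true`, the intermediate block shows no `run_once` in this hunk, so with several hosts in the play it executes once per host against the same localhost paths; if it is not set on a line outside the hunk, add `run_once: true` under the task name for consistency with the root task. The block body continues past the end of the hunk.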
@ -0,0 +1,70 @@
|
|||||||
|
---
|
||||||
|
# task/generate_nomad for hashistack_ca
|
||||||
|
- name: "Nomad leaf certificates | Create certificate directory in for nomad servers"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ hashistack_ca_nomad_dir }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Create Nomad certificates"
|
||||||
|
block:
|
||||||
|
- name: "Nomad leaf certificates | Create Nomad certificate keys"
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ hashistack_ca_nomad_key_path }}"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Create CSRs for Nomad servers"
|
||||||
|
community.crypto.openssl_csr_pipe:
|
||||||
|
privatekey_path: "{{ hashistack_ca_nomad_key_path }}"
|
||||||
|
common_name: "{{ hashistack_ca_nomad_common_name }}"
|
||||||
|
subject_alt_name: "{{ hashistack_ca_nomad_csr_sans }}"
|
||||||
|
key_usage_critical: true
|
||||||
|
key_usage:
|
||||||
|
- Digital Signature
|
||||||
|
- Key Encipherment
|
||||||
|
- Key Agreement
|
||||||
|
extended_key_usage:
|
||||||
|
- TLS Web Server Authentication
|
||||||
|
- TLS Web Client Authentication
|
||||||
|
organization_name: "{{ hashistack_ca_nomad_org_name }}"
|
||||||
|
use_common_name_for_san: false
|
||||||
|
register: _hashistack_ca_nomad_csr
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Sign certificates with internal CA"
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ hashistack_ca_nomad_cert_path }}"
|
||||||
|
csr_content: "{{ _hashistack_ca_nomad_csr.csr }}"
|
||||||
|
provider: ownca
|
||||||
|
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
|
||||||
|
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
|
||||||
|
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
|
||||||
|
ownca_not_before: "-1d"
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Generate fullchain certificate"
|
||||||
|
block:
|
||||||
|
- name: "Nomad leaf certificates | Read content of root ca certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_root_key_path }}"
|
||||||
|
register: _hashistack_ca_root_crt
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Read content of intermediate ca certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_intermediate_cert_path }}"
|
||||||
|
register: _hashistack_ca_intermediate_crt
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Read content of leaf certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_nomad_cert_path }}"
|
||||||
|
register: _hashistack_ca_nomad_crt
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Concatenate certificates"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
{{ _hashistack_ca_nomad_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
|
||||||
|
dest: "{{ hashistack_ca_nomad_fullchain_path }}"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0644"
|
@ -4,20 +4,18 @@
|
|||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ hashistack_ca_root_dir }}"
|
path: "{{ hashistack_ca_root_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Root CA | Generate root Authority"
|
- name: "Root CA | Generate root Authority"
|
||||||
delegate_to: localhost
|
|
||||||
run_once: true
|
run_once: true
|
||||||
block:
|
block:
|
||||||
- name: "Root CA | Create CA private key"
|
- name: "Root CA | Create CA private key"
|
||||||
community.crypto.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
path: "{{ hashistack_ca_root_key_path }}"
|
path: "{{ hashistack_ca_root_key_path }}"
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
|
||||||
- name: "Root CA | Create CA signing request"
|
- name: "Root CA | Create CA signing request"
|
||||||
community.crypto.openssl_csr_pipe:
|
community.crypto.openssl_csr_pipe:
|
||||||
@ -42,8 +40,8 @@
|
|||||||
csr_content: "{{ _hashistack_root_ca_csr.csr }}"
|
csr_content: "{{ _hashistack_root_ca_csr.csr }}"
|
||||||
privatekey_path: "{{ hashistack_ca_root_key_path }}"
|
privatekey_path: "{{ hashistack_ca_root_key_path }}"
|
||||||
provider: selfsigned
|
provider: selfsigned
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
|
||||||
- name: "Root CA | Create self-signed CA certificate from CSR"
|
- name: "Root CA | Create self-signed CA certificate from CSR"
|
||||||
community.crypto.x509_certificate:
|
community.crypto.x509_certificate:
|
||||||
@ -52,5 +50,5 @@
|
|||||||
privatekey_path: "{{ hashistack_ca_root_key_path }}"
|
privatekey_path: "{{ hashistack_ca_root_key_path }}"
|
||||||
selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}"
|
selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}"
|
||||||
provider: selfsigned
|
provider: selfsigned
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
@ -0,0 +1,73 @@
|
|||||||
|
---
|
||||||
|
# task/generate_vault for hashistack_ca
|
||||||
|
- name: "Vault leaf certificates | Create certificate directory in for vault servers"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ hashistack_ca_vault_dir }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Create Vault certificates"
|
||||||
|
block:
|
||||||
|
- name: "Vault leaf certificates | Create Vault certificate keys"
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ hashistack_ca_vault_key_path }}"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Create CSRs for Vault servers"
|
||||||
|
community.crypto.openssl_csr_pipe:
|
||||||
|
privatekey_path: "{{ hashistack_ca_vault_key_path }}"
|
||||||
|
common_name: "{{ hashistack_ca_vault_common_name }}"
|
||||||
|
subject_alt_name: "{{ hashistack_ca_vault_csr_sans }}"
|
||||||
|
key_usage_critical: true
|
||||||
|
key_usage:
|
||||||
|
- Digital Signature
|
||||||
|
- Key Encipherment
|
||||||
|
- Key Agreement
|
||||||
|
extended_key_usage:
|
||||||
|
- TLS Web Server Authentication
|
||||||
|
- TLS Web Client Authentication
|
||||||
|
organization_name: "{{ hashistack_ca_vault_org_name }}"
|
||||||
|
use_common_name_for_san: false
|
||||||
|
register: _hashistack_ca_vault_csr
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Sign certificates with internal CA"
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ hashistack_ca_vault_cert_path }}"
|
||||||
|
csr_content: "{{ _hashistack_ca_vault_csr.csr }}"
|
||||||
|
provider: ownca
|
||||||
|
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
|
||||||
|
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
|
||||||
|
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
|
||||||
|
ownca_not_before: "-1d"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Generate fullchain certificate"
|
||||||
|
block:
|
||||||
|
- name: "Vault leaf certificates | Read content of root ca certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_root_key_path }}"
|
||||||
|
register: _hashistack_ca_root_crt
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Read content of intermediate ca certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_intermediate_cert_path }}"
|
||||||
|
register: _hashistack_ca_intermediate_crt
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Read content of leaf certificate"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_vault_cert_path }}"
|
||||||
|
register: _hashistack_ca_vault_crt
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Concatenate certificates"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
{{ _hashistack_ca_vault_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
|
||||||
|
dest: "{{ hashistack_ca_vault_fullchain_path }}"
|
||||||
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
|
mode: "0644"
|
@ -21,3 +21,21 @@
|
|||||||
|
|
||||||
- name: "CA | Import cleanup_backups.yml"
|
- name: "CA | Import cleanup_backups.yml"
|
||||||
ansible.builtin.include_tasks: cleanup_backups.yml
|
ansible.builtin.include_tasks: cleanup_backups.yml
|
||||||
|
|
||||||
|
- name: "Consul leaf certificates | Import generate/generate_consul.yml"
|
||||||
|
ansible.builtin.include_tasks: generate/generate_consul.yml
|
||||||
|
when:
|
||||||
|
- hashistack_ca_generate_leaf
|
||||||
|
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
||||||
|
|
||||||
|
- name: "Nomad leaf certificates | Import generate/generate_nomad.yml"
|
||||||
|
ansible.builtin.include_tasks: generate/generate_nomad.yml
|
||||||
|
when:
|
||||||
|
- hashistack_ca_generate_leaf
|
||||||
|
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
|
||||||
|
|
||||||
|
- name: "Vault leaf certificates | Import generate/generate_vault.yml"
|
||||||
|
ansible.builtin.include_tasks: generate/generate_vault.yml
|
||||||
|
when:
|
||||||
|
- hashistack_ca_generate_leaf
|
||||||
|
- "'vault_servers' in group_names"
|
||||||
|
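Review bot: The three new includes are gated only on `hashistack_ca_generate_leaf`; the `hashistack_ca_renew_leaf` flag and `hashistack_ca_leaf_renew_threshold` introduced elsewhere in this commit have no consumer in this file, so a `renew_leaf` action is accepted by the action list but does nothing. If leaf renewal is meant to follow in a later change, a comment such as `# TODO: renew_leaf is parsed but not yet wired to a task file` above the consul include would stop callers from relying on it; otherwise the var should not be exposed yet. Note also that the molecule platforms added in this commit put no host in `nomad_servers`, so that branch of the nomad `when` condition is untested.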
@ -18,8 +18,8 @@
|
|||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ hashistack_ca_public_dir }}"
|
path: "{{ hashistack_ca_public_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
@ -27,8 +27,8 @@
|
|||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: "{{ item.path }}"
|
src: "{{ item.path }}"
|
||||||
dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}"
|
dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}"
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
loop: "{{ hashistack_ca_root_dir_files.files }}"
|
loop: "{{ hashistack_ca_root_dir_files.files }}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -49,8 +49,8 @@
|
|||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ hashistack_ca_intermediate_backup_dir }}"
|
path: "{{ hashistack_ca_intermediate_backup_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: "Intermediate CA | Format expiration date for backup"
|
- name: "Intermediate CA | Format expiration date for backup"
|
||||||
|
@ -23,10 +23,6 @@
|
|||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
_hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}"
|
_hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}"
|
||||||
|
|
||||||
- name: "Root CA | Debug certificate expiration status"
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "Is root CA certificate expiring soon? {{ _hashistack_ca_is_expiring_soon }}"
|
|
||||||
|
|
||||||
- name: "Root CA | Renew CA if expiring soon"
|
- name: "Root CA | Renew CA if expiring soon"
|
||||||
when:
|
when:
|
||||||
- _hashistack_ca_is_expiring_soon
|
- _hashistack_ca_is_expiring_soon
|
||||||
@ -36,8 +32,8 @@
|
|||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ hashistack_ca_root_backup_dir }}"
|
path: "{{ hashistack_ca_root_backup_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ hashistack_ca_directory_owner }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ hashistack_ca_directory_owner }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: "Root CA | Format expiration date for backup"
|
- name: "Root CA | Format expiration date for backup"
|
||||||
|
@ -5,8 +5,10 @@ hashistack_ca_action_list: "{{ hashistack_ca_action.split(',') }}"
|
|||||||
# possible actions
|
# possible actions
|
||||||
hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}"
|
hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}"
|
||||||
hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}"
|
hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}"
|
||||||
hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}"
|
hashistack_ca_generate_leaf: "{{ 'leaf_cert' in hashistack_ca_action_list }}"
|
||||||
hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}"
|
hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}"
|
||||||
|
hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}"
|
||||||
|
hashistack_ca_renew_leaf: "{{ 'renew_leaf' in hashistack_ca_action_list }}"
|
||||||
|
|
||||||
hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca"
|
hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca"
|
||||||
|
|
||||||
@ -20,3 +22,18 @@ hashistack_ca_intermediate_backup_dir: "{{ hashistack_ca_intermediate_dir }}/bac
|
|||||||
hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key"
|
hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key"
|
||||||
hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr"
|
hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr"
|
||||||
hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt"
|
hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt"
|
||||||
|
|
||||||
|
hashistack_ca_consul_dir: "{{ hashistack_ca_directory }}/consul/{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_consul_key_path: "{{ hashistack_ca_consul_dir }}/cert.key"
|
||||||
|
hashistack_ca_consul_cert_path: "{{ hashistack_ca_consul_dir }}/cert.crt"
|
||||||
|
hashistack_ca_consul_fullchain_path: "{{ hashistack_ca_consul_dir }}/fullchain.crt"
|
||||||
|
|
||||||
|
hashistack_ca_nomad_dir: "{{ hashistack_ca_directory }}/nomad/{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_nomad_key_path: "{{ hashistack_ca_nomad_dir }}/cert.key"
|
||||||
|
hashistack_ca_nomad_cert_path: "{{ hashistack_ca_nomad_dir }}/cert.crt"
|
||||||
|
hashistack_ca_nomad_fullchain_path: "{{ hashistack_ca_nomad_dir }}/fullchain.crt"
|
||||||
|
|
||||||
|
hashistack_ca_vault_dir: "{{ hashistack_ca_directory }}/vault/{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_vault_key_path: "{{ hashistack_ca_vault_dir }}/cert.key"
|
||||||
|
hashistack_ca_vault_cert_path: "{{ hashistack_ca_vault_dir }}/cert.crt"
|
||||||
|
hashistack_ca_vault_fullchain_path: "{{ hashistack_ca_vault_dir }}/fullchain.crt"
|
||||||
|