feat: add leaf certificate genearation

This commit is contained in:
Bertrand Lanson 2024-08-17 12:16:52 +02:00
parent 9371296d80
commit d194e5ef23
Signed by: lanson
SSH Key Fingerprint: SHA256:/nqc6HGqld/PS208F6FUOvZlUzTS0rGpNNwR5O2bQBw
14 changed files with 396 additions and 37 deletions


@ -6,3 +6,5 @@
- name: "Include ednz_cloud.hashistack.hashistack_ca" - name: "Include ednz_cloud.hashistack.hashistack_ca"
ansible.builtin.include_role: ansible.builtin.include_role:
name: "ednz_cloud.hashistack.hashistack_ca" name: "ednz_cloud.hashistack.hashistack_ca"
apply:
delegate_to: localhost
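Review bot: `apply: delegate_to: localhost` on this include is now the only thing that keeps CA material on the controller, because the per-task `delegate_to: localhost` lines are dropped from generate_root.yml and generate_intermediate.yml in the same commit. Any other caller that includes `ednz_cloud.hashistack.hashistack_ca` without this `apply` will generate the root and intermediate private keys on every managed host instead. A comment on the include such as `# the CA task files no longer delegate themselves; this apply keeps all key material on the controller` would record that coupling, and the role's README should state it as a requirement. The enclosing play starts before this hunk.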


@ -1,9 +1,9 @@
--- ---
# defaults file for hashistack_ca
hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates" hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates"
hashistack_ca_use_cryptography: false hashistack_ca_use_cryptography: false
hashistack_ca_action: "noop" hashistack_ca_action: "noop"
hashistack_ca_domain: ednz.fr hashistack_ca_domain: ednz.fr
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
############################## ##############################
# Root Certificate Authority # # Root Certificate Authority #
@ -26,8 +26,8 @@ hashistack_ca_root_state_or_province_name:
hashistack_ca_root_email_address: hashistack_ca_root_email_address:
# Validity # Validity
hashistack_ca_root_valid_for: 0d hashistack_ca_root_valid_for: 1825d
hashistack_ca_root_renew_threshold: 0d hashistack_ca_root_renew_threshold: 180d
###################################### ######################################
# Intermediate Certificate Authority # # Intermediate Certificate Authority #
@ -56,12 +56,56 @@ hashistack_ca_intermediate_renew_threshold: 90d
# Name Constraints # Name Constraints
hashistack_ca_intermediate_name_constraints_permitted: hashistack_ca_intermediate_name_constraints_permitted:
- "DNS:.{{ hashistack_ca_domain }}"
- DNS:.nomad - DNS:.nomad
- DNS:.consul - DNS:.consul
- DNS:.example.com
- DNS:localhost - DNS:localhost
- IP:192.168.0.0/16 - IP:192.168.0.0/16
- IP:172.16.0.0/16 - IP:172.16.0.0/16
- IP:10.0.0.0/8 - IP:10.0.0.0/8
- IP:127.0.0.0/8 - IP:127.0.0.0/8
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}" hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
#####################
# Leaf certificates #
#####################
hashistack_ca_leaf_valid_for: 90d
hashistack_ca_leaf_renew_threshold: 30d
############################
# Consul Leaf Certificates #
############################
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
hashistack_ca_consul_csr_sans:
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
- "DNS:consul.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
###########################
# Nomad Leaf Certificates #
###########################
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
hashistack_ca_nomad_csr_sans:
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
- DNS:server.global.nomad
- DNS:client.global.nomad
- "DNS:nomad.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
###########################
# Vault Leaf Certificates #
###########################
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
hashistack_ca_vault_csr_sans:
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
- "DNS:vault.service.consul"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
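Review bot: The Consul SAN defaults in `hashistack_ca_consul_csr_sans` carry no `server.<datacenter>.consul` name, while the Nomad list names both `server.global.nomad` and `client.global.nomad`; when Consul agents run with `verify_server_hostname`, server certificates lacking a `server.<dc>.<domain>` SAN are rejected, so an entry like `- "DNS:server.dc1.consul"` (datacenter to match the Consul configuration, which is not part of this commit) appears to belong here. `hashistack_ca_leaf_renew_threshold: 30d` is introduced but nothing visible in this commit reads it, so readers will assume a leaf renewal that does not yet exist; a comment such as `# not consumed yet: leaf renewal tasks are not implemented` or leaving it out until they land avoids that. The two Nomad entries `DNS:server.global.nomad` and `DNS:client.global.nomad` are the only unquoted SANs in the new lists; quoting them like the rest keeps the style uniform.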


@ -6,7 +6,7 @@ dependency:
driver: driver:
name: docker name: docker
platforms: platforms:
- name: instance - name: consul-vault
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: "" command: ""
volumes: volumes:
@ -14,6 +14,34 @@ platforms:
cgroupns_mode: host cgroupns_mode: host
privileged: true privileged: true
pre_build_image: true pre_build_image: true
groups:
- common
- consul_servers
- vault_servers
- name: vault-nomad
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
groups:
- common
- nomad_clients
- vault_servers
- name: nomad-consul
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
groups:
- common
- nomad_clients
- consul_agents
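Review bot: None of the three platforms is in `nomad_servers`, so the `('nomad_servers' in group_names)` branch of the new gating in tasks/main.yml is never exercised by this scenario; Nomad is only covered through `nomad_clients`. Adding `- nomad_servers` to one platform (for instance `vault-nomad`) would cover that branch with no extra container. A short comment above `platforms:` stating which role code path each host is meant to exercise would make the group assignments easier to keep in sync with the `when` clauses.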
provisioner: provisioner:
name: ansible name: ansible
config_options: config_options:


@ -4,6 +4,7 @@ hashistack_ca_directory: "/etc/hashistack/certificates"
hashistack_ca_use_cryptography: false hashistack_ca_use_cryptography: false
hashistack_ca_action: "noop" hashistack_ca_action: "noop"
hashistack_ca_domain: example.com hashistack_ca_domain: example.com
hashistack_ca_directory_owner: root
############################## ##############################
# Root Certificate Authority # # Root Certificate Authority #
@ -56,12 +57,53 @@ hashistack_ca_intermediate_renew_threshold: 90d
# Name Constraints # Name Constraints
hashistack_ca_intermediate_name_constraints_permitted: hashistack_ca_intermediate_name_constraints_permitted:
- "DNS:.{{ hashistack_ca_domain }}"
- DNS:.nomad - DNS:.nomad
- DNS:.consul - DNS:.consul
- DNS:.example.com
- DNS:localhost - DNS:localhost
- IP:192.168.0.0/16 - IP:192.168.0.0/16
- IP:172.16.0.0/16 - IP:172.16.0.0/16
- IP:10.0.0.0/8 - IP:10.0.0.0/8
- IP:127.0.0.0/8 - IP:127.0.0.0/8
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}" hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
#####################
# Leaf certificates #
#####################
hashistack_ca_leaf_valid_for: 90d
hashistack_ca_leaf_renew_threshold: 30d
############################
# Consul Leaf Certificates #
############################
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
hashistack_ca_consul_csr_sans:
- "DNS:consul.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
###########################
# Nomad Leaf Certificates #
###########################
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
hashistack_ca_nomad_csr_sans:
- DNS:server.global.nomad
- DNS:client.global.nomad
- "DNS:nomad.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
###########################
# Vault Leaf Certificates #
###########################
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
hashistack_ca_vault_csr_sans:
- "DNS:vault.service.consul"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
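Review bot: These test values diverge from the role defaults in one way that matters: the three `*_csr_sans` lists omit `- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"`, so the host FQDN SAN, the one entry that has to satisfy the `DNS:.{{ hashistack_ca_domain }}` name constraint on the intermediate, is never issued under test. Adding that line back to each of the three lists here would let the molecule run catch a constraint mismatch between defaults and the intermediate CA. This looks like the molecule copy of defaults/main.yml; its header is outside the hunk.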


@ -0,0 +1,73 @@
---
# task/generate_consul for hashistack_ca
- name: "Consul leaf certificates | Create certificate directory in for consul servers"
ansible.builtin.file:
path: "{{ hashistack_ca_consul_dir }}"
state: directory
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0755"
- name: "Consul leaf certificates | Create Consul certificates"
block:
- name: "Consul leaf certificates | Create Consul certificate keys"
community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_consul_key_path }}"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
- name: "Consul leaf certificates | Create CSRs for Consul servers"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ hashistack_ca_consul_key_path }}"
common_name: "{{ hashistack_ca_consul_common_name }}"
subject_alt_name: "{{ hashistack_ca_consul_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: "{{ hashistack_ca_consul_org_name }}"
use_common_name_for_san: false
register: _hashistack_ca_consul_csr
- name: "Consul leaf certificates | Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ hashistack_ca_consul_cert_path }}"
csr_content: "{{ _hashistack_ca_consul_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
ownca_not_before: "-1d"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0644"
- name: "Consul leaf certificates | Generate fullchain certificate"
block:
- name: "Consul leaf certificates | Read content of root ca certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_root_key_path }}"
register: _hashistack_ca_root_crt
- name: "Consul leaf certificates | Read content of intermediate ca certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_intermediate_cert_path }}"
register: _hashistack_ca_intermediate_crt
- name: "Consul leaf certificates | Read content of leaf certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_consul_cert_path }}"
register: _hashistack_ca_consul_crt
- name: "Consul leaf certificates | Concatenate certificates"
ansible.builtin.copy:
content: |
{{ _hashistack_ca_consul_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
dest: "{{ hashistack_ca_consul_fullchain_path }}"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0644"
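Review bot: The slurp in `Consul leaf certificates | Read content of root ca certificate` reads `src: "{{ hashistack_ca_root_key_path }}"`, the root CA private key rather than its certificate, so the concatenated `fullchain.crt` written with `mode: "0644"` carries the root key in a world-readable file; the source should be `src: "{{ hashistack_ca_root_cert_path }}"`. The identical slurp appears in generate_nomad.yml and generate_vault.yml. Any fullchain file produced by a run of this version should be treated as having exposed the root key, which would mean re-issuing the root rather than just fixing the path. Separately, the `community.crypto.openssl_privatekey` task sets owner and group but no `mode`; pinning `mode: "0600"` explicitly rather than relying on the module default makes the intent visible, in all three leaf task files.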


@ -4,19 +4,17 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ hashistack_ca_intermediate_dir }}" path: "{{ hashistack_ca_intermediate_dir }}"
state: directory state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
mode: "0755" mode: "0755"
delegate_to: localhost
- name: "Intermediate CA | Generate internal certificates" - name: "Intermediate CA | Generate internal certificates"
delegate_to: localhost
block: block:
- name: "Intermediate CA | Create intermediate CA private key" - name: "Intermediate CA | Create intermediate CA private key"
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_intermediate_key_path }}" path: "{{ hashistack_ca_intermediate_key_path }}"
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
- name: "Intermediate CA | Create intermediate CA signing request" - name: "Intermediate CA | Create intermediate CA signing request"
community.crypto.openssl_csr_pipe: community.crypto.openssl_csr_pipe:
@ -44,6 +42,6 @@
ownca_path: "{{ hashistack_ca_root_cert_path }}" ownca_path: "{{ hashistack_ca_root_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}" ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}"
provider: ownca provider: ownca
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}" ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}"


@ -0,0 +1,70 @@
---
# task/generate_nomad for hashistack_ca
- name: "Nomad leaf certificates | Create certificate directory in for nomad servers"
ansible.builtin.file:
path: "{{ hashistack_ca_nomad_dir }}"
state: directory
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0755"
- name: "Nomad leaf certificates | Create Nomad certificates"
block:
- name: "Nomad leaf certificates | Create Nomad certificate keys"
community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_nomad_key_path }}"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
- name: "Nomad leaf certificates | Create CSRs for Nomad servers"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ hashistack_ca_nomad_key_path }}"
common_name: "{{ hashistack_ca_nomad_common_name }}"
subject_alt_name: "{{ hashistack_ca_nomad_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: "{{ hashistack_ca_nomad_org_name }}"
use_common_name_for_san: false
register: _hashistack_ca_nomad_csr
- name: "Nomad leaf certificates | Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ hashistack_ca_nomad_cert_path }}"
csr_content: "{{ _hashistack_ca_nomad_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
ownca_not_before: "-1d"
- name: "Nomad leaf certificates | Generate fullchain certificate"
block:
- name: "Nomad leaf certificates | Read content of root ca certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_root_key_path }}"
register: _hashistack_ca_root_crt
- name: "Nomad leaf certificates | Read content of intermediate ca certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_intermediate_cert_path }}"
register: _hashistack_ca_intermediate_crt
- name: "Nomad leaf certificates | Read content of leaf certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_nomad_cert_path }}"
register: _hashistack_ca_nomad_crt
- name: "Nomad leaf certificates | Concatenate certificates"
ansible.builtin.copy:
content: |
{{ _hashistack_ca_nomad_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
dest: "{{ hashistack_ca_nomad_fullchain_path }}"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0644"
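Review bot: The `Nomad leaf certificates | Sign certificates with internal CA` task sets no `owner`, `group` or `mode` on the written certificate, unlike its counterparts in generate_consul.yml and generate_vault.yml, so `cert.crt` for Nomad takes whatever ownership and umask the delegated run happens to have. Adding `owner: "{{ hashistack_ca_directory_owner }}"`, `group: "{{ hashistack_ca_directory_owner }}"` and `mode: "0644"` under `ownca_not_before: "-1d"` brings the file in line with the other two.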


@ -4,20 +4,18 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ hashistack_ca_root_dir }}" path: "{{ hashistack_ca_root_dir }}"
state: directory state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
mode: "0755" mode: "0755"
delegate_to: localhost
- name: "Root CA | Generate root Authority" - name: "Root CA | Generate root Authority"
delegate_to: localhost
run_once: true run_once: true
block: block:
- name: "Root CA | Create CA private key" - name: "Root CA | Create CA private key"
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_root_key_path }}" path: "{{ hashistack_ca_root_key_path }}"
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
- name: "Root CA | Create CA signing request" - name: "Root CA | Create CA signing request"
community.crypto.openssl_csr_pipe: community.crypto.openssl_csr_pipe:
@ -42,8 +40,8 @@
csr_content: "{{ _hashistack_root_ca_csr.csr }}" csr_content: "{{ _hashistack_root_ca_csr.csr }}"
privatekey_path: "{{ hashistack_ca_root_key_path }}" privatekey_path: "{{ hashistack_ca_root_key_path }}"
provider: selfsigned provider: selfsigned
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
- name: "Root CA | Create self-signed CA certificate from CSR" - name: "Root CA | Create self-signed CA certificate from CSR"
community.crypto.x509_certificate: community.crypto.x509_certificate:
@ -52,5 +50,5 @@
privatekey_path: "{{ hashistack_ca_root_key_path }}" privatekey_path: "{{ hashistack_ca_root_key_path }}"
selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}" selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}"
provider: selfsigned provider: selfsigned
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"


@ -0,0 +1,73 @@
---
# task/generate_vault for hashistack_ca
- name: "Vault leaf certificates | Create certificate directory in for vault servers"
ansible.builtin.file:
path: "{{ hashistack_ca_vault_dir }}"
state: directory
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0755"
- name: "Vault leaf certificates | Create Vault certificates"
block:
- name: "Vault leaf certificates | Create Vault certificate keys"
community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_vault_key_path }}"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
- name: "Vault leaf certificates | Create CSRs for Vault servers"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ hashistack_ca_vault_key_path }}"
common_name: "{{ hashistack_ca_vault_common_name }}"
subject_alt_name: "{{ hashistack_ca_vault_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: "{{ hashistack_ca_vault_org_name }}"
use_common_name_for_san: false
register: _hashistack_ca_vault_csr
- name: "Vault leaf certificates | Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ hashistack_ca_vault_cert_path }}"
csr_content: "{{ _hashistack_ca_vault_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
ownca_not_before: "-1d"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0644"
- name: "Vault leaf certificates | Generate fullchain certificate"
block:
- name: "Vault leaf certificates | Read content of root ca certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_root_key_path }}"
register: _hashistack_ca_root_crt
- name: "Vault leaf certificates | Read content of intermediate ca certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_intermediate_cert_path }}"
register: _hashistack_ca_intermediate_crt
- name: "Vault leaf certificates | Read content of leaf certificate"
ansible.builtin.slurp:
src: "{{ hashistack_ca_vault_cert_path }}"
register: _hashistack_ca_vault_crt
- name: "Vault leaf certificates | Concatenate certificates"
ansible.builtin.copy:
content: |
{{ _hashistack_ca_vault_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
dest: "{{ hashistack_ca_vault_fullchain_path }}"
owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ hashistack_ca_directory_owner }}"
mode: "0644"


@ -21,3 +21,21 @@
- name: "CA | Import cleanup_backups.yml" - name: "CA | Import cleanup_backups.yml"
ansible.builtin.include_tasks: cleanup_backups.yml ansible.builtin.include_tasks: cleanup_backups.yml
- name: "Consul leaf certificates | Import generate/generate_consul.yml"
ansible.builtin.include_tasks: generate/generate_consul.yml
when:
- hashistack_ca_generate_leaf
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
- name: "Nomad leaf certificates | Import generate/generate_nomad.yml"
ansible.builtin.include_tasks: generate/generate_nomad.yml
when:
- hashistack_ca_generate_leaf
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
- name: "Vault leaf certificates | Import generate/generate_vault.yml"
ansible.builtin.include_tasks: generate/generate_vault.yml
when:
- hashistack_ca_generate_leaf
- "'vault_servers' in group_names"
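Review bot: The three new includes gate on `hashistack_ca_generate_leaf`, but the `hashistack_ca_renew_leaf` flag added to vars/main.yml in this commit has no include here, so `renew_leaf` in `hashistack_ca_action` is accepted and silently does nothing. The inventory group names the `when` clauses depend on (`consul_servers`, `consul_agents`, `nomad_servers`, `nomad_clients`, `vault_servers`) are now part of the role's contract and belong in its documentation; a comment above the first include such as `# Leaf certificates are issued per host, selected by inventory group membership` would at least state it in place.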


@ -18,8 +18,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ hashistack_ca_public_dir }}" path: "{{ hashistack_ca_public_dir }}"
state: directory state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
mode: 0755 mode: 0755
delegate_to: localhost delegate_to: localhost
@ -27,8 +27,8 @@
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item.path }}" src: "{{ item.path }}"
dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}" dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}"
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
mode: 0644 mode: 0644
loop: "{{ hashistack_ca_root_dir_files.files }}" loop: "{{ hashistack_ca_root_dir_files.files }}"
delegate_to: localhost delegate_to: localhost
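Review bot: The owner and group lines changed here sit next to `mode: 0755` and `mode: 0644` written as unquoted octal, whereas every other file in this commit quotes the mode (`mode: "0755"`); an unquoted leading-zero value is parsed as an integer before Ansible sees it, and ansible-lint flags the form as risky. Since these tasks are already being edited, quoting the two mode values in the same change keeps the role consistent. The task names are outside the hunk.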


@ -49,8 +49,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ hashistack_ca_intermediate_backup_dir }}" path: "{{ hashistack_ca_intermediate_backup_dir }}"
state: directory state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
mode: "0755" mode: "0755"
- name: "Intermediate CA | Format expiration date for backup" - name: "Intermediate CA | Format expiration date for backup"


@ -23,10 +23,6 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
_hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}" _hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}"
- name: "Root CA | Debug certificate expiration status"
ansible.builtin.debug:
msg: "Is root CA certificate expiring soon? {{ _hashistack_ca_is_expiring_soon }}"
- name: "Root CA | Renew CA if expiring soon" - name: "Root CA | Renew CA if expiring soon"
when: when:
- _hashistack_ca_is_expiring_soon - _hashistack_ca_is_expiring_soon
@ -36,8 +32,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ hashistack_ca_root_backup_dir }}" path: "{{ hashistack_ca_root_backup_dir }}"
state: directory state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ hashistack_ca_directory_owner }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ hashistack_ca_directory_owner }}"
mode: "0755" mode: "0755"
- name: "Root CA | Format expiration date for backup" - name: "Root CA | Format expiration date for backup"


@ -5,8 +5,10 @@ hashistack_ca_action_list: "{{ hashistack_ca_action.split(',') }}"
# possible actions # possible actions
hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}" hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}"
hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}" hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}"
hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}" hashistack_ca_generate_leaf: "{{ 'leaf_cert' in hashistack_ca_action_list }}"
hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}" hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}"
hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}"
hashistack_ca_renew_leaf: "{{ 'renew_leaf' in hashistack_ca_action_list }}"
hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca" hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca"
@ -20,3 +22,18 @@ hashistack_ca_intermediate_backup_dir: "{{ hashistack_ca_intermediate_dir }}/bac
hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key" hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key"
hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr" hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr"
hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt" hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt"
hashistack_ca_consul_dir: "{{ hashistack_ca_directory }}/consul/{{ inventory_hostname }}"
hashistack_ca_consul_key_path: "{{ hashistack_ca_consul_dir }}/cert.key"
hashistack_ca_consul_cert_path: "{{ hashistack_ca_consul_dir }}/cert.crt"
hashistack_ca_consul_fullchain_path: "{{ hashistack_ca_consul_dir }}/fullchain.crt"
hashistack_ca_nomad_dir: "{{ hashistack_ca_directory }}/nomad/{{ inventory_hostname }}"
hashistack_ca_nomad_key_path: "{{ hashistack_ca_nomad_dir }}/cert.key"
hashistack_ca_nomad_cert_path: "{{ hashistack_ca_nomad_dir }}/cert.crt"
hashistack_ca_nomad_fullchain_path: "{{ hashistack_ca_nomad_dir }}/fullchain.crt"
hashistack_ca_vault_dir: "{{ hashistack_ca_directory }}/vault/{{ inventory_hostname }}"
hashistack_ca_vault_key_path: "{{ hashistack_ca_vault_dir }}/cert.key"
hashistack_ca_vault_cert_path: "{{ hashistack_ca_vault_dir }}/cert.crt"
hashistack_ca_vault_fullchain_path: "{{ hashistack_ca_vault_dir }}/fullchain.crt"
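Review bot: `hashistack_ca_renew_leaf` is derived from `renew_leaf` but, as far as this commit shows, no task consumes it, so the action list accepts a value that has no effect. A comment next to it such as `# renew_leaf is reserved; leaf renewal tasks are not implemented yet`, or leaving the flag out until those tasks exist, keeps the accepted actions honest. Keying the per-service leaf directories by `inventory_hostname` is the right choice for the delegated run, since all hosts share one controller-side tree; a one-line comment above `hashistack_ca_consul_dir` saying so would help the next reader.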