Bertrand Lanson
bd2028c3af
All checks were successful
development / Check commit compliance (push) Successful in 6s
276 lines
12 KiB
YAML
276 lines
12 KiB
YAML
---
|
|
# hashistack generate certificates playbook
|
|
- name: "Generate certificates"
|
|
hosts: all
|
|
strategy: linear
|
|
gather_facts: true
|
|
become: true
|
|
tasks:
|
|
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
ansible.builtin.file:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/external"
|
|
state: directory
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0755"
|
|
delegate_to: localhost
|
|
run_once: true
|
|
|
|
- name: "Generate external certificates" # noqa: run-once[task]
|
|
delegate_to: localhost
|
|
run_once: true
|
|
block:
|
|
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
ansible.builtin.file:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/external"
|
|
state: directory
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0755"
|
|
|
|
- name: "Create private keys"
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
loop:
|
|
- name: nomad
|
|
fqdn: "{{ nomad_fqdn }}"
|
|
- name: vault
|
|
fqdn: "{{ vault_fqdn }}"
|
|
- name: consul
|
|
fqdn: "{{ consul_fqdn }}"
|
|
|
|
- name: "Create certificate signing request"
|
|
community.crypto.openssl_csr_pipe:
|
|
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
|
common_name: "{{ item.fqdn }}"
|
|
organization_name: EDNZ Cloud
|
|
register: csr
|
|
loop:
|
|
- name: nomad
|
|
fqdn: "{{ nomad_fqdn }}"
|
|
- name: vault
|
|
fqdn: "{{ vault_fqdn }}"
|
|
- name: consul
|
|
fqdn: "{{ consul_fqdn }}"
|
|
|
|
- name: "Create self-signed certificate from CSR"
|
|
community.crypto.x509_certificate:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
|
|
csr_content: "{{ item.csr }}"
|
|
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
|
|
provider: selfsigned
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
loop: "{{ csr.results }}"
|
|
|
|
- name: "Generate internal certificates"
|
|
tags:
|
|
- never
|
|
- internal
|
|
delegate_to: localhost
|
|
vars:
|
|
hashistack_ca_key_path: "{{ sub_configuration_directories['certificates'] }}/ca/ca.key"
|
|
hashistack_ca_cert_path: "{{ sub_configuration_directories['certificates'] }}/ca/ca.crt"
|
|
block:
|
|
- name: "Create internal CA" # noqa: run-once[task]
|
|
run_once: true
|
|
block:
|
|
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
ansible.builtin.file:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
|
state: directory
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0755"
|
|
|
|
- name: "Create CA private key"
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ hashistack_ca_key_path }}"
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
|
|
- name: "Create CA signing request"
|
|
community.crypto.openssl_csr_pipe:
|
|
privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
common_name: "CA"
|
|
organization_name: EDNZ Cloud
|
|
use_common_name_for_san: false
|
|
basic_constraints:
|
|
- CA:TRUE
|
|
basic_constraints_critical: true
|
|
key_usage:
|
|
- keyCertSign
|
|
key_usage_critical: true
|
|
register: ca_csr
|
|
|
|
- name: "Create self-signed CA certificate from CSR"
|
|
community.crypto.x509_certificate:
|
|
path: "{{ hashistack_ca_cert_path }}"
|
|
csr_content: "{{ ca_csr.csr }}"
|
|
privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
provider: selfsigned
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
|
|
- name: "Create Vault certificates"
|
|
when:
|
|
- "'vault_servers' in group_names"
|
|
vars:
|
|
vault_private_key_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
|
|
vault_certificate_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
|
|
block:
|
|
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
ansible.builtin.file:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
|
state: directory
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0755"
|
|
|
|
- name: "Create Vault certificate keys"
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ vault_private_key_path }}"
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
|
|
- name: "Create CSRs for Vault servers"
|
|
community.crypto.openssl_csr_pipe:
|
|
privatekey_path: "{{ vault_private_key_path }}"
|
|
common_name: "{{ inventory_hostname }}"
|
|
subject_alt_name:
|
|
- "DNS:{{ inventory_hostname }}"
|
|
- "DNS:active.vault.service.consul"
|
|
- "DNS:standby.vault.service.consul"
|
|
- "DNS:vault.service.consul"
|
|
- "DNS:localhost"
|
|
- "IP:{{ api_interface_address }}"
|
|
- "IP:127.0.0.1"
|
|
key_usage_critical: true
|
|
key_usage:
|
|
- Digital Signature
|
|
- Key Encipherment
|
|
- Key Agreement
|
|
extended_key_usage:
|
|
- TLS Web Server Authentication
|
|
- TLS Web Client Authentication
|
|
organization_name: EDNZ Cloud
|
|
use_common_name_for_san: false
|
|
register: vault_csr
|
|
|
|
- name: "Sign certificates with internal CA"
|
|
community.crypto.x509_certificate:
|
|
path: "{{ vault_certificate_path }}"
|
|
csr_content: "{{ vault_csr.csr }}"
|
|
provider: ownca
|
|
ownca_path: "{{ hashistack_ca_cert_path }}"
|
|
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
ownca_not_after: "+365d"
|
|
ownca_not_before: "-1d"
|
|
|
|
- name: "Concatenate CA and Child certificates"
|
|
block:
|
|
- name: "Read content of ca.crt"
|
|
ansible.builtin.slurp:
|
|
src: "{{ hashistack_ca_cert_path }}"
|
|
register: ca_crt_content
|
|
|
|
- name: "Read content of cert.pem"
|
|
ansible.builtin.slurp:
|
|
src: "{{ vault_certificate_path }}"
|
|
register: cert_pem_content
|
|
|
|
- name: "Concatenate certificates"
|
|
ansible.builtin.copy:
|
|
content: |
|
|
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
|
dest: "{{ vault_certificate_path }}"
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0644"
|
|
|
|
- name: "Create Consul certificates"
|
|
when:
|
|
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
|
vars:
|
|
consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
|
|
consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
|
|
block:
|
|
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
ansible.builtin.file:
|
|
path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
|
state: directory
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0755"
|
|
|
|
- name: "Create Consul certificate keys"
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ consul_private_key_path }}"
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
|
|
- name: "Create CSRs for Consul servers"
|
|
vars:
|
|
consul_csr_sans: >-
|
|
{%- set sans_list = [
|
|
'DNS:' + inventory_hostname,
|
|
'DNS:consul.service.consul',
|
|
'DNS:localhost',
|
|
'IP:' + api_interface_address,
|
|
'IP:127.0.0.1'
|
|
] -%}
|
|
{%- if hashi_consul_configuration.server -%}
|
|
{%- set _ = sans_list.append('DNS:server.' ~ hashi_consul_configuration.datacenter ~ '.' ~ hashi_consul_configuration.domain) -%}
|
|
{%- endif -%}
|
|
{{ sans_list }}
|
|
community.crypto.openssl_csr_pipe:
|
|
privatekey_path: "{{ consul_private_key_path }}"
|
|
common_name: "{{ inventory_hostname }}"
|
|
subject_alt_name: "{{ consul_csr_sans }}"
|
|
key_usage_critical: true
|
|
key_usage:
|
|
- Digital Signature
|
|
- Key Encipherment
|
|
- Key Agreement
|
|
extended_key_usage:
|
|
- TLS Web Server Authentication
|
|
- TLS Web Client Authentication
|
|
organization_name: EDNZ Cloud
|
|
use_common_name_for_san: false
|
|
register: consul_csr
|
|
|
|
- name: "Sign certificates with internal CA"
|
|
community.crypto.x509_certificate:
|
|
path: "{{ consul_certificate_path }}"
|
|
csr_content: "{{ consul_csr.csr }}"
|
|
provider: ownca
|
|
ownca_path: "{{ hashistack_ca_cert_path }}"
|
|
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
ownca_not_after: "+365d"
|
|
ownca_not_before: "-1d"
|
|
|
|
- name: "Concatenate CA and Child certificates"
|
|
block:
|
|
- name: "Read content of ca.crt"
|
|
ansible.builtin.slurp:
|
|
src: "{{ hashistack_ca_cert_path }}"
|
|
register: ca_crt_content
|
|
|
|
- name: "Read content of cert.pem"
|
|
ansible.builtin.slurp:
|
|
src: "{{ consul_certificate_path }}"
|
|
register: cert_pem_content
|
|
|
|
- name: "Concatenate certificates"
|
|
ansible.builtin.copy:
|
|
content: |
|
|
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
|
dest: "{{ consul_certificate_path }}"
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: "0644"
|
|
|
|
# - fail:
|