Bertrand Lanson
54a86d7af3
All checks were successful
development / Check commit compliance (push) Successful in 25s
22 KiB
22 KiB
📃 Role overview
hashistack_ca
Description: Not available.
Field | Value |
---|---|
Readme update | 26/08/2024 |
Defaults
These are static variables with lower priority
File: defaults/main.yml
Var | Type | Value | Required | Title |
---|---|---|---|---|
hashistack_ca_directory | str | /etc/hashistack/certificates |
n/a | n/a |
hashistack_ca_use_cryptography | bool | False |
n/a | n/a |
hashistack_ca_action | str | noop |
n/a | n/a |
hashistack_ca_domain | str | example.com |
n/a | n/a |
hashistack_ca_directory_owner | str | root |
n/a | n/a |
hashistack_ca_root_org_name | str | EDNZ Cloud |
n/a | n/a |
hashistack_ca_root_country | str | FR |
n/a | n/a |
hashistack_ca_root_locality | str | Paris |
n/a | n/a |
hashistack_ca_root_common_name | str | {{ hashistack_ca_domain }} Root CA |
n/a | n/a |
hashistack_ca_root_email | NoneType | None |
n/a | n/a |
hashistack_ca_root_key_usage | list | ['keyCertSign', 'cRLSign'] |
n/a | n/a |
hashistack_ca_root_key_usage_critical | bool | True |
n/a | n/a |
hashistack_ca_root_basic_constraints | list | ['CA:TRUE'] |
n/a | n/a |
hashistack_ca_root_basic_constraints_critical | bool | True |
n/a | n/a |
hashistack_ca_root_state_or_province_name | NoneType | None |
n/a | n/a |
hashistack_ca_root_email_address | NoneType | None |
n/a | n/a |
hashistack_ca_root_valid_for | str | 1825d |
n/a | n/a |
hashistack_ca_root_renew_threshold | str | 180d |
n/a | n/a |
hashistack_ca_intermediate_org_name | str | EDNZ Cloud Intermediate |
n/a | n/a |
hashistack_ca_intermediate_country | str | FR |
n/a | n/a |
hashistack_ca_intermediate_locality | str | Paris |
n/a | n/a |
hashistack_ca_intermediate_common_name | str | {{ hashistack_ca_domain }} Intermediate CA |
n/a | n/a |
hashistack_ca_intermediate_email | NoneType | None |
n/a | n/a |
hashistack_ca_intermediate_key_usage | list | ['keyCertSign', 'cRLSign'] |
n/a | n/a |
hashistack_ca_intermediate_key_usage_critical | bool | True |
n/a | n/a |
hashistack_ca_intermediate_basic_constraints | list | ['CA:TRUE', 'pathlen:0'] |
n/a | n/a |
hashistack_ca_intermediate_basic_constraints_critical | bool | True |
n/a | n/a |
hashistack_ca_intermediate_state_or_province_name | NoneType | None |
n/a | n/a |
hashistack_ca_intermediate_email_address | NoneType | None |
n/a | n/a |
hashistack_ca_intermediate_valid_for | str | 365d |
n/a | n/a |
hashistack_ca_intermediate_renew_threshold | str | 90d |
n/a | n/a |
hashistack_ca_intermediate_name_constraints_permitted | list | ['DNS:.{{ hashistack_ca_domain }}', 'DNS:.nomad', 'DNS:.consul', 'DNS:localhost', 'IP:192.168.0.0/16', 'IP:172.16.0.0/16', 'IP:10.0.0.0/8', 'IP:127.0.0.0/8'] |
n/a | n/a |
hashistack_ca_intermediate_name_constraints_critical | str | {{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }} |
n/a | n/a |
hashistack_ca_leaf_valid_for | str | 90d |
n/a | n/a |
hashistack_ca_leaf_renew_threshold | str | 30d |
n/a | n/a |
hashistack_ca_consul_org_name | str | {{ hashistack_ca_root_org_name }} |
n/a | n/a |
hashistack_ca_consul_common_name | str | {{ inventory_hostname }} |
n/a | n/a |
hashistack_ca_consul_csr_sans | list | ['DNS:consul.service.consul', 'DNS:localhost', 'IP:127.0.0.1'] |
n/a | n/a |
hashistack_ca_nomad_org_name | str | {{ hashistack_ca_root_org_name }} |
n/a | n/a |
hashistack_ca_nomad_common_name | str | {{ inventory_hostname }} |
n/a | n/a |
hashistack_ca_nomad_csr_sans | list | ['DNS:server.global.nomad', 'DNS:client.global.nomad', 'DNS:nomad.service.consul', 'DNS:localhost', 'IP:127.0.0.1'] |
n/a | n/a |
hashistack_ca_vault_org_name | str | {{ hashistack_ca_root_org_name }} |
n/a | n/a |
hashistack_ca_vault_common_name | str | {{ inventory_hostname }} |
n/a | n/a |
hashistack_ca_vault_csr_sans | list | ['DNS:vault.service.consul', 'DNS:active.vault.service.consul', 'DNS:standby.vault.service.consul', 'DNS:localhost', 'IP:127.0.0.1'] |
n/a | n/a |
Vars
These are variables with higher priority
File: vars/main.yml
Var | Type | Value | Required | Title |
---|---|---|---|---|
hashistack_ca_action_list | str | {{ hashistack_ca_action.split(',') }} |
n/a | n/a |
hashistack_ca_generate_root | str | {{ 'root_ca' in hashistack_ca_action_list }} |
n/a | n/a |
hashistack_ca_generate_intermediate | str | {{ 'int_ca' in hashistack_ca_action_list }} |
n/a | n/a |
hashistack_ca_generate_leaf | str | {{ 'leaf_cert' in hashistack_ca_action_list }} |
n/a | n/a |
hashistack_ca_renew_root | str | {{ 'renew_root' in hashistack_ca_action_list }} |
n/a | n/a |
hashistack_ca_renew_intermediate | str | {{ 'renew_int' in hashistack_ca_action_list }} |
n/a | n/a |
hashistack_ca_renew_leaf | str | {{ 'renew_leaf' in hashistack_ca_action_list }} |
n/a | n/a |
hashistack_ca_public_dir | str | {{ hashistack_ca_directory }}/ca |
n/a | n/a |
hashistack_ca_root_dir | str | {{ hashistack_ca_directory }}/root |
n/a | n/a |
hashistack_ca_root_backup_dir | str | {{ hashistack_ca_root_dir }}/backup |
n/a | n/a |
hashistack_ca_root_key_path | str | {{ hashistack_ca_root_dir }}/ca.key |
n/a | n/a |
hashistack_ca_root_cert_path | str | {{ hashistack_ca_root_dir }}/ca.crt |
n/a | n/a |
hashistack_ca_intermediate_dir | str | {{ hashistack_ca_directory }}/intermediate |
n/a | n/a |
hashistack_ca_intermediate_backup_dir | str | {{ hashistack_ca_intermediate_dir }}/backup |
n/a | n/a |
hashistack_ca_intermediate_key_path | str | {{ hashistack_ca_intermediate_dir }}/ca.key |
n/a | n/a |
hashistack_ca_intermediate_csr_path | str | {{ hashistack_ca_intermediate_dir }}/ca.csr |
n/a | n/a |
hashistack_ca_intermediate_cert_path | str | {{ hashistack_ca_intermediate_dir }}/ca.crt |
n/a | n/a |
hashistack_ca_consul_dir | str | {{ hashistack_ca_directory }}/consul/{{ inventory_hostname }} |
n/a | n/a |
hashistack_ca_consul_key_path | str | {{ hashistack_ca_consul_dir }}/cert.key |
n/a | n/a |
hashistack_ca_consul_cert_path | str | {{ hashistack_ca_consul_dir }}/cert.crt |
n/a | n/a |
hashistack_ca_consul_fullchain_path | str | {{ hashistack_ca_consul_dir }}/fullchain.crt |
n/a | n/a |
hashistack_ca_nomad_dir | str | {{ hashistack_ca_directory }}/nomad/{{ inventory_hostname }} |
n/a | n/a |
hashistack_ca_nomad_key_path | str | {{ hashistack_ca_nomad_dir }}/cert.key |
n/a | n/a |
hashistack_ca_nomad_cert_path | str | {{ hashistack_ca_nomad_dir }}/cert.crt |
n/a | n/a |
hashistack_ca_nomad_fullchain_path | str | {{ hashistack_ca_nomad_dir }}/fullchain.crt |
n/a | n/a |
hashistack_ca_vault_dir | str | {{ hashistack_ca_directory }}/vault/{{ inventory_hostname }} |
n/a | n/a |
hashistack_ca_vault_key_path | str | {{ hashistack_ca_vault_dir }}/cert.key |
n/a | n/a |
hashistack_ca_vault_cert_path | str | {{ hashistack_ca_vault_dir }}/cert.crt |
n/a | n/a |
hashistack_ca_vault_fullchain_path | str | {{ hashistack_ca_vault_dir }}/fullchain.crt |
n/a | n/a |
Tasks
File: tasks/prepare_ca_to_copy.yml
Name | Module | Has Conditions |
---|---|---|
CA | Check if CA directory exists | ansible.builtin.stat | False |
CA | Find custom CA certificates to copy | ansible.builtin.find | True |
CA | Ensure public CA directory exists | ansible.builtin.file | False |
CA | Copy root CA certificates | ansible.builtin.copy | True |
File: tasks/main.yml
Name | Module | Has Conditions |
---|---|---|
CA | Import generate_root.yml | ansible.builtin.include_tasks | True |
CA | Import generate_intermediate.yml | ansible.builtin.include_tasks | True |
CA | Import renew_root.yml | ansible.builtin.include_tasks | True |
CA | Import renew_intermediate.yml | ansible.builtin.include_tasks | True |
CA | Import prepare_ca_to_copy.yml | ansible.builtin.include_tasks | False |
CA | Import cleanup_backups.yml | ansible.builtin.include_tasks | False |
Consul leaf certificates | Import generate/generate_consul.yml | ansible.builtin.include_tasks | True |
Nomad leaf certificates | Import generate/generate_nomad.yml | ansible.builtin.include_tasks | True |
Vault leaf certificates | Import generate/generate_vault.yml | ansible.builtin.include_tasks | True |
Consul leaf certificates | Import renew_consul.yml | ansible.builtin.include_tasks | True |
File: tasks/cleanup_backups.yml
Name | Module | Has Conditions |
---|---|---|
Cleanup | Check if root CA backup directory exists | ansible.builtin.stat | False |
Cleanup | Check if intermediate CA backup directory exists | ansible.builtin.stat | False |
Cleanup | Root CA backups | block | True |
Root CA | Find root CA backup certificates | ansible.builtin.find | False |
Root CA | Check expiration for root CA backup certificates | when | True |
Root CA | Remove expired root CA backup certificates | when | True |
Cleanup | Intermediate CA backups | block | True |
Intermediate CA | Find intermediate CA backup certificates | ansible.builtin.find | False |
Intermediate CA | Check expiration for intermediate CA backup certificates | when | True |
Intermediate CA | Remove expired intermediate CA backup certificates | when | True |
File: tasks/generate/generate_consul.yml
Name | Module | Has Conditions |
---|---|---|
Consul leaf certificates | Create certificate directory in for consul servers | ansible.builtin.file | False |
Consul leaf certificates | Create Consul certificates | block | False |
Consul leaf certificates | Create Consul certificate keys | community.crypto.openssl_privatekey | False |
Consul leaf certificates | Create CSRs for Consul servers | community.crypto.openssl_csr_pipe | False |
Consul leaf certificates | Sign certificates with internal CA | community.crypto.x509_certificate | False |
Consul leaf certificates | Generate fullchain certificate | block | False |
Consul leaf certificates | Read content of root ca certificate | ansible.builtin.slurp | False |
Consul leaf certificates | Read content of intermediate ca certificate | ansible.builtin.slurp | False |
Consul leaf certificates | Read content of leaf certificate | ansible.builtin.slurp | False |
Consul leaf certificates | Concatenate certificates | ansible.builtin.copy | False |
File: tasks/generate/generate_intermediate.yml
Name | Module | Has Conditions |
---|---|---|
Intermediate CA | Create temporary cert directory in {{ hashistack_ca_directory }}/intermediate | ansible.builtin.file | False |
Intermediate CA | Generate internal certificates | block | False |
Intermediate CA | Create intermediate CA private key | community.crypto.openssl_privatekey | False |
Intermediate CA | Create intermediate CA signing request | community.crypto.openssl_csr_pipe | False |
Intermediate CA | Create signed intermediate CA certificate from CSR | community.crypto.x509_certificate | False |
File: tasks/generate/generate_nomad.yml
Name | Module | Has Conditions |
---|---|---|
Nomad leaf certificates | Create certificate directory in for nomad servers | ansible.builtin.file | False |
Nomad leaf certificates | Create Nomad certificates | block | False |
Nomad leaf certificates | Create Nomad certificate keys | community.crypto.openssl_privatekey | False |
Nomad leaf certificates | Create CSRs for Nomad servers | community.crypto.openssl_csr_pipe | False |
Nomad leaf certificates | Sign certificates with internal CA | community.crypto.x509_certificate | False |
Nomad leaf certificates | Generate fullchain certificate | block | False |
Nomad leaf certificates | Read content of root ca certificate | ansible.builtin.slurp | False |
Nomad leaf certificates | Read content of intermediate ca certificate | ansible.builtin.slurp | False |
Nomad leaf certificates | Read content of leaf certificate | ansible.builtin.slurp | False |
Nomad leaf certificates | Concatenate certificates | ansible.builtin.copy | False |
File: tasks/generate/generate_vault.yml
Name | Module | Has Conditions |
---|---|---|
Vault leaf certificates | Create certificate directory in for vault servers | ansible.builtin.file | False |
Vault leaf certificates | Create Vault certificates | block | False |
Vault leaf certificates | Create Vault certificate keys | community.crypto.openssl_privatekey | False |
Vault leaf certificates | Create CSRs for Vault servers | community.crypto.openssl_csr_pipe | False |
Vault leaf certificates | Sign certificates with internal CA | community.crypto.x509_certificate | False |
Vault leaf certificates | Generate fullchain certificate | block | False |
Vault leaf certificates | Read content of root ca certificate | ansible.builtin.slurp | False |
Vault leaf certificates | Read content of intermediate ca certificate | ansible.builtin.slurp | False |
Vault leaf certificates | Read content of leaf certificate | ansible.builtin.slurp | False |
Vault leaf certificates | Concatenate certificates | ansible.builtin.copy | False |
File: tasks/generate/generate_root.yml
Name | Module | Has Conditions |
---|---|---|
Root CA | Create temporary cert directory in {{ hashistack_ca_directory }} | ansible.builtin.file | False |
Root CA | Generate root Authority | block | False |
Root CA | Create CA private key | community.crypto.openssl_privatekey | False |
Root CA | Create CA signing request | community.crypto.openssl_csr_pipe | False |
Root CA | Create self-signed CA certificate from CSR | community.crypto.x509_certificate | False |
Root CA | Create self-signed CA certificate from CSR | community.crypto.x509_certificate | False |
File: tasks/renew/renew_root.yml
Name | Module | Has Conditions |
---|---|---|
Root CA | Check if root CA certificate exists | ansible.builtin.stat | False |
Root CA | Check CA for renewal | block | True |
Root CA | Get root CA certificate expiration date | community.crypto.x509_certificate_info | False |
Root CA | Check if root CA certificate is expiring within the threshold | ansible.builtin.set_fact | False |
Root CA | Renew CA if expiring soon | block | True |
Root CA | Create backup directory for root CA | ansible.builtin.file | False |
Root CA | Format expiration date for backup | ansible.builtin.set_fact | False |
Root CA | Rename existing root CA certificate | ansible.builtin.command | False |
Root CA | Remove existing root CA key | ansible.builtin.file | False |
Root CA | Generate new root CA if renaming was successful | ansible.builtin.include_tasks | False |
Root CA | Generate new intermediate CA | ansible.builtin.include_tasks | False |
File: tasks/renew/renew_consul.yml
Name | Module | Has Conditions |
---|---|---|
Consul leaf certificates | Check if certificate exists | ansible.builtin.stat | False |
Consul leaf certificates | Check if intermediate CA certificate exists | ansible.builtin.stat | False |
Consul leaf certificates | Check certificate for renewal | block | True |
Consul leaf certificates | Get certificate expiration date | community.crypto.x509_certificate_info | False |
Intermediate CA | Get intermediate CA certificate info | community.crypto.x509_certificate_info | False |
Consul leaf certificates | Check if certificate is expiring within the threshold | ansible.builtin.set_fact | False |
Consul leaf certificates | Check if intermediate CA has been renewed | ansible.builtin.set_fact | False |
Consul leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed | block | True |
Consul leaf certificates | Remove old certificate before renewal | ansible.builtin.file | False |
Consul leaf certificates | Remove old certificate key before renewal | ansible.builtin.file | False |
Consul leaf certificates | Generate new consul leaf certificate | ansible.builtin.include_tasks | False |
File: tasks/renew/renew_nomad.yml
Name | Module | Has Conditions |
---|---|---|
Nomad leaf certificates | Check if certificate exists | ansible.builtin.stat | False |
Nomad leaf certificates | Check if intermediate CA certificate exists | ansible.builtin.stat | False |
Nomad leaf certificates | Check certificate for renewal | block | True |
Nomad leaf certificates | Get certificate expiration date | community.crypto.x509_certificate_info | False |
Intermediate CA | Get intermediate CA certificate info | community.crypto.x509_certificate_info | False |
Nomad leaf certificates | Check if certificate is expiring within the threshold | ansible.builtin.set_fact | False |
Nomad leaf certificates | Check if intermediate CA has been renewed | ansible.builtin.set_fact | False |
Nomad leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed | block | True |
Nomad leaf certificates | Remove old certificate before renewal | ansible.builtin.file | False |
Nomad leaf certificates | Remove old certificate key before renewal | ansible.builtin.file | False |
Nomad leaf certificates | Generate new nomad leaf certificate | ansible.builtin.include_tasks | False |
File: tasks/renew/renew_intermediate.yml
Name | Module | Has Conditions |
---|---|---|
Intermediate CA | Check if intermediate CA certificate exists | ansible.builtin.stat | False |
Intermediate CA | Check if root CA certificate exists | ansible.builtin.stat | False |
Intermediate CA | Check CA for renewal | block | True |
Intermediate CA | Get intermediate CA certificate expiration date | community.crypto.x509_certificate_info | False |
Root CA | Get root CA certificate info | community.crypto.x509_certificate_info | False |
Intermediate CA | Check if intermediate CA certificate is expiring within the threshold | ansible.builtin.set_fact | False |
Intermediate CA | Check if root CA has been renewed | ansible.builtin.set_fact | False |
Intermediate CA | Renew CA if expiring soon or root CA has been renewed | block | True |
Intermediate CA | Create backup directory for intermediate CA | ansible.builtin.file | False |
Intermediate CA | Format expiration date for backup | ansible.builtin.set_fact | False |
Intermediate CA | Backup existing intermediate CA certificate | ansible.builtin.command | False |
Intermediate CA | Backup existing intermediate CA key | ansible.builtin.command | False |
Intermediate CA | Generate new intermediate CA if backups were successful | ansible.builtin.include_tasks | False |
Intermediate CA | Generate new consul leaf certificates | ansible.builtin.include_tasks | False |
Intermediate CA | Generate new nomad leaf certificates | ansible.builtin.include_tasks | False |
Intermediate CA | Generate new vault leaf certificates | ansible.builtin.include_tasks | False |
File: tasks/renew/renew_vault.yml
Name | Module | Has Conditions |
---|---|---|
Vault leaf certificates | Check if certificate exists | ansible.builtin.stat | False |
Vault leaf certificates | Check if intermediate CA certificate exists | ansible.builtin.stat | False |
Vault leaf certificates | Check certificate for renewal | block | True |
Vault leaf certificates | Get certificate expiration date | community.crypto.x509_certificate_info | False |
Intermediate CA | Get intermediate CA certificate info | community.crypto.x509_certificate_info | False |
Vault leaf certificates | Check if certificate is expiring within the threshold | ansible.builtin.set_fact | False |
Vault leaf certificates | Check if intermediate CA has been renewed | ansible.builtin.set_fact | False |
Vault leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed | block | True |
Vault leaf certificates | Remove old certificate before renewal | ansible.builtin.file | False |
Vault leaf certificates | Remove old certificate key before renewal | ansible.builtin.file | False |
Vault leaf certificates | Generate new vault leaf certificate | ansible.builtin.include_tasks | False |