hcp-ansible/playbooks/group_vars/all/hashistack_ca.yml

---
# defaults
hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
hashistack_ca_use_cryptography: false
# hashistack_ca_action: "noop"
hashistack_ca_domain: example.com
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"

##############################
# Root Certificate Authority #
##############################
hashistack_ca_root_org_name: EDNZ Cloud
hashistack_ca_root_country: FR
hashistack_ca_root_locality: Paris
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
hashistack_ca_root_email:
hashistack_ca_root_key_usage:
  - keyCertSign
  - cRLSign
hashistack_ca_root_key_usage_critical: true
hashistack_ca_root_basic_constraints:
  - CA:TRUE
hashistack_ca_root_basic_constraints_critical: true

# Optional fields
hashistack_ca_root_state_or_province_name:
hashistack_ca_root_email_address:

# Validity
hashistack_ca_root_valid_for: 1825d
hashistack_ca_root_renew_threshold: 180d

######################################
# Intermediate Certificate Authority #
######################################
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
hashistack_ca_intermediate_country: FR
hashistack_ca_intermediate_locality: Paris
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
hashistack_ca_intermediate_email:
hashistack_ca_intermediate_key_usage:
  - keyCertSign
  - cRLSign
hashistack_ca_intermediate_key_usage_critical: true
hashistack_ca_intermediate_basic_constraints:
  - CA:TRUE
  - pathlen:0
hashistack_ca_intermediate_basic_constraints_critical: true

# Optional fields
hashistack_ca_intermediate_state_or_province_name:
hashistack_ca_intermediate_email_address:

# Validity
hashistack_ca_intermediate_valid_for: 365d
hashistack_ca_intermediate_renew_threshold: 90d

# Name Constraints
hashistack_ca_intermediate_name_constraints_permitted:
  - "DNS:.{{ hashistack_ca_domain }}"
  - DNS:.nomad
  - DNS:.consul
  - DNS:localhost
  - IP:192.168.0.0/16
  - IP:172.16.0.0/16
  - IP:10.0.0.0/8
  - IP:127.0.0.0/8
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"

#####################
# Leaf certificates #
#####################

hashistack_ca_leaf_valid_for: 90d
hashistack_ca_leaf_renew_threshold: 30d

############################
# Consul Leaf Certificates #
############################
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
hashistack_ca_consul_csr_sans: >
  {{
    [
      "DNS:" + inventory_hostname,
      "DNS:consul.service.consul",
      "DNS:localhost",
      "IP:" + api_interface_address,
      "IP:127.0.0.1"
    ]
    + ([ "DNS:server." + consul_datacenter + "." + consul_domain ] if consul_enable_server else [])
  }}

###########################
# Nomad Leaf Certificates #
###########################
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
hashistack_ca_nomad_csr_sans: >
  {{
    [
      "DNS:" + inventory_hostname,
      "DNS:localhost",
      "IP:" + api_interface_address,
      "IP:127.0.0.1"
    ]
    + ([ "DNS:server." + nomad_region + ".nomad" ] if nomad_enable_server else [])
    + ([ "DNS:client." + nomad_region + ".nomad" ] if nomad_enable_client else [])
    + ([ "DNS:nomad.service.consul" ] if (nomad_enable_server and enable_consul) else [])
  }}

###########################
# Vault Leaf Certificates #
###########################
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
hashistack_ca_vault_csr_sans: >
  {{
    [
      "DNS:" + inventory_hostname,
      "DNS:localhost",
      "IP:" + api_interface_address,
      "IP:127.0.0.1"
    ]
    + ([
      "DNS:active.vault.service.consul",
      "DNS:standby.vault.service.consul",
      "DNS:vault.service.consul"
      ] if enable_consul else [])
  }}
feat: organise group_vars 2024-08-17 12:05:44 +00:00			`---`
			`# defaults`
feat: simplify hashistack_ca default SANs for nomad and consul 2024-10-30 18:31:28 +00:00			`hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"`
feat: organise group_vars 2024-08-17 12:05:44 +00:00			`hashistack_ca_use_cryptography: false`
fix: allow override of the hashistack_ca_action via extra-vars flag 2024-11-10 21:51:35 +00:00			`# hashistack_ca_action: "noop"`
feat: organise group_vars 2024-08-17 12:05:44 +00:00			`hashistack_ca_domain: example.com`
fix(group_vars/hashistack_ca): update default owner for pkito avoid permission issues 2024-10-30 18:34:45 +00:00			`hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"`
feat: organise group_vars 2024-08-17 12:05:44 +00:00
			`##############################`
			`# Root Certificate Authority #`
			`##############################`
			`hashistack_ca_root_org_name: EDNZ Cloud`
			`hashistack_ca_root_country: FR`
			`hashistack_ca_root_locality: Paris`
			`hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"`
			`hashistack_ca_root_email:`
			`hashistack_ca_root_key_usage:`
			`- keyCertSign`
			`- cRLSign`
			`hashistack_ca_root_key_usage_critical: true`
			`hashistack_ca_root_basic_constraints:`
			`- CA:TRUE`
			`hashistack_ca_root_basic_constraints_critical: true`

			`# Optional fields`
			`hashistack_ca_root_state_or_province_name:`
			`hashistack_ca_root_email_address:`

			`# Validity`
			`hashistack_ca_root_valid_for: 1825d`
			`hashistack_ca_root_renew_threshold: 180d`

			`######################################`
			`# Intermediate Certificate Authority #`
			`######################################`
			`hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate`
			`hashistack_ca_intermediate_country: FR`
			`hashistack_ca_intermediate_locality: Paris`
			`hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"`
			`hashistack_ca_intermediate_email:`
			`hashistack_ca_intermediate_key_usage:`
			`- keyCertSign`
			`- cRLSign`
			`hashistack_ca_intermediate_key_usage_critical: true`
			`hashistack_ca_intermediate_basic_constraints:`
			`- CA:TRUE`
			`- pathlen:0`
			`hashistack_ca_intermediate_basic_constraints_critical: true`

			`# Optional fields`
			`hashistack_ca_intermediate_state_or_province_name:`
			`hashistack_ca_intermediate_email_address:`

			`# Validity`
			`hashistack_ca_intermediate_valid_for: 365d`
			`hashistack_ca_intermediate_renew_threshold: 90d`

			`# Name Constraints`
			`hashistack_ca_intermediate_name_constraints_permitted:`
			`- "DNS:.{{ hashistack_ca_domain }}"`
			`- DNS:.nomad`
			`- DNS:.consul`
			`- DNS:localhost`
			`- IP:192.168.0.0/16`
			`- IP:172.16.0.0/16`
			`- IP:10.0.0.0/8`
			`- IP:127.0.0.0/8`
			`hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted \| length > 0) }}"`

			`#####################`
			`# Leaf certificates #`
			`#####################`

			`hashistack_ca_leaf_valid_for: 90d`
			`hashistack_ca_leaf_renew_threshold: 30d`

			`############################`
			`# Consul Leaf Certificates #`
			`############################`
			`hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"`
			`hashistack_ca_consul_common_name: "{{ inventory_hostname }}"`
fix: allow override of the hashistack_ca_action via extra-vars flag 2024-11-10 21:51:35 +00:00			`hashistack_ca_consul_csr_sans: >`
			`{{`
			`[`
			`"DNS:" + inventory_hostname,`
			`"DNS:consul.service.consul",`
			`"DNS:localhost",`
			`"IP:" + api_interface_address,`
			`"IP:127.0.0.1"`
			`]`
			`+ ([ "DNS:server." + consul_datacenter + "." + consul_domain ] if consul_enable_server else [])`
			`}}`
feat: organise group_vars 2024-08-17 12:05:44 +00:00
			`###########################`
			`# Nomad Leaf Certificates #`
			`###########################`
			`hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"`
			`hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"`
fix: allow override of the hashistack_ca_action via extra-vars flag 2024-11-10 21:51:35 +00:00			`hashistack_ca_nomad_csr_sans: >`
			`{{`
			`[`
			`"DNS:" + inventory_hostname,`
			`"DNS:localhost",`
			`"IP:" + api_interface_address,`
			`"IP:127.0.0.1"`
			`]`
			`+ ([ "DNS:server." + nomad_region + ".nomad" ] if nomad_enable_server else [])`
			`+ ([ "DNS:client." + nomad_region + ".nomad" ] if nomad_enable_client else [])`
			`+ ([ "DNS:nomad.service.consul" ] if (nomad_enable_server and enable_consul) else [])`
			`}}`
feat: organise group_vars 2024-08-17 12:05:44 +00:00
			`###########################`
			`# Vault Leaf Certificates #`
			`###########################`
			`hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"`
			`hashistack_ca_vault_common_name: "{{ inventory_hostname }}"`
fix: allow override of the hashistack_ca_action via extra-vars flag 2024-11-10 21:51:35 +00:00			`hashistack_ca_vault_csr_sans: >`
			`{{`
			`[`
			`"DNS:" + inventory_hostname,`
			`"DNS:localhost",`
			`"IP:" + api_interface_address,`
			`"IP:127.0.0.1"`
			`]`
			`+ ([`
			`"DNS:active.vault.service.consul",`
			`"DNS:standby.vault.service.consul",`
			`"DNS:vault.service.consul"`
			`] if enable_consul else [])`
			`}}`