hcp-ansible/roles/hashistack_ca/tasks/generate/generate_consul.yml

---
# tasks/generate/generate_consul.yml for the hashistack_ca role: issue the Consul leaf key/certificate and assemble its fullchain
# Make sure the target directory exists before the crypto modules below write
# into it (presumably the parent of the *_consul_*_path files — confirm).
- name: "Consul leaf certificates | Create certificate directory in for consul servers"
  ansible.builtin.file:
    state: directory
    path: '{{ hashistack_ca_consul_dir }}'
    # Directory is world-traversable; the private key inside must carry its
    # own restrictive mode.
    mode: '0755'
    owner: '{{ hashistack_ca_directory_owner }}'
    group: '{{ hashistack_ca_directory_owner }}'
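# Issue the Consul leaf: private key on disk -> in-memory CSR -> certificate
# signed by the intermediate CA (provider: ownca).
- name: "Consul leaf certificates | Create Consul certificates"
  block:
    - name: "Consul leaf certificates | Create Consul certificate keys"
      community.crypto.openssl_privatekey:
        path: "{{ hashistack_ca_consul_key_path }}"
        owner: "{{ hashistack_ca_directory_owner }}"
        group: "{{ hashistack_ca_directory_owner }}"
        # Pin the private key mode explicitly instead of relying on the
        # module default / umask, so the key is never group- or
        # world-readable. If a non-owner process must read this key, relax
        # to "0640" and set group to that process's group rather than 0644.
        mode: "0600"
    - name: "Consul leaf certificates | Create CSRs for Consul servers"
      # openssl_csr_pipe keeps the CSR in memory; it only feeds the
      # x509_certificate task below through the registered result.
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ hashistack_ca_consul_key_path }}"
        common_name: "{{ hashistack_ca_consul_common_name }}"
        # SANs come solely from the role variable; the CN is deliberately
        # not copied into the SAN list.
        subject_alt_name: "{{ hashistack_ca_consul_csr_sans }}"
        use_common_name_for_san: false
        organization_name: "{{ hashistack_ca_consul_org_name }}"
        key_usage_critical: true
        key_usage:
          - Digital Signature
          - Key Encipherment
          - Key Agreement
        # Both server and client auth are requested — presumably because the
        # same certificate is used for Consul's mutual TLS in both directions.
        extended_key_usage:
          - TLS Web Server Authentication
          - TLS Web Client Authentication
      register: _hashistack_ca_consul_csr
    - name: "Consul leaf certificates | Sign certificates with internal CA"
      community.crypto.x509_certificate:
        path: "{{ hashistack_ca_consul_cert_path }}"
        csr_content: "{{ _hashistack_ca_consul_csr.csr }}"
        # Signed by the intermediate, not the root; the intermediate's key is
        # read by this module only and never copied into the Consul directory.
        provider: ownca
        ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
        ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
        # Validity: not_after from the role variable; not_before backdated by
        # one day, presumably to tolerate clock skew between hosts — confirm.
        ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
        ownca_not_before: "-1d"
        owner: "{{ hashistack_ca_directory_owner }}"
        group: "{{ hashistack_ca_directory_owner }}"
        # The certificate is public; 0644 is fine here.
        mode: "0644"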
# Assemble the fullchain file from three slurped PEM files:
# leaf + intermediate + root, in that order.
- name: "Consul leaf certificates | Generate fullchain certificate"
  block:
    # NOTE(review): the task name says "root ca certificate" but src is
    # hashistack_ca_root_key_path. The *_key_path naming parallels
    # hashistack_ca_intermediate_key_path, which the signing task above uses
    # as the intermediate's PRIVATE key (ownca_privatekey_path). If this
    # variable likewise points at the root CA private key, its PEM is
    # concatenated into the fullchain below and written with mode 0644 —
    # the root key would end up in a world-readable file, and TLS consumers
    # would likely reject the chain. The other two slurps use *_cert_path;
    # confirm which file this variable names and point it at the root
    # certificate.
    - name: "Consul leaf certificates | Read content of root ca certificate"
      ansible.builtin.slurp:
        src: "{{ hashistack_ca_root_key_path }}"
      register: _hashistack_ca_root_crt
    - name: "Consul leaf certificates | Read content of intermediate ca certificate"
      ansible.builtin.slurp:
        src: "{{ hashistack_ca_intermediate_cert_path }}"
      register: _hashistack_ca_intermediate_crt
    - name: "Consul leaf certificates | Read content of leaf certificate"
      ansible.builtin.slurp:
        src: "{{ hashistack_ca_consul_cert_path }}"
      register: _hashistack_ca_consul_crt
    - name: "Consul leaf certificates | Concatenate certificates"
      # slurp returns base64, so each piece is b64decode'd. The pieces are
      # joined with no separator, which assumes every PEM file already ends
      # with a newline — confirm. The `|` block scalar keeps one trailing
      # newline on the result.
      ansible.builtin.copy:
        content: |
          {{ _hashistack_ca_consul_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
        dest: "{{ hashistack_ca_consul_fullchain_path }}"
        owner: "{{ hashistack_ca_directory_owner }}"
        group: "{{ hashistack_ca_directory_owner }}"
        # 0644 is only appropriate if every concatenated piece is a public
        # certificate (see the note on the root slurp above).
        mode: "0644"