2024-08-17 10:16:52 +00:00
|
|
|
---
|
|
|
|
# task/generate_consul for hashistack_ca
|
|
|
|
- name: "Consul leaf certificates | Create certificate directory in for consul servers"
|
|
|
|
ansible.builtin.file:
|
|
|
|
path: "{{ hashistack_ca_consul_dir }}"
|
|
|
|
state: directory
|
|
|
|
owner: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
group: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
mode: "0755"
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Create Consul certificates"
|
|
|
|
block:
|
|
|
|
- name: "Consul leaf certificates | Create Consul certificate keys"
|
|
|
|
community.crypto.openssl_privatekey:
|
|
|
|
path: "{{ hashistack_ca_consul_key_path }}"
|
|
|
|
owner: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
group: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Create CSRs for Consul servers"
|
|
|
|
community.crypto.openssl_csr_pipe:
|
|
|
|
privatekey_path: "{{ hashistack_ca_consul_key_path }}"
|
|
|
|
common_name: "{{ hashistack_ca_consul_common_name }}"
|
|
|
|
subject_alt_name: "{{ hashistack_ca_consul_csr_sans }}"
|
|
|
|
key_usage_critical: true
|
|
|
|
key_usage:
|
|
|
|
- Digital Signature
|
|
|
|
- Key Encipherment
|
|
|
|
- Key Agreement
|
|
|
|
extended_key_usage:
|
|
|
|
- TLS Web Server Authentication
|
|
|
|
- TLS Web Client Authentication
|
|
|
|
organization_name: "{{ hashistack_ca_consul_org_name }}"
|
|
|
|
use_common_name_for_san: false
|
|
|
|
register: _hashistack_ca_consul_csr
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Sign certificates with internal CA"
|
|
|
|
community.crypto.x509_certificate:
|
|
|
|
path: "{{ hashistack_ca_consul_cert_path }}"
|
|
|
|
csr_content: "{{ _hashistack_ca_consul_csr.csr }}"
|
|
|
|
provider: ownca
|
|
|
|
ownca_path: "{{ hashistack_ca_intermediate_cert_path }}"
|
|
|
|
ownca_privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
|
|
|
|
ownca_not_after: "+{{ hashistack_ca_leaf_valid_for }}"
|
|
|
|
ownca_not_before: "-1d"
|
|
|
|
owner: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
group: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
mode: "0644"
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Generate fullchain certificate"
|
|
|
|
block:
|
|
|
|
- name: "Consul leaf certificates | Read content of root ca certificate"
|
|
|
|
ansible.builtin.slurp:
|
|
|
|
src: "{{ hashistack_ca_root_key_path }}"
|
|
|
|
register: _hashistack_ca_root_crt
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Read content of intermediate ca certificate"
|
|
|
|
ansible.builtin.slurp:
|
|
|
|
src: "{{ hashistack_ca_intermediate_cert_path }}"
|
|
|
|
register: _hashistack_ca_intermediate_crt
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Read content of leaf certificate"
|
|
|
|
ansible.builtin.slurp:
|
|
|
|
src: "{{ hashistack_ca_consul_cert_path }}"
|
|
|
|
register: _hashistack_ca_consul_crt
|
|
|
|
|
|
|
|
- name: "Consul leaf certificates | Concatenate certificates"
|
|
|
|
ansible.builtin.copy:
|
|
|
|
content: |
|
|
|
|
{{ _hashistack_ca_consul_crt['content'] | b64decode }}{{ _hashistack_ca_intermediate_crt['content'] | b64decode }}{{ _hashistack_ca_root_crt['content'] | b64decode }}
|
|
|
|
dest: "{{ hashistack_ca_consul_fullchain_path }}"
|
|
|
|
owner: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
group: "{{ hashistack_ca_directory_owner }}"
|
|
|
|
mode: "0644"
|