From 0852eae2fcc5422c3efda5d8a3e7f99a4ad5c531 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 4 Aug 2024 01:19:11 +0200 Subject: [PATCH] feat(roles): add hashistack_ca role to manage clusters certificates --- roles/hashistack_ca/defaults/main.yml | 67 +++++++++++++++++ roles/hashistack_ca/handlers/main.yml | 2 + roles/hashistack_ca/meta/main.yml | 2 + roles/hashistack_ca/tasks/cleanup_backups.yml | 73 +++++++++++++++++++ .../tasks/generate/generate_consul.yml | 0 .../tasks/generate/generate_intermediate.yml | 49 +++++++++++++ .../tasks/generate/generate_nomad.yml | 0 .../tasks/generate/generate_root.yml | 56 ++++++++++++++ .../tasks/generate/generate_vault.yml | 0 roles/hashistack_ca/tasks/main.yml | 23 ++++++ .../tasks/prepare_ca_to_copy.yml | 35 +++++++++ .../tasks/renew/renew_intermediate.yml | 71 ++++++++++++++++++ .../hashistack_ca/tasks/renew/renew_root.yml | 62 ++++++++++++++++ roles/hashistack_ca/vars/main.yml | 22 ++++++ 14 files changed, 462 insertions(+) create mode 100644 roles/hashistack_ca/defaults/main.yml create mode 100644 roles/hashistack_ca/handlers/main.yml create mode 100644 roles/hashistack_ca/meta/main.yml create mode 100644 roles/hashistack_ca/tasks/cleanup_backups.yml create mode 100644 roles/hashistack_ca/tasks/generate/generate_consul.yml create mode 100644 roles/hashistack_ca/tasks/generate/generate_intermediate.yml create mode 100644 roles/hashistack_ca/tasks/generate/generate_nomad.yml create mode 100644 roles/hashistack_ca/tasks/generate/generate_root.yml create mode 100644 roles/hashistack_ca/tasks/generate/generate_vault.yml create mode 100644 roles/hashistack_ca/tasks/main.yml create mode 100644 roles/hashistack_ca/tasks/prepare_ca_to_copy.yml create mode 100644 roles/hashistack_ca/tasks/renew/renew_intermediate.yml create mode 100644 roles/hashistack_ca/tasks/renew/renew_root.yml create mode 100644 roles/hashistack_ca/vars/main.yml 
diff --git a/roles/hashistack_ca/defaults/main.yml b/roles/hashistack_ca/defaults/main.yml
new file mode 100644
index 0000000..6b9aacd
--- /dev/null
+++ b/roles/hashistack_ca/defaults/main.yml
@@ -0,0 +1,67 @@
+---
+# defaults file for hashistack_ca
+hashistack_ca_directory: "/etc/hashistack/certificates"
+hashistack_ca_use_cryptography: false
+hashistack_ca_action: "noop"
+hashistack_ca_domain: example.com
+
+##############################
+# Root Certificate Authority #
+##############################
+hashistack_ca_root_org_name: EDNZ Cloud
+hashistack_ca_root_country: FR
+hashistack_ca_root_locality: Paris
+hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
+hashistack_ca_root_email:
+hashistack_ca_root_key_usage:
+ - keyCertSign
+ - cRLSign
+hashistack_ca_root_key_usage_critical: true
+hashistack_ca_root_basic_constraints:
+ - CA:TRUE
+hashistack_ca_root_basic_constraints_critical: true
+
+# Optional fields
+hashistack_ca_root_state_or_province_name:
+hashistack_ca_root_email_address:
+
+# Validity
+hashistack_ca_root_valid_for: 1825d
+hashistack_ca_root_renew_threshold: 180d
+
+######################################
+# Intermediate Certificate Authority #
+######################################
+hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
+hashistack_ca_intermediate_country: FR
+hashistack_ca_intermediate_locality: Paris
+hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
+hashistack_ca_intermediate_email:
+hashistack_ca_intermediate_key_usage:
+ - keyCertSign
+ - cRLSign
+hashistack_ca_intermediate_key_usage_critical: true
+hashistack_ca_intermediate_basic_constraints:
+ - CA:TRUE
+ - pathlen:0
+hashistack_ca_intermediate_basic_constraints_critical: true
+
+# Optional fields
+hashistack_ca_intermediate_state_or_province_name:
+hashistack_ca_intermediate_email_address:
+
+# Validity
+hashistack_ca_intermediate_valid_for: 365d
+hashistack_ca_intermediate_renew_threshold: 90d
+
+# Name Constraints
+hashistack_ca_intermediate_name_constraints_permitted:
+ - DNS:.nomad
+ - DNS:.consul
+ - DNS:.example.com
+ - DNS:localhost
+ - IP:192.168.0.0/16
+ - IP:172.16.0.0/16
+ - IP:10.0.0.0/8
+ - IP:127.0.0.0/8
+hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
diff --git a/roles/hashistack_ca/handlers/main.yml b/roles/hashistack_ca/handlers/main.yml
new file mode 100644
index 0000000..d422281
--- /dev/null
+++ b/roles/hashistack_ca/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for hashistack_ca
diff --git a/roles/hashistack_ca/meta/main.yml b/roles/hashistack_ca/meta/main.yml
new file mode 100644
index 0000000..b1fb702
--- /dev/null
+++ b/roles/hashistack_ca/meta/main.yml
@@ -0,0 +1,2 @@
+---
+# meta file for hashistack_ca
diff --git a/roles/hashistack_ca/tasks/cleanup_backups.yml b/roles/hashistack_ca/tasks/cleanup_backups.yml
new file mode 100644
index 0000000..f4bac6b
--- /dev/null
+++ b/roles/hashistack_ca/tasks/cleanup_backups.yml
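Review bot: The name-constraint list hard-codes `DNS:.example.com` while both CA common names are built from `hashistack_ca_domain`, so an operator who overrides the domain gets an intermediate that is forbidden (the constraint is marked critical) from signing certificates for their own domain; use `- "DNS:.{{ hashistack_ca_domain }}"` instead. The `IP:172.16.0.0/16` entry permits only 172.16.x.x, not the whole 172.16.0.0/12 private range — verify that is intended. `hashistack_ca_root_email` and `hashistack_ca_root_email_address` (and the intermediate pair) look like two names for one setting; only the `_email` form is read by the generate tasks, so drop or document the other. The accepted tokens of `hashistack_ca_action` (`root_ca`, `int_ca`, `renew_root`, `renew_int`, comma-separated, as parsed in vars/main.yml) are not listed anywhere an operator would look; a comment above `hashistack_ca_action: "noop"` naming them would help.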
@@ -0,0 +1,73 @@
+---
+# tasks/cleanup_backups file for hashistack_ca
+- name: "Cleanup | Check if root CA backup directory exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_root_backup_dir }}"
+ register: _hashistack_ca_root_backup_dir_stat
+ delegate_to: localhost
+
+- name: "Cleanup | Check if intermediate CA backup directory exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_intermediate_backup_dir }}"
+ register: _hashistack_ca_intermediate_backup_dir_stat
+ delegate_to: localhost
+
+- name: "Cleanup | Root CA backups"
+ when:
+ - _hashistack_ca_root_backup_dir_stat.stat.exists
+ - _hashistack_ca_root_backup_dir_stat.stat.isdir
+ delegate_to: localhost
+ block:
+ - name: "Root CA | Find root CA backup certificates"
+ ansible.builtin.find:
+ paths: "{{ hashistack_ca_root_backup_dir }}"
+ patterns: "*.crt"
+ register: _root_backup_files
+
+ - name: "Root CA | Check expiration for root CA backup certificates"
+ when: _root_backup_files.matched > 0
+ community.crypto.x509_certificate_info:
+ path: "{{ item.path }}"
+ register: _root_cert_info
+ loop: "{{ _root_backup_files.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+ failed_when: false
+ ignore_errors: true
+
+ - name: "Root CA | Remove expired root CA backup certificates"
+ when: item.item.expired | default(false)
+ ansible.builtin.file:
+ path: "{{ item.item.path }}"
+ state: absent
+ loop: "{{ _root_cert_info.results }}"
+
+- name: "Cleanup | Intermediate CA backups"
+ when:
+ - _hashistack_ca_intermediate_backup_dir_stat.stat.exists
+ - _hashistack_ca_intermediate_backup_dir_stat.stat.isdir
+ delegate_to: localhost
+ block:
+ - name: "Intermediate CA | Find intermediate CA backup certificates"
+ ansible.builtin.find:
+ paths: "{{ hashistack_ca_intermediate_backup_dir }}"
+ patterns: "*.crt"
+ register: _intermediate_backup_files
+
+ - name: "Intermediate CA | Check expiration for intermediate CA backup certificates"
+ when: _intermediate_backup_files.matched > 0
+ community.crypto.x509_certificate_info:
+ path: "{{ item.path }}"
+ register: _intermediate_cert_info
+ loop: "{{ _intermediate_backup_files.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+ failed_when: false
+ ignore_errors: true
+
+ - name: "Intermediate CA | Remove expired intermediate CA backup certificates"
+ when: item.item.expired | default(false)
+ ansible.builtin.file:
+ path: "{{ item.item.path }}"
+ state: absent
+ loop: "{{ _intermediate_cert_info.results }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_consul.yml b/roles/hashistack_ca/tasks/generate/generate_consul.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/hashistack_ca/tasks/generate/generate_intermediate.yml b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
new file mode 100644
index 0000000..db42ca9
--- /dev/null
+++ b/roles/hashistack_ca/tasks/generate/generate_intermediate.yml
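Review bot: Both "Remove expired … backup certificates" tasks test `item.item.expired | default(false)`, but `expired` is a return value of `x509_certificate_info` and therefore lives on the registered result (`item`), while `item.item` is the `find` entry that only carries `path` and file metadata; as written the condition is always false and no expired backup is ever removed, so it should read `when: item.expired | default(false)` (the `item.item.path` reference below it is correct). The cleanup also matches only `*.crt`, yet renew_intermediate.yml moves the private key into the same directory as `intermediate_ca_expire_<date>.key`, so an expired CA's private key would stay on disk indefinitely; delete the sibling file whose name is the certificate path with `.crt` replaced by `.key` in the same task, or loop a second `file: state: absent` over the results. The `failed_when: false` plus `ignore_errors: true` pair on the info task is redundant — `failed_when: false` alone already prevents a failure.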
@@ -0,0 +1,49 @@
+---
+# task/generate_intermediate for hashistack_ca
+- name: "Intermediate CA | Create temporary cert directory in {{ hashistack_ca_directory }}/intermediate"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_intermediate_dir }}"
+ state: directory
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: "0755"
+ delegate_to: localhost
+
+- name: "Intermediate CA | Generate internal certificates"
+ delegate_to: localhost
+ block:
+ - name: "Intermediate CA | Create intermediate CA private key"
+ community.crypto.openssl_privatekey:
+ path: "{{ hashistack_ca_intermediate_key_path }}"
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+
+ - name: "Intermediate CA | Create intermediate CA signing request"
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
+ common_name: "{{ omit if hashistack_ca_intermediate_common_name is not defined else hashistack_ca_intermediate_common_name }}"
+ organization_name: "{{ omit if hashistack_ca_intermediate_org_name is not defined else hashistack_ca_intermediate_org_name }}"
+ country_name: "{{ omit if hashistack_ca_intermediate_country is not defined else hashistack_ca_intermediate_country }}"
+ locality_name: "{{ omit if hashistack_ca_intermediate_locality is not defined else hashistack_ca_intermediate_locality }}"
+ state_or_province_name: "{{ omit if hashistack_ca_intermediate_state_or_province_name is not defined else hashistack_ca_intermediate_state_or_province_name }}"
+ email_address: "{{ omit if hashistack_ca_intermediate_email is not defined else hashistack_ca_intermediate_email }}"
+ basic_constraints: "{{ hashistack_ca_intermediate_basic_constraints }}"
+ basic_constraints_critical: true
+ name_constraints_permitted: "{{ hashistack_ca_intermediate_name_constraints_permitted if hashistack_ca_intermediate_name_constraints_permitted | length > 0 else omit }}"
+ name_constraints_critical: "{{ hashistack_ca_intermediate_name_constraints_critical }}"
+ key_usage: "{{ hashistack_ca_intermediate_key_usage }}"
+ key_usage_critical: true
+ use_common_name_for_san: false
+ select_crypto_backend: "{{ 'cryptography' if hashistack_ca_use_cryptography else 'auto' }}"
+ register: _hashistack_intermediate_ca_csr
+
+ - name: "Intermediate CA | Create signed intermediate CA certificate from CSR"
+ community.crypto.x509_certificate:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ csr_content: "{{ _hashistack_intermediate_ca_csr.csr }}"
+ ownca_path: "{{ hashistack_ca_root_cert_path }}"
+ ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}"
+ provider: ownca
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_nomad.yml b/roles/hashistack_ca/tasks/generate/generate_nomad.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/hashistack_ca/tasks/generate/generate_root.yml b/roles/hashistack_ca/tasks/generate/generate_root.yml
new file mode 100644
index 0000000..796db1e
--- /dev/null
+++ b/roles/hashistack_ca/tasks/generate/generate_root.yml
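Review bot: The directory created for the intermediate CA is `mode: "0755"` although it holds the CA private key written by `openssl_privatekey` a few lines below; unless the key file's own mode is tightened by the module default, a world-traversable directory leaves the key readable to every local user, so prefer `mode: "0700"` here (the root directory in generate_root.yml has the same issue). `basic_constraints_critical: true` and `key_usage_critical: true` are hard-coded while defaults/main.yml defines `hashistack_ca_intermediate_basic_constraints_critical` and `hashistack_ca_intermediate_key_usage_critical`, so those two variables are dead; wire them in as `basic_constraints_critical: "{{ hashistack_ca_intermediate_basic_constraints_critical }}"`. The `omit if … is not defined else …` guards never omit because defaults/main.yml declares every one of those keys (state and email with empty values); `"{{ hashistack_ca_intermediate_email | default(omit, true) }}"` covers both the undefined and the empty case, and whether the module tolerates a null `email_address` otherwise should be verified. Unlike the root block, this block carries no `run_once: true`, so with several hosts in play the CSR/certificate steps are re-evaluated on localhost once per host.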
@@ -0,0 +1,56 @@
+---
+# task/generate_root for hashistack_ca
+- name: "Root CA | Create temporary cert directory in {{ hashistack_ca_directory }}" # noqa: run-once[task]
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_root_dir }}"
+ state: directory
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: "0755"
+ delegate_to: localhost
+
+- name: "Root CA | Generate root Authority"
+ delegate_to: localhost
+ run_once: true
+ block:
+ - name: "Root CA | Create CA private key"
+ community.crypto.openssl_privatekey:
+ path: "{{ hashistack_ca_root_key_path }}"
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+
+ - name: "Root CA | Create CA signing request"
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "{{ hashistack_ca_root_key_path }}"
+ common_name: "{{ omit if hashistack_ca_root_common_name is not defined else hashistack_ca_root_common_name }}"
+ organization_name: "{{ omit if hashistack_ca_root_org_name is not defined else hashistack_ca_root_org_name }}"
+ country_name: "{{ omit if hashistack_ca_root_country is not defined else hashistack_ca_root_country }}"
+ locality_name: "{{ omit if hashistack_ca_root_locality is not defined else hashistack_ca_root_locality }}"
+ state_or_province_name: "{{ omit if hashistack_ca_root_state is not defined else hashistack_ca_root_state }}"
+ email_address: "{{ omit if hashistack_ca_root_email is not defined else hashistack_ca_root_email }}"
+ basic_constraints: "{{ hashistack_ca_root_basic_constraints }}"
+ basic_constraints_critical: true
+ key_usage: "{{ hashistack_ca_root_key_usage }}"
+ key_usage_critical: true
+ use_common_name_for_san: false
+ select_crypto_backend: "{{ 'cryptography' if hashistack_ca_use_cryptography else 'auto' }}"
+ register: _hashistack_root_ca_csr
+
+ - name: "Root CA | Create self-signed CA certificate from CSR"
+ community.crypto.x509_certificate:
+ path: "{{ hashistack_ca_root_cert_path }}"
+ csr_content: "{{ _hashistack_root_ca_csr.csr }}"
+ privatekey_path: "{{ hashistack_ca_root_key_path }}"
+ provider: selfsigned
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+
+ - name: "Root CA | Create self-signed CA certificate from CSR"
+ community.crypto.x509_certificate:
+ path: "{{ hashistack_ca_root_cert_path }}"
+ csr_content: "{{ _hashistack_root_ca_csr.csr }}"
+ privatekey_path: "{{ hashistack_ca_root_key_path }}"
+ selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}"
+ provider: selfsigned
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
diff --git a/roles/hashistack_ca/tasks/generate/generate_vault.yml b/roles/hashistack_ca/tasks/generate/generate_vault.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/hashistack_ca/tasks/main.yml b/roles/hashistack_ca/tasks/main.yml
new file mode 100644
index 0000000..4cdd3db
--- /dev/null
+++ b/roles/hashistack_ca/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+# task/main file for hashistack_ca
+- name: "CA | Import generate_root.yml"
+ ansible.builtin.include_tasks: generate/generate_root.yml
+ when: hashistack_ca_generate_root
+
+- name: "CA | Import generate_intermediate.yml"
+ ansible.builtin.include_tasks: generate/generate_intermediate.yml
+ when: hashistack_ca_generate_intermediate
+
+- name: "CA | Import renew_root.yml"
+ ansible.builtin.include_tasks: renew/renew_root.yml
+ when: hashistack_ca_renew_root
+
+- name: "CA | Import renew_intermediate.yml"
+ ansible.builtin.include_tasks: renew/renew_intermediate.yml
+ when: hashistack_ca_renew_intermediate
+
+- name: "CA | Import prepare_ca_to_copy.yml"
+ ansible.builtin.include_tasks: prepare_ca_to_copy.yml
+
+- name: "CA | Import cleanup_backups.yml"
+ ansible.builtin.include_tasks: cleanup_backups.yml
diff --git a/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml b/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml
new file mode 100644
index 0000000..f85c1a6
--- /dev/null
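Review bot: The block ends with two `x509_certificate` tasks both named "Create self-signed CA certificate from CSR" writing the same `hashistack_ca_root_cert_path`; the first has no `selfsigned_not_after`, so it issues the root with the module's default validity, and whether the second re-issues it with `+{{ hashistack_ca_root_valid_for }}` depends on the module's idempotency checks (recent community.crypto releases ignore validity timestamps by default, as far as I recall), so the configured lifetime may silently never apply — delete the first task. `state_or_province_name` reads `hashistack_ca_root_state`, but the variable declared in defaults/main.yml is `hashistack_ca_root_state_or_province_name` (the name the intermediate CSR uses), so the default is never consulted; align on `hashistack_ca_root_state_or_province_name`. The `# noqa: run-once[task]` marker sits on the directory task, yet it is the following block that carries `run_once: true`, so that first task still runs once per host. The directory holding the root key is created `mode: "0755"`; `mode: "0700"` would be the expected permission for a directory containing CA private key material.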
+++ b/roles/hashistack_ca/tasks/prepare_ca_to_copy.yml
@@ -0,0 +1,35 @@
+---
+# task/prepare_ca_to_copy file for hashistack_ca
+- name: "CA | Check if CA directory exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_root_dir }}"
+ register: _hashistack_ca_root_dir
+ delegate_to: localhost
+
+- name: "CA | Find custom CA certificates to copy"
+ ansible.builtin.find:
+ paths: "{{ hashistack_ca_root_dir }}"
+ patterns: "*.crt"
+ register: hashistack_ca_root_dir_files
+ delegate_to: localhost
+ when: _hashistack_ca_root_dir.stat.exists and _hashistack_ca_root_dir.stat.isdir
+
+- name: "CA | Ensure public CA directory exists"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_public_dir }}"
+ state: directory
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: 0755
+ delegate_to: localhost
+
+- name: "CA | Copy root CA certificates"
+ ansible.builtin.copy:
+ src: "{{ item.path }}"
+ dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}"
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: 0644
+ loop: "{{ hashistack_ca_root_dir_files.files }}"
+ delegate_to: localhost
+ when: not hashistack_ca_root_dir_files.skipped | default(False)
diff --git a/roles/hashistack_ca/tasks/renew/renew_intermediate.yml b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
new file mode 100644
index 0000000..6eb616c
--- /dev/null
+++ b/roles/hashistack_ca/tasks/renew/renew_intermediate.yml
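Review bot: In "Copy root CA certificates" the `loop` expression is evaluated before the `when`, so when the find task was skipped (root directory absent) `hashistack_ca_root_dir_files.files` is undefined and the task errors instead of skipping; write `loop: "{{ hashistack_ca_root_dir_files.files | default([]) }}"`, which also makes the `skipped` check redundant. `mode: 0755` and `mode: 0644` are unquoted here while every other task file in the role quotes its modes; the leading-zero form happens to yield the right value under a YAML 1.1 parser, but quote them (`mode: "0755"`, `mode: "0644"`) for consistency and to survive YAML 1.2 loaders. The registered variable `hashistack_ca_root_dir_files` lacks the `_` prefix the role uses for every other internal fact.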
@@ -0,0 +1,71 @@
+---
+# tasks/renew/renew_intermediate.yml file for hashistack_ca
+- name: "Intermediate CA | Check if intermediate CA certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ register: _hashistack_ca_intermediate_cert_stat
+ delegate_to: localhost
+
+- name: "Intermediate CA | Check if root CA certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_root_cert_path }}"
+ register: _hashistack_ca_root_cert_stat
+ delegate_to: localhost
+
+- name: "Intermediate CA | Check CA for renewal"
+ when:
+ - _hashistack_ca_intermediate_cert_stat.stat.exists
+ - _hashistack_ca_intermediate_cert_stat.stat.isreg
+ - _hashistack_ca_root_cert_stat.stat.exists
+ - _hashistack_ca_root_cert_stat.stat.isreg
+ delegate_to: localhost
+ block:
+ - name: "Intermediate CA | Get intermediate CA certificate expiration date"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_intermediate_cert_path }}"
+ valid_at:
+ renew_threshold: "+{{ hashistack_ca_intermediate_renew_threshold }}"
+ register: _hashistack_ca_intermediate_cert_info
+
+ - name: "Root CA | Get root CA certificate info"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_root_cert_path }}"
+ register: _hashistack_ca_root_cert_info
+
+ - name: "Intermediate CA | Check if intermediate CA certificate is expiring within the threshold"
+ ansible.builtin.set_fact:
+ _hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_intermediate_cert_info.valid_at.renew_threshold }}"
+
+ - name: "Intermediate CA | Check if root CA has been renewed"
+ ansible.builtin.set_fact:
+ _hashistack_ca_root_renewed: "{{ _hashistack_ca_root_cert_info.not_before > _hashistack_ca_intermediate_cert_info.not_before }}"
+
+- name: "Intermediate CA | Renew CA if expiring soon or root CA has been renewed"
+ when:
+ - _hashistack_ca_is_expiring_soon or _hashistack_ca_root_renewed
+ delegate_to: localhost
+ block:
+ - name: "Intermediate CA | Create backup directory for intermediate CA"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_intermediate_backup_dir }}"
+ state: directory
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: "0755"
+
+ - name: "Intermediate CA | Format expiration date for backup"
+ ansible.builtin.set_fact:
+ _hashistack_ca_intermediate_expiration_date: "{{ _hashistack_ca_intermediate_cert_info.not_after[:8] | regex_replace('^([0-9]{4})([0-9]{2})([0-9]{2})$', '\\1_\\2_\\3') }}"
+
+ - name: "Intermediate CA | Backup existing intermediate CA certificate"
+ ansible.builtin.command:
+ cmd: mv {{ hashistack_ca_intermediate_cert_path }} {{ hashistack_ca_intermediate_backup_dir }}/intermediate_ca_expire_{{ _hashistack_ca_intermediate_expiration_date }}.crt
+ changed_when: false
+
+ - name: "Intermediate CA | Backup existing intermediate CA key"
+ ansible.builtin.command:
+ cmd: mv {{ hashistack_ca_intermediate_key_path }} {{ hashistack_ca_intermediate_backup_dir }}/intermediate_ca_expire_{{ _hashistack_ca_intermediate_expiration_date }}.key
+ changed_when: false
+
+ - name: "Intermediate CA | Generate new intermediate CA if backups were successful"
+ ansible.builtin.include_tasks: ../generate/generate_intermediate.yml
diff --git a/roles/hashistack_ca/tasks/renew/renew_root.yml b/roles/hashistack_ca/tasks/renew/renew_root.yml
new file mode 100644
index 0000000..d4b345d
--- /dev/null
+++ b/roles/hashistack_ca/tasks/renew/renew_root.yml
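Review bot: `_hashistack_ca_is_expiring_soon` and `_hashistack_ca_root_renewed` are only set inside the "Check CA for renewal" block, so when either certificate is missing the following block's `when` references undefined variables and the play fails rather than skipping; use `when: _hashistack_ca_is_expiring_soon | default(false) or _hashistack_ca_root_renewed | default(false)`. Worse, `_hashistack_ca_is_expiring_soon` is the same fact name renew_root.yml sets, and tasks/main.yml includes renew_root.yml first, so a root CA that is due for renewal would trigger this backup-and-regenerate block even when the intermediate check above was skipped; give the two facts distinct names (e.g. `_hashistack_ca_intermediate_is_expiring_soon`). The backup steps shell out to `mv` with unquoted, variable-built paths and mark themselves `changed_when: false` although they do change state; `ansible.builtin.copy` with `remote_src: true` followed by `ansible.builtin.file` with `state: absent` keeps this in modules, or at minimum quote the arguments and drop the `changed_when`. The moved `.key` file ends up under a `mode: "0755"` backup directory; the old CA private key deserves `mode: "0700"` there as much as in the live directory.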
@@ -0,0 +1,62 @@
+---
+# tasks/renew/renew_root.yml
+- name: "Root CA | Check if root CA certificate exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_ca_root_cert_path }}"
+ register: _hashistack_ca_root_cert_stat
+ delegate_to: localhost
+
+- name: "Root CA | Check CA for renewal"
+ when:
+ - _hashistack_ca_root_cert_stat.stat.exists
+ - _hashistack_ca_root_cert_stat.stat.isreg
+ delegate_to: localhost
+ block:
+ - name: "Root CA | Get root CA certificate expiration date"
+ community.crypto.x509_certificate_info:
+ path: "{{ hashistack_ca_root_cert_path }}"
+ valid_at:
+ renew_threshold: "+{{ hashistack_ca_root_renew_threshold }}"
+ register: _hashistack_ca_root_cert_info
+
+ - name: "Root CA | Check if root CA certificate is expiring within the threshold"
+ ansible.builtin.set_fact:
+ _hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}"
+
+ - name: "Root CA | Debug certificate expiration status"
+ ansible.builtin.debug:
+ msg: "Is root CA certificate expiring soon? {{ _hashistack_ca_is_expiring_soon }}"
+
+- name: "Root CA | Renew CA if expiring soon"
+ when:
+ - _hashistack_ca_is_expiring_soon
+ delegate_to: localhost
+ block:
+ - name: "Root CA | Create backup directory for root CA"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_root_backup_dir }}"
+ state: directory
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: "0755"
+
+ - name: "Root CA | Format expiration date for backup"
+ ansible.builtin.set_fact:
+ _hashistack_ca_root_expiration_date: "{{ _hashistack_ca_root_cert_info.not_after[:8] | regex_replace('^([0-9]{4})([0-9]{2})([0-9]{2})$', '\\1_\\2_\\3') }}"
+
+ - name: "Root CA | Rename existing root CA certificate"
+ ansible.builtin.command:
+ cmd: mv {{ hashistack_ca_root_cert_path }} {{ hashistack_ca_root_backup_dir }}/ca_expire_{{ _hashistack_ca_root_expiration_date }}.crt
+ changed_when: false
+
+ - name: "Root CA | Remove existing root CA key"
+ ansible.builtin.file:
+ path: "{{ hashistack_ca_root_key_path }}"
+ state: absent
+ changed_when: false
+
+ - name: "Root CA | Generate new root CA if renaming was successful"
+ ansible.builtin.include_tasks: ../generate/generate_root.yml
+
+ - name: "Root CA | Generate new intermediate CA"
+ ansible.builtin.include_tasks: ../generate/generate_intermediate.yml
diff --git a/roles/hashistack_ca/vars/main.yml b/roles/hashistack_ca/vars/main.yml
new file mode 100644
index 0000000..a5e766a
--- /dev/null
+++ b/roles/hashistack_ca/vars/main.yml
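Review bot: `_hashistack_ca_is_expiring_soon` is set only inside the conditional block above, so when no root certificate exists yet the "Renew CA if expiring soon" `when` hits an undefined variable and fails instead of skipping; `when: _hashistack_ca_is_expiring_soon | default(false)` fixes that, and since renew_intermediate.yml reuses the same fact name, a distinct `_hashistack_ca_root_is_expiring_soon` would avoid the value leaking across the two files. The last task includes generate_intermediate.yml directly, which neither backs up the current intermediate certificate and key nor forces re-issuance; whether `x509_certificate` with `provider: ownca` re-signs an existing certificate once the issuer key has changed depends on its regeneration checks, so either include ../renew/renew_intermediate.yml (its `not_before` comparison exists for exactly this case) or set a variable that makes generate_intermediate.yml pass `force: true`. `changed_when: false` on the `mv` and on `file: state: absent` hides real state changes from the play recap; drop both. Deleting the old root key while keeping the old certificate is the right split for a root, but a one-line comment above "Remove existing root CA key" saying so would stop a later maintainer from "fixing" it into a backup.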
@@ -0,0 +1,22 @@
+---
+# vars file for hashistack_ca
+hashistack_ca_action_list: "{{ hashistack_ca_action.split(',') }}"
+
+# possible actions
+hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}"
+hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}"
+hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}"
+hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}"
+
+hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca"
+
+hashistack_ca_root_dir: "{{ hashistack_ca_directory }}/root"
+hashistack_ca_root_backup_dir: "{{ hashistack_ca_root_dir }}/backup"
+hashistack_ca_root_key_path: "{{ hashistack_ca_root_dir }}/ca.key"
+hashistack_ca_root_cert_path: "{{ hashistack_ca_root_dir }}/ca.crt"
+
+hashistack_ca_intermediate_dir: "{{ hashistack_ca_directory }}/intermediate"
+hashistack_ca_intermediate_backup_dir: "{{ hashistack_ca_intermediate_dir }}/backup"
+hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key"
+hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr"
+hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt"
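Review bot: `hashistack_ca_action.split(',')` keeps surrounding whitespace, so `hashistack_ca_action: "root_ca, int_ca"` yields `' int_ca'` and the `'int_ca' in …` membership test silently fails; use `hashistack_ca_action_list: "{{ hashistack_ca_action.split(',') | map('trim') | list }}"`. `hashistack_ca_intermediate_csr_path` is defined but no task in this commit reads it (the CSR is passed through `openssl_csr_pipe` as content); remove it or use it. A short comment under `# possible actions` listing the recognised tokens (`root_ca`, `int_ca`, `renew_int`, `renew_root`) would document the contract of `hashistack_ca_action` at the one place it is parsed.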