ansible-collections/hcp-ansible
ansible-collections/hcp-ansible
4
0
Fork 0
Code Issues 3 Pull Requests 1 Actions Packages Projects 1 Releases Wiki Activity

feat(certs): generate_certs playbook now generate internal CA for vault

Browse Source
This commit is contained in:
Bertrand Lanson 2024-04-03 23:55:01 +02:00
parent c465b5339b
commit 812a2bb04a
8 changed files with 189 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/tls/cert.pem
View File

0
molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/tls/key.pem
View File

3
molecule/no_tls_multi_node/prepare.yml
View File

@ -1,4 +1,7 @@
--- ---
- name: Include certificate generation playbook
ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_certs.yml
- name: Include bootstrap playbook - name: Include bootstrap playbook
ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml

190
playbooks/generate_certs.yml
View File

@ -6,11 +6,21 @@
gather_facts: true gather_facts: true
become: true become: true
tasks: tasks:
- name: "Generate self-signed certificates" # noqa: run-once[task] - name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/external"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
delegate_to: localhost
run_once: true
- name: "Generate external certificates" # noqa: run-once[task]
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
block: block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" - name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file: ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/external" path: "{{ sub_configuration_directories['certificates'] }}/external"
state: directory state: directory
@ -18,43 +28,161 @@
group: "{{ lookup('env', 'USER') }}" group: "{{ lookup('env', 'USER') }}"
mode: "0755" mode: "0755"
- name: "Generate self-signed certificate" - name: "Create private keys"
community.crypto.openssl_privatekey:
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
loop:
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create certificate signing request"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
common_name: "{{ item.fqdn }}"
organization_name: EDNZ Cloud
register: csr
loop:
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create self-signed certificate from CSR"
community.crypto.x509_certificate:
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
csr_content: "{{ item.csr }}"
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
provider: selfsigned
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
loop: "{{ csr.results }}"
- name: "Generate internal certificates"
tags:
- never
- internal
delegate_to: localhost
vars:
hashistack_ca_key_path: "{{ sub_configuration_directories['certificates'] }}/internal/ca.key"
hashistack_ca_cert_path: "{{ sub_configuration_directories['certificates'] }}/internal/ca.pem"
block:
- name: "Create internal CA" # noqa: run-once[task]
run_once: true
block: block:
- name: "Create private keys" - name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
community.crypto.openssl_privatekey: ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key" path: "{{ sub_configuration_directories['certificates'] }}/internal"
state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ lookup('env', 'USER') }}"
loop: mode: "0755"
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create certificate signing request" - name: "Create CA private key"
community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CA signing request"
community.crypto.openssl_csr_pipe: community.crypto.openssl_csr_pipe:
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key" privatekey_path: "{{ hashistack_ca_key_path }}"
common_name: "{{ item.fqdn }}" common_name: "CA"
organization_name: Ansible, Inc. organization_name: EDNZ Cloud
register: csr use_common_name_for_san: false
loop: basic_constraints:
- name: nomad - CA:TRUE
fqdn: "{{ nomad_fqdn }}" basic_constraints_critical: true
- name: vault key_usage:
fqdn: "{{ vault_fqdn }}" - keyCertSign
- name: consul key_usage_critical: true
fqdn: "{{ consul_fqdn }}" register: ca_csr
- name: "Create self-signed certificate from CSR" - name: "Create self-signed CA certificate from CSR"
community.crypto.x509_certificate: community.crypto.x509_certificate:
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem" path: "{{ hashistack_ca_cert_path }}"
csr_content: "{{ item.csr }}" csr_content: "{{ ca_csr.csr }}"
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key" privatekey_path: "{{ hashistack_ca_key_path }}"
provider: selfsigned provider: selfsigned
owner: "{{ lookup('env', 'USER') }}" owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ lookup('env', 'USER') }}"
loop: "{{ csr.results }}"
- fail: - name: "Create Vault certificates"
when:
- "'vault_servers' in group_names"
vars:
vault_private_key_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
vault_certificate_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Vault certificate keys"
community.crypto.openssl_privatekey:
path: "{{ vault_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Vault servers"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ vault_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name:
- "DNS:{{ inventory_hostname }}"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:vault.service.consul"
- "DNS:localhost"
- "IP:{{ api_interface_address }}"
- "IP:127.0.0.1"
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: vault_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ vault_certificate_path }}"
csr_content: "{{ vault_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.pem"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_pem_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ vault_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_pem_content['content'] | b64decode }}
dest: "{{ vault_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
- fail:

2
playbooks/group_vars/all/globals.yml
View File

@ -165,7 +165,6 @@ vault_service_registration_configuration:
################# #################
vault_enable_plugins: true vault_enable_plugins: true
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
########### ###########
# logging # # logging #
@ -189,3 +188,4 @@ extra_vault_container_volumes: []
##################### #####################
vault_extra_configuration: {} vault_extra_configuration: {}
vault_extra_files_list: []

24
playbooks/group_vars/all/vault.yml
View File

@ -31,6 +31,24 @@ vault_external_backend_servers: |
{% endfor %} {% endfor %}
] ]
######################
# vault internal tls #
######################
vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
vault_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
dest: "{{ hashi_vault_config_dir }}/tls/cert"
#################
# vault plugins #
#################
vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
vault_plugin_extra_files_dir:
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
dest: "{{ hashi_vault_config_dir }}/plugin"
######################## ########################
# vault role variables # # vault role variables #
######################## ########################
@ -42,6 +60,12 @@ hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d" hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault" hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true hashi_vault_extra_files: true
hashi_vault_extra_files_list: "{{ ([] +
(vault_certificates_extra_files_dir if vault_enable_tls else []) +
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
vault_extra_files_list)
| unique
}}"
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config" hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config" hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}" hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"

2
roles/hashicorp_consul

@ -1 +1 @@
Subproject commit a322d3c144806ea2524651996e19ff9885b90e16 Subproject commit 59868f06aa64f72e1f8547bcd78c48f26ce58b9c

2
roles/hashicorp_vault

@ -1 +1 @@
Subproject commit db96aa6bf3af97c282407a559a199b34da34c15e Subproject commit 36b74e452acb204bf7d76e8037ffa8449e5508f5