mirror of
https://gitea.0xace.cc/ansible-galaxy/cacert.git
synced 2024-11-25 07:16:40 +00:00
rewrite role with group cert support
This commit is contained in:
parent
01ec4a120f
commit
6b643863fd
64
README.md
64
README.md
@ -1,36 +1,38 @@
|
|||||||
Inventory example:
|
Inventory example:
|
||||||
|
|
||||||
cacert_ca_name: "kojiCA"
|
cacert_ca_name: "myCA"
|
||||||
cacert_ca_copy_to:
|
|
||||||
- { host: "dev-1", path: "/opt/koji/certs" }
|
|
||||||
cacert_ca_trust_anchors_update: True
|
cacert_ca_trust_anchors_update: True
|
||||||
|
|
||||||
cacert_certs:
|
cacert_ca_copy_to:
|
||||||
- name: kojiadmin
|
hosts:
|
||||||
dest:
|
- { host: "server-1", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/opt/koji/certs" }
|
- { host: "server-2", path: "/opt/certs" }
|
||||||
- { host: "dev-1", name: "client", path: "/opt/koji/certs", concat: "crt" }
|
groups:
|
||||||
- name: koji.lan
|
- { group: "cacert_clients", path: "/opt/certs" }
|
||||||
dest:
|
- { group: "mygroupname", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/opt/koji/certs" }
|
|
||||||
- { host: "dev-1", path: "/etc/haproxy/ssl", concat: "pem" }
|
cacert_cn_certs:
|
||||||
- name: koji-hub.lan
|
- name: mycertname.example.com
|
||||||
subject_alt_names:
|
hosts:
|
||||||
- koji-files.lan
|
- { host: "server-1", path: "/opt/certs" }
|
||||||
dest:
|
- { host: "server-2", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/opt/koji/certs" }
|
- { host: "server-1", path: "/opt/certs", concat: "pem" }
|
||||||
- { host: "dev-1", path: "/etc/haproxy/ssl", concat: "pem" }
|
- { host: "server-2", path: "/opt/certs", concat: "pem" }
|
||||||
- name: koji-web.lan
|
groups:
|
||||||
dest:
|
- { group: "cacert_clients", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/opt/koji/certs" }
|
- { group: "mygroupname", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/etc/haproxy/ssl", concat: "pem" }
|
|
||||||
- { host: "dev-1", path: "/opt/koji/certs", concat: "pem" }
|
cacert_group_certs:
|
||||||
- name: kojibuilder1.lan
|
- name: mygroupcert
|
||||||
dest:
|
host_groups:
|
||||||
- { host: "kojibuilder1.lan", path: "/opt/koji/certs" }
|
- consul
|
||||||
- { host: "kojibuilder1.lan", path: "/opt/koji/certs", concat: "pem" }
|
- patroni
|
||||||
- name: kojira.lan
|
hosts:
|
||||||
dest:
|
- { host: "server-1", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/opt/koji/certs" }
|
- { host: "server-2", path: "/opt/certs" }
|
||||||
- { host: "dev-1", path: "/opt/koji/certs", concat: "pem" }
|
- { host: "server-1", path: "/opt/certs", concat: "pem" }
|
||||||
|
- { host: "server-2", path: "/opt/certs", concat: "pem" }
|
||||||
|
groups:
|
||||||
|
- { group: "cacert_clients", path: "/opt/certs" }
|
||||||
|
- { group: "mygroupname", path: "/opt/certs" }
|
||||||
|
|
||||||
|
@ -1,16 +1,39 @@
|
|||||||
|
cacert_ca_group: cacert_ca
|
||||||
|
cacert_clients_group: cacert_clients
|
||||||
cacert_ssl_gen_path: "/tmp/cacert"
|
cacert_ssl_gen_path: "/tmp/cacert"
|
||||||
cacert_ca_name: "myCA"
|
cacert_ca_name: "myCA"
|
||||||
cacert_ca_trust_anchors_update: False
|
cacert_ca_trust_anchors_update: False
|
||||||
|
|
||||||
#cacert_ca_copy_to:
|
#cacert_ca_copy_to:
|
||||||
# - { host: "host-1", path: "/tmp" }
|
# hosts:
|
||||||
|
# - { host: "server-1", path: "/opt/certs" }
|
||||||
|
# - { host: "server-2", path: "/opt/certs" }
|
||||||
|
# groups:
|
||||||
|
# - { group: "cacert_clients", path: "/opt/certs" }
|
||||||
|
# - { group: "mygroupname", path: "/opt/certs" }
|
||||||
#
|
#
|
||||||
#cacert_certs:
|
#cacert_cn_certs:
|
||||||
# - name: example1.com
|
# - name: mycertname.example.com
|
||||||
# dest:
|
# hosts:
|
||||||
# - { host: "host-1", path: "/tmp" }
|
# - { host: "server-1", path: "/opt/certs" }
|
||||||
# - { host: "host-1", name: "newname", path: "/tmp", concat: "pem" }
|
# - { host: "server-2", path: "/opt/certs" }
|
||||||
# - name: example2.com
|
# - { host: "server-1", path: "/opt/certs", concat: "pem" }
|
||||||
# dest:
|
# - { host: "server-2", path: "/opt/certs", concat: "pem" }
|
||||||
# - { host: "host-1", path: "/tmp" }
|
# groups:
|
||||||
|
# - { group: "cacert_clients", path: "/opt/certs" }
|
||||||
|
# - { group: "mygroupname", path: "/opt/certs" }
|
||||||
|
#
|
||||||
|
#cacert_group_certs:
|
||||||
|
# - name: mygroupcert
|
||||||
|
# host_groups:
|
||||||
|
# - consul
|
||||||
|
# - patroni
|
||||||
|
# hosts:
|
||||||
|
# - { host: "server-1", path: "/opt/certs" }
|
||||||
|
# - { host: "server-2", path: "/opt/certs" }
|
||||||
|
# - { host: "server-1", path: "/opt/certs", concat: "pem" }
|
||||||
|
# - { host: "server-2", path: "/opt/certs", concat: "pem" }
|
||||||
|
# groups:
|
||||||
|
# - { group: "cacert_clients", path: "/opt/certs" }
|
||||||
|
# - { group: "mygroupname", path: "/opt/certs" }
|
||||||
|
|
||||||
|
123
tasks/ca.yaml
123
tasks/ca.yaml
@ -1,4 +1,5 @@
|
|||||||
- name: Create CA {{ cacert_ca_name }}
|
- name: Create CA {{ cacert_ca_name }}
|
||||||
|
when: inventory_hostname in groups[cacert_ca_group]
|
||||||
block:
|
block:
|
||||||
- name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
|
- name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
|
||||||
community.crypto.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
@ -27,41 +28,113 @@
|
|||||||
provider: selfsigned
|
provider: selfsigned
|
||||||
register: cacert_ca_cert_gen
|
register: cacert_ca_cert_gen
|
||||||
|
|
||||||
- name: Distribute CA
|
- name: Get CA cert content
|
||||||
become: true
|
slurp:
|
||||||
block:
|
|
||||||
- name: CA and cert | Check if dest dir exist on remote hosts
|
|
||||||
file:
|
|
||||||
name: "{{ item.path }}"
|
|
||||||
state: directory
|
|
||||||
delegate_to: "{{ item.host }}"
|
|
||||||
loop: "{{ cacert_ca_copy_to }}"
|
|
||||||
when:
|
|
||||||
- cacert_ca_copy_to is defined
|
|
||||||
|
|
||||||
- name: Put CA OpenSSL cert
|
|
||||||
copy:
|
|
||||||
src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
||||||
dest: "{{ item.path }}/{{ cacert_ca_name }}.crt"
|
register: cacert_ca_cert_b64
|
||||||
delegate_to: "{{ item.host }}"
|
|
||||||
loop: "{{ cacert_ca_copy_to }}"
|
- name: Get CA key content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
|
||||||
|
register: cacert_ca_key_b64
|
||||||
|
|
||||||
|
- name: Set facts about key and cert
|
||||||
|
set_fact:
|
||||||
|
cacert_ca_key: "{{ cacert_ca_key_b64.content | b64decode }}"
|
||||||
|
cacert_ca_cert: "{{ cacert_ca_cert_b64.content | b64decode }}"
|
||||||
|
delegate_to: "{{ item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
run_once: true
|
||||||
|
with_items:
|
||||||
|
- "{{ groups[cacert_ca_group] | default([]) }}"
|
||||||
|
- "{{ groups[cacert_clients_group] | default([]) }}"
|
||||||
|
|
||||||
|
- name: Distribute CA certificate to hosts
|
||||||
|
become: true
|
||||||
|
when: inventory_hostname in groups.cacert_clients
|
||||||
|
block:
|
||||||
|
- name: CA and cert | Check if dest dir exist on remote host
|
||||||
|
file:
|
||||||
|
name: "{{ host_item.path }}"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ cacert_ca_copy_to.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
when:
|
when:
|
||||||
- cacert_ca_copy_to is defined
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put CA cert for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_ca_cert }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ cacert_ca_name }}.crt"
|
||||||
|
loop: "{{ cacert_ca_copy_to.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
- name: Put CA OpenSSL cert to PKI
|
- name: Put CA OpenSSL cert to PKI
|
||||||
copy:
|
copy:
|
||||||
src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
content: "{{ cacert_ca_cert }}"
|
||||||
dest: "/etc/pki/ca-trust/source/anchors/{{ cacert_ca_name }}.crt"
|
dest: "/etc/pki/ca-trust/source/anchors/{{ cacert_ca_name }}.crt"
|
||||||
when:
|
loop: "{{ cacert_ca_copy_to.hosts }}"
|
||||||
- cacert_ca_trust_anchors_update
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
register: ca_trust_anchors
|
register: ca_trust_anchors
|
||||||
delegate_to: "{{ item.host }}"
|
when:
|
||||||
loop: "{{ cacert_ca_copy_to }}"
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
- name: Update CA trust
|
- name: Update CA trust
|
||||||
shell: update-ca-trust extract
|
shell: update-ca-trust extract
|
||||||
|
loop: "{{ cacert_ca_copy_to.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
when:
|
when:
|
||||||
- ca_trust_anchors.changed
|
- ca_trust_anchors.changed
|
||||||
- cacert_ca_trust_anchors_update
|
- cacert_ca_trust_anchors_update
|
||||||
delegate_to: "{{ item.host }}"
|
- inventory_hostname == host_item.host
|
||||||
loop: "{{ cacert_ca_copy_to }}"
|
|
||||||
|
- name: Distribute CA certificate to groups
|
||||||
|
become: true
|
||||||
|
when: inventory_hostname in groups[cacert_clients_group]
|
||||||
|
block:
|
||||||
|
- name: CA and cert | Check if dest dir exist on remote host in group
|
||||||
|
file:
|
||||||
|
name: "{{ group_item.path }}"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ cacert_ca_copy_to.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put CA cert for host in group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_ca_cert }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ cacert_ca_name }}.crt"
|
||||||
|
loop: "{{ cacert_ca_copy_to.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put CA OpenSSL cert to PKI
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_ca_cert }}"
|
||||||
|
dest: "/etc/pki/ca-trust/source/anchors/{{ cacert_ca_name }}.crt"
|
||||||
|
loop: "{{ cacert_ca_copy_to.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
register: ca_trust_anchors
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Update CA trust
|
||||||
|
shell: update-ca-trust extract
|
||||||
|
loop: "{{ cacert_ca_copy_to.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- ca_trust_anchors.changed
|
||||||
|
- cacert_ca_trust_anchors_update
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
108
tasks/certs.yaml
108
tasks/certs.yaml
@ -1,108 +0,0 @@
|
|||||||
- name: CA and cert | Check if dest dir exist on remote hosts
|
|
||||||
become: true
|
|
||||||
file:
|
|
||||||
name: "{{ dest.path }}"
|
|
||||||
state: directory
|
|
||||||
delegate_to: "{{ dest.host }}"
|
|
||||||
loop: "{{ item.dest }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: dest
|
|
||||||
|
|
||||||
- name: CA and certs | Generate clients certs and keys
|
|
||||||
block:
|
|
||||||
- name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
|
|
||||||
community.crypto.openssl_privatekey:
|
|
||||||
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
||||||
when: cacert_cert is not defined
|
|
||||||
register: cacert_client_key_gen
|
|
||||||
|
|
||||||
- name: Generate subject_alt_ips
|
|
||||||
set_fact:
|
|
||||||
client_subject_alt_ips: "{{ item.subject_alt_ips | map('regex_replace', '^', 'IP:') | list }}"
|
|
||||||
when: item.subject_alt_ips is defined
|
|
||||||
|
|
||||||
- name: Generate subject_alt_names
|
|
||||||
set_fact:
|
|
||||||
client_subject_alt_names: "{{ item.subject_alt_names | map('regex_replace', '^', 'DNS:') | list }}"
|
|
||||||
when: item.subject_alt_names is defined
|
|
||||||
|
|
||||||
- name: Generate an OpenSSL Certificate Signing Request for client
|
|
||||||
community.crypto.openssl_csr:
|
|
||||||
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
|
||||||
privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
||||||
common_name: "{{ item.name }}"
|
|
||||||
register: cacert_client_csr
|
|
||||||
when:
|
|
||||||
- item.subject_alt_names is not defined
|
|
||||||
- item.subject_alt_ips is not defined
|
|
||||||
|
|
||||||
- name: Generate an OpenSSL Certificate Signing Request for client with subject_alt_name
|
|
||||||
community.crypto.openssl_csr:
|
|
||||||
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
|
||||||
privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
||||||
common_name: "{{ item.name }}"
|
|
||||||
subject_alt_name: "{{ ((client_subject_alt_ips | default([])) + (client_subject_alt_names | default([]) + (['DNS:' ~ item.name]))) }}"
|
|
||||||
register: cacert_client_csr
|
|
||||||
when: item.subject_alt_names is defined or item.subject_alt_ips is defined
|
|
||||||
|
|
||||||
- name: Generate an OpenSSL certificate for client signed with your own CA certificate
|
|
||||||
community.crypto.x509_certificate:
|
|
||||||
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
|
||||||
csr_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
|
||||||
ownca_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
|
||||||
ownca_privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
|
|
||||||
provider: ownca
|
|
||||||
register: cacert_client_cert
|
|
||||||
|
|
||||||
- name: Get {{ item.name }} OpenSSL crt and key content
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
cat {{ cacert_ssl_gen_path }}/{{ item.name }}.{crt,key}
|
|
||||||
register: concated_crt_key
|
|
||||||
changed_when: false
|
|
||||||
|
|
||||||
- name: Concatenate and save {{ item.name }} OpenSSL crt and key to single file
|
|
||||||
copy:
|
|
||||||
content: "{{ concated_crt_key.stdout }}"
|
|
||||||
dest: "{{ cacert_ssl_gen_path }}/{{ dest.name | default(item.name) }}.{{ dest.concat }}"
|
|
||||||
loop: "{{ item.dest }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: dest
|
|
||||||
when:
|
|
||||||
- dest.concat is defined
|
|
||||||
|
|
||||||
- name: Distribute client certs
|
|
||||||
become: true
|
|
||||||
block:
|
|
||||||
- name: Write {{ item.name }} OpenSSL key
|
|
||||||
copy:
|
|
||||||
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
||||||
dest: "{{ dest.path }}/{{ dest.name | default(item.name) }}.key"
|
|
||||||
mode: 0600
|
|
||||||
delegate_to: "{{ dest.host }}"
|
|
||||||
loop: "{{ item.dest }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: dest
|
|
||||||
when:
|
|
||||||
- dest.concat is not defined
|
|
||||||
|
|
||||||
- name: Write {{ item.name }} OpenSSL crt
|
|
||||||
copy:
|
|
||||||
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
|
||||||
dest: "{{ dest.path }}/{{ dest.name | default(item.name) }}.crt"
|
|
||||||
delegate_to: "{{ dest.host }}"
|
|
||||||
loop: "{{ item.dest }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: dest
|
|
||||||
when:
|
|
||||||
- dest.concat is not defined
|
|
||||||
|
|
||||||
- name: Write concatenated {{ item.name }} OpenSSL crt and key
|
|
||||||
copy:
|
|
||||||
src: "{{ cacert_ssl_gen_path }}/{{ dest.name | default(item.name) }}.{{ dest.concat }}"
|
|
||||||
dest: "{{ dest.path }}/{{ dest.name | default(item.name) }}.{{ dest.concat }}"
|
|
||||||
delegate_to: "{{ dest.host }}"
|
|
||||||
loop: "{{ item.dest }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: dest
|
|
||||||
when:
|
|
||||||
- dest.concat is defined
|
|
170
tasks/cn_certs.yaml
Normal file
170
tasks/cn_certs.yaml
Normal file
@ -0,0 +1,170 @@
|
|||||||
|
- name: CA and certs | Generate CN certs and keys
|
||||||
|
when: inventory_hostname in groups[cacert_ca_group]
|
||||||
|
block:
|
||||||
|
- name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
when: cacert_cert is not defined
|
||||||
|
register: cacert_client_key_gen
|
||||||
|
|
||||||
|
- name: Generate subject_alt_ips
|
||||||
|
set_fact:
|
||||||
|
client_subject_alt_ips: "{{ item.subject_alt_ips | map('regex_replace', '^', 'IP:') | list }}"
|
||||||
|
when: item.subject_alt_ips is defined
|
||||||
|
|
||||||
|
- name: Generate subject_alt_names
|
||||||
|
set_fact:
|
||||||
|
client_subject_alt_names: "{{ item.subject_alt_names | map('regex_replace', '^', 'DNS:') | list }}"
|
||||||
|
when: item.subject_alt_names is defined
|
||||||
|
|
||||||
|
- name: Generate an OpenSSL Certificate Signing Request for client
|
||||||
|
community.crypto.openssl_csr:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
||||||
|
privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
common_name: "{{ item.name }}"
|
||||||
|
register: cacert_client_csr
|
||||||
|
when:
|
||||||
|
- item.subject_alt_names is not defined
|
||||||
|
- item.subject_alt_ips is not defined
|
||||||
|
|
||||||
|
- name: Generate an OpenSSL Certificate Signing Request for client with subject_alt_name
|
||||||
|
community.crypto.openssl_csr:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
||||||
|
privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
common_name: "{{ item.name }}"
|
||||||
|
subject_alt_name: "{{ ((client_subject_alt_ips | default([])) + (client_subject_alt_names | default([]) + (['DNS:' ~ item.name]))) }}"
|
||||||
|
register: cacert_client_csr
|
||||||
|
when: item.subject_alt_names is defined or item.subject_alt_ips is defined
|
||||||
|
|
||||||
|
- name: Generate an OpenSSL certificate for client signed with your own CA certificate
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
||||||
|
csr_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
||||||
|
ownca_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
||||||
|
ownca_privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
|
||||||
|
provider: ownca
|
||||||
|
register: cacert_client_cert
|
||||||
|
|
||||||
|
- name: Get {{ item.name }} OpenSSL crt and key content
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
cat {{ cacert_ssl_gen_path }}/{{ item.name }}.{crt,key}
|
||||||
|
register: concated_crt_key
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Concatenate and save {{ item.name }} OpenSSL crt and key to single file
|
||||||
|
copy:
|
||||||
|
content: "{{ concated_crt_key.stdout }}"
|
||||||
|
dest: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem"
|
||||||
|
|
||||||
|
- name: Get CN key content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
register: cacert_cn_certs_key_b64
|
||||||
|
|
||||||
|
- name: Get CN cert content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
||||||
|
register: cacert_cn_certs_cert_b64
|
||||||
|
|
||||||
|
- name: Get CN cert and key concat content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem"
|
||||||
|
register: cacert_cn_certs_concat_b64
|
||||||
|
|
||||||
|
- name: Set facts about key and cert
|
||||||
|
set_fact:
|
||||||
|
cacert_cn_certs_key: "{{ cacert_cn_certs_key_b64.content | b64decode }}"
|
||||||
|
cacert_cn_certs_cert: "{{ cacert_cn_certs_cert_b64.content | b64decode }}"
|
||||||
|
cacert_cn_certs_concat: "{{ cacert_cn_certs_concat_b64.content | b64decode }}"
|
||||||
|
delegate_to: "{{ fact_item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
run_once: true
|
||||||
|
with_items:
|
||||||
|
- "{{ groups[cacert_ca_group] | default([]) }}"
|
||||||
|
- "{{ groups[cacert_clients_group] | default([]) }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: fact_item
|
||||||
|
|
||||||
|
- name: Distribute CN certificates
|
||||||
|
become: true
|
||||||
|
when: inventory_hostname in groups[cacert_clients_group]
|
||||||
|
block:
|
||||||
|
- name: CA and cert | Check if dest dir exist on remote hosts
|
||||||
|
file:
|
||||||
|
name: "{{ host_item.path }}"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: CA and cert | Check if dest dir exist on remote hosts for groups
|
||||||
|
file:
|
||||||
|
name: "{{ group_item.path }}"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put CN key for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_cn_certs_key }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.key"
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put CN cert for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_cn_certs_cert }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.crt"
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put CN key and cert concat for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_cn_certs_concat }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.{{ host_item.concat | default('pem') }}"
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put CN key for group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_cn_certs_key }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.key"
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put CN cert for group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_cn_certs_cert }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.crt"
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put CN key and cert concat for group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_cn_certs_concat }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.{{ group_item.concat | default('pem') }}"
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
173
tasks/group_certs.yaml
Normal file
173
tasks/group_certs.yaml
Normal file
@ -0,0 +1,173 @@
|
|||||||
|
- name: CA and certs | Generate group certs and keys
|
||||||
|
when: inventory_hostname in groups[cacert_ca_group]
|
||||||
|
block:
|
||||||
|
- name: Generate subject_alt_ips
|
||||||
|
set_fact:
|
||||||
|
client_subject_alt_ips: "{{ groups[group_item] | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"
|
||||||
|
loop: "{{ item.host_groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- groups[group_item] is defined
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
msg: "{{ client_subject_alt_ips }}"
|
||||||
|
|
||||||
|
- name: Generate subject_alt_names
|
||||||
|
set_fact:
|
||||||
|
client_subject_alt_names: "{{ groups[group_item] | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"
|
||||||
|
loop: "{{ item.host_groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- groups[group_item] is defined
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
msg: "{{ client_subject_alt_names }}"
|
||||||
|
|
||||||
|
- name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
register: cacert_client_key_gen
|
||||||
|
|
||||||
|
- name: Generate an OpenSSL Certificate Signing Request for client with subject_alt_name
|
||||||
|
community.crypto.openssl_csr:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
||||||
|
privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
common_name: "{{ item.name }}"
|
||||||
|
subject_alt_name: "{{ ((client_subject_alt_ips | default([])) + (client_subject_alt_names | default([]))) }}"
|
||||||
|
register: cacert_client_csr
|
||||||
|
|
||||||
|
- name: Generate an OpenSSL certificate for client signed with your own CA certificate
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
||||||
|
csr_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
||||||
|
ownca_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
||||||
|
ownca_privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
|
||||||
|
provider: ownca
|
||||||
|
register: cacert_client_cert
|
||||||
|
|
||||||
|
- name: Get {{ item.name }} OpenSSL crt and key content
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
cat {{ cacert_ssl_gen_path }}/{{ item.name }}.{crt,key}
|
||||||
|
register: concated_crt_key
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Concatenate and save {{ item.name }} OpenSSL crt and key to single file
|
||||||
|
copy:
|
||||||
|
content: "{{ concated_crt_key.stdout }}"
|
||||||
|
dest: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem"
|
||||||
|
|
||||||
|
- name: Get group key content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
||||||
|
register: cacert_group_certs_key_b64
|
||||||
|
|
||||||
|
- name: Get group cert content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
||||||
|
register: cacert_group_certs_cert_b64
|
||||||
|
|
||||||
|
- name: Get group cert and key concat content
|
||||||
|
slurp:
|
||||||
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem"
|
||||||
|
register: cacert_group_certs_concat_b64
|
||||||
|
|
||||||
|
- name: Set facts about key and cert
|
||||||
|
set_fact:
|
||||||
|
cacert_group_certs_key: "{{ cacert_group_certs_key_b64.content | b64decode }}"
|
||||||
|
cacert_group_certs_cert: "{{ cacert_group_certs_cert_b64.content | b64decode }}"
|
||||||
|
cacert_group_certs_concat: "{{ cacert_group_certs_concat_b64.content | b64decode }}"
|
||||||
|
delegate_to: "{{ fact_item }}"
|
||||||
|
delegate_facts: true
|
||||||
|
run_once: true
|
||||||
|
with_items:
|
||||||
|
- "{{ groups[cacert_ca_group] | default([]) }}"
|
||||||
|
- "{{ groups[cacert_clients_group] | default([]) }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: fact_item
|
||||||
|
|
||||||
|
- name: Distribute group certificates
|
||||||
|
become: true
|
||||||
|
when: inventory_hostname in groups[cacert_clients_group]
|
||||||
|
block:
|
||||||
|
- name: CA and cert | Check if dest dir exist on remote host
|
||||||
|
file:
|
||||||
|
name: "{{ host_item.path }}"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: CA and cert | Check if dest dir exist on remote host for group
|
||||||
|
file:
|
||||||
|
name: "{{ group_item.path }}"
|
||||||
|
state: directory
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put group key for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_group_certs_key }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.key"
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put group cert for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_group_certs_cert }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.crt"
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put group key and cert concat for host
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_group_certs_concat }}"
|
||||||
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.{{ host_item.concat | default('pem') }}"
|
||||||
|
loop: "{{ item.hosts }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
when:
|
||||||
|
- inventory_hostname == host_item.host
|
||||||
|
|
||||||
|
- name: Put group key for group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_group_certs_key }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.key"
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put group cert for group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_group_certs_cert }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.crt"
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
||||||
|
- name: Put group key and cert concat for group
|
||||||
|
copy:
|
||||||
|
content: "{{ cacert_group_certs_concat }}"
|
||||||
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.{{ group_item.concat | default('pem') }}"
|
||||||
|
loop: "{{ item.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group_item
|
||||||
|
when:
|
||||||
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
||||||
|
|
@ -2,12 +2,20 @@
|
|||||||
file:
|
file:
|
||||||
name: "{{ cacert_ssl_gen_path }}"
|
name: "{{ cacert_ssl_gen_path }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
when:
|
||||||
|
- inventory_hostname in groups[cacert_ca_group]
|
||||||
|
|
||||||
- name: CA and certs | Include CA creation
|
- name: CA and certs | Include CA
|
||||||
include_tasks: ca.yaml
|
include_tasks: ca.yaml
|
||||||
when: "inventory_hostname in groups.cacert_ca"
|
|
||||||
|
|
||||||
- name: CA and certs | Include certs creation
|
- name: CA and certs | Include CN certs
|
||||||
include_tasks: certs.yaml
|
include_tasks: cn_certs.yaml
|
||||||
loop: "{{ cacert_certs }}"
|
loop: "{{ cacert_cn_certs }}"
|
||||||
when: "inventory_hostname in groups.cacert_ca"
|
when:
|
||||||
|
- cacert_cn_certs is defined
|
||||||
|
|
||||||
|
- name: CA and certs | Include group certs
|
||||||
|
include_tasks: group_certs.yaml
|
||||||
|
loop: "{{ cacert_group_certs }}"
|
||||||
|
when:
|
||||||
|
- cacert_group_certs is defined
|
||||||
|
Loading…
Reference in New Issue
Block a user