diff --git a/tasks/cacert.yaml b/tasks/cacert.yaml
new file mode 100644
index 0000000..649a6d7
--- /dev/null
+++ b/tasks/cacert.yaml
@@ -0,0 +1,177 @@
+- name: Check if ssl dir exist
+ file:
+ name: "{{ consul_ssl_path }}"
+ state: directory
+ owner: consul
+ group: consul
+ when: consul_ssl
+
+- name: Add predefined ssl cert for Consul
+ copy:
+ src: "{{ consul_cert_name }}"
+ dest: "{{ consul_ssl_path }}/{{ consul_cert_name }}"
+ owner: consul
+ group: consul
+ notify: Restart consul
+ when: consul_cert is defined
+
+- name: Generate OpenSSL key and cert for Consul
+ when: "inventory_hostname == groups[consul_server_group]|first"
+ block:
+ - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
+ community.crypto.openssl_privatekey:
+ path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
+ owner: consul
+ group: consul
+ when: consul_cert is not defined
+ register: consul_ca_key_gen
+
+ - name: Generate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr:
+ path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.csr"
+ privatekey_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
+ use_common_name_for_san: false
+ basic_constraints:
+ - 'CA:TRUE'
+ basic_constraints_critical: yes
+ key_usage:
+ - keyCertSign
+ key_usage_critical: true
+ common_name: "CA-{{ consul_self_signed_cert_name }}"
+ owner: consul
+ group: consul
+ register: consul_ca_csr
+
+ - name: Generate a Self Signed OpenSSL CA certificate
+ community.crypto.x509_certificate:
+ path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+ csr_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.csr"
+ privatekey_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
+ provider: selfsigned
+ owner: consul
+ group: consul
+ when: consul_cert is not defined
+ register: consul_ca_cert_gen
+
+ - name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
+ community.crypto.openssl_privatekey:
+ path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+ owner: consul
+ group: consul
+ when: consul_cert is not defined
+ register: consul_key_gen
+
+ - name: Generate consul server subject_alt_ips
+ set_fact:
+ consul_server_subject_alt_ips: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"
+
+ - name: Generate consul server subject_alt_names
+ set_fact:
+ consul_server_subject_alt_names: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"
+
+ - name: Generate consul agent subject_alt_ips
+ set_fact:
+ consul_agent_subject_alt_ips: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"
+
+ - name: Generate consul agent subject_alt_names
+ set_fact:
+ consul_agent_subject_alt_names: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"
+
+ - name: Generate an OpenSSL Certificate Signing Request for client
+ community.crypto.openssl_csr:
+ path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.csr"
+ privatekey_path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+ common_name: "{{ consul_self_signed_cert_name }}"
+ subject_alt_name: "{{ consul_server_subject_alt_ips + consul_server_subject_alt_names + consul_agent_subject_alt_ips + consul_agent_subject_alt_names }}"
+ owner: consul
+ group: consul
+ register: consul_csr
+
+ - name: Generate an OpenSSL certificate for client signed with your own CA certificate
+ community.crypto.x509_certificate:
+ path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+ csr_path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.csr"
+ ownca_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+ ownca_privatekey_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
+ provider: ownca
+ owner: consul
+ group: consul
+ register: consul_cert
+
+ - name: Get CA cert content
+ slurp:
+ src: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+ register: consul_ca_cert_b64
+
+ - name: Get CA key content
+ slurp:
+ src: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
+ register: consul_ca_key_b64
+
+ - name: Get client cert content
+ slurp:
+ src: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+ register: consul_cert_b64
+
+ - name: Get client key content
+ slurp:
+ src: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+ register: consul_key_b64
+
+ - name: Set facts about key and cert
+ set_fact:
+ consul_ca_key: "{{ consul_ca_key_b64.content | b64decode }}"
+ consul_ca_cert: "{{ consul_ca_cert_b64.content | b64decode }}"
+ consul_key: "{{ consul_key_b64.content | b64decode }}"
+ consul_cert: "{{ consul_cert_b64.content | b64decode }}"
+ delegate_to: "{{ item }}"
+ delegate_facts: true
+ run_once: true
+ with_items:
+ - "{{ groups[consul_server_group] | default([]) }}"
+ - "{{ groups[consul_agent_group] | default([]) }}"
+
+- name: Put Consul CA OpenSSL key
+ copy:
+ content: "{{ consul_ca_key }}"
+ dest: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
+ owner: consul
+ group: consul
+ mode: 0600
+ notify: Restart consul
+
+- name: Put Consul CA OpenSSL cert
+ copy:
+ content: "{{ consul_ca_cert }}"
+ dest: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+ owner: consul
+ group: consul
+ notify: Restart consul
+
+- name: Put Consul CA OpenSSL cert to PKI
+ copy:
+ content: "{{ consul_ca_cert }}"
+ dest: "/etc/pki/ca-trust/source/anchors/CA-{{ consul_self_signed_cert_name }}.crt"
+ register: consul_ca_trust_anchors
+ notify: Restart consul
+
+- name: Update CA trust
+ shell: update-ca-trust extract
+ when: consul_ca_trust_anchors.changed
+
+- name: Put Consul OpenSSL key
+ copy:
+ content: "{{ consul_key }}"
+ dest: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+ owner: consul
+ group: consul
+ mode: 0600
+ notify: Restart consul
+
+- name: Put Consul OpenSSL cert
+ copy:
+ content: "{{ consul_cert }}"
+ dest: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+ owner: consul
+ group: consul
+ notify: Restart consul
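Review bot: The CA private key is fanned out to every node: `Set facts about key and cert` sets `consul_ca_key` on all hosts in both `consul_server_group` and `consul_agent_group`, `Put Consul CA OpenSSL key` then writes it to `{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key` on every host the play runs against, and `Put Consul CA OpenSSL cert to PKI` installs that same CA as a system-wide trust anchor on those hosts, so a compromise of any single agent yields a signing key every host trusts. Only the signing host (the first member of `consul_server_group`, which already has the key on disk) needs it; drop the `consul_ca_key:` line from the delegated `set_fact` and remove the `Put Consul CA OpenSSL key` task, and add `no_log: true` to the slurp, set_fact and copy tasks that carry private-key material so it is not echoed in verbose or `--diff` output or persisted by fact caching. The `when: consul_cert is not defined` guard is applied to the key-generation tasks but not to the CSR and signing tasks that consume those key files, so supplying a predefined cert appears to leave the later tasks running against files that were never created. Minor: `mode: 0600` should be quoted (`mode: "0600"`), `basic_constraints_critical: yes` written as `true`, and `shell: update-ca-trust extract` can be `command: update-ca-trust extract`.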