- name: Create CA when: inventory_hostname in groups[patroni_cacert_ca_host_group] block: - name: CA and certs | Install cryptography library package: name: python3-cryptography state: present - name: CA and certs | Check if ssl gen dir exist file: name: "{{ patroni_ssl_path }}" state: directory - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key" register: patroni_cacert_ca_key_gen - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr" privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key" use_common_name_for_san: false basic_constraints: - 'CA:TRUE' basic_constraints_critical: yes key_usage: - keyCertSign key_usage_critical: true common_name: "CA-{{ patroni_self_signed_cert_name }}" register: patroni_cacert_ca_csr - name: Generate a Self Signed OpenSSL CA certificate community.crypto.x509_certificate: path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt" csr_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr" privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key" provider: selfsigned register: patroni_cacert_ca_cert_gen - name: Get CA cert content slurp: src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt" register: patroni_cacert_ca_cert_b64 - name: Get CA csr content slurp: src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr" register: patroni_cacert_ca_csr_b64 - name: Get CA key content slurp: src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key" register: patroni_cacert_ca_key_b64 - name: Set facts about key and cert set_fact: patroni_cacert_ca_key: "{{ patroni_cacert_ca_key_b64.content | b64decode }}" patroni_cacert_ca_csr: "{{ patroni_cacert_ca_csr_b64.content | b64decode }}" patroni_cacert_ca_cert: "{{ patroni_cacert_ca_cert_b64.content | b64decode }}" delegate_to: "{{ fact_item }}" delegate_facts: true with_items: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: fact_item - name: Distribute CA certificates become: true block: - name: CA and cert | Check if dest dir exist on remote host file: name: "{{ patroni_ssl_path }}" state: directory loop: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: host_item - name: Put CA key copy: content: "{{ patroni_cacert_ca_key }}" dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key" mode: 0600 owner: "{{ patroni_user }}" group: "{{ patroni_group }}" loop: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: host_item - name: Put CA csr copy: content: "{{ patroni_cacert_ca_csr }}" dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr" mode: 0644 owner: "{{ patroni_user }}" group: "{{ patroni_group }}" loop: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: host_item - name: Put CA cert copy: content: "{{ patroni_cacert_ca_cert }}" dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt" mode: 0644 owner: "{{ patroni_user }}" group: "{{ patroni_group }}" loop: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: host_item - name: Put CA OpenSSL cert to PKI copy: content: "{{ patroni_cacert_ca_cert }}" dest: "{{ patroni_cacert_ca_trust_dir }}/CA-{{ patroni_self_signed_cert_name }}.crt" mode: 0644 loop: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: host_item register: patroni_ca_trust_anchors - name: Update CA trust shell: "{{ patroni_cacert_update_ca_trust_command }}" loop: - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}" - "{{ groups[patroni_cacert_clients_group] | default([]) }}" loop_control: loop_var: host_item when: - patroni_ca_trust_anchors.changed - patroni_cacert_ca_trust_anchors_update