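---
# Patroni TLS material. Two paths:
#   * the caller supplies patroni_cert (and patroni_cert_name): the predefined
#     certificate is copied into patroni_ssl_path and nothing is generated;
#   * otherwise a self-signed CA and a node certificate (SAN = every host in
#     groups.patroni, by IP and by inventory name) are generated once, on the
#     first host of groups.patroni, and distributed to all hosts in the group.
# Every task that touches private-key material runs with no_log so the key
# bytes never reach playbook output, -v output or --diff.

- name: Check if ssl dir exist
  file:
    name: "{{ patroni_ssl_path }}"
    state: directory
    owner: postgres
    group: postgres
  when: patroni_ssl

- name: Add predefined ssl cert for Patroni
  copy:
    src: "{{ patroni_cert_name }}"
    dest: "{{ patroni_ssl_path }}/{{ patroni_cert_name }}"
    owner: postgres
    group: postgres
  notify: Restart Patroni
  when: patroni_cert is defined

- name: Generate OpenSSL key and cert for Patroni
  # Whole block is skipped when a predefined certificate is supplied; the
  # previous per-task guards were inconsistent (the CA CSR task had none), so
  # the predefined path used to fail on a missing CA key.
  # NOTE: the generated certificate is registered as patroni_cert_gen, not
  # patroni_cert, so that registering it does not flip the block's guard for
  # the tasks that follow it inside the block.
  when:
    - "inventory_hostname == groups.patroni|first"
    - patroni_cert is not defined
  block:
    - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        owner: postgres
        group: postgres
        # Explicit rather than relying on the module/umask default.
        mode: "0600"
      register: patroni_ca_key_gen

    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr"
        privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        use_common_name_for_san: false
        # CA constraints are marked critical so a verifier cannot ignore them.
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
        key_usage_critical: true
        common_name: "CA-{{ patroni_self_signed_cert_name }}"
        owner: postgres
        group: postgres
      register: patroni_ca_csr

    - name: Generate a Self Signed OpenSSL CA certificate
      community.crypto.x509_certificate:
        path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
        csr_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr"
        privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        provider: selfsigned
        owner: postgres
        group: postgres
      register: patroni_ca_cert_gen

    - name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.key"
        owner: postgres
        group: postgres
        mode: "0600"
      register: patroni_key_gen

    # SAN entries: one IP: entry per ansible_host and one DNS: entry per
    # inventory_hostname of every host in groups.patroni. Both lists are
    # reused by the client CSR below instead of being recomputed inline.
    - name: Generate subject_alt_ips
      set_fact:
        client_subject_alt_ips: "{{ groups.patroni | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"

    - name: Print alt subjects ips
      debug:
        msg: "{{ client_subject_alt_ips }}"
        verbosity: 2

    - name: Generate subject_alt_names
      set_fact:
        client_subject_alt_names: "{{ groups.patroni | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"

    - name: Print alt subjects names
      debug:
        msg: "{{ client_subject_alt_names }}"
        verbosity: 2

    - name: Generate an OpenSSL Certificate Signing Request for client
      community.crypto.openssl_csr:
        path: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.csr"
        privatekey_path: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.key"
        common_name: "{{ patroni_self_signed_cert_name }}"
        subject_alt_name: "{{ client_subject_alt_ips + client_subject_alt_names }}"
        owner: postgres
        group: postgres
      register: patroni_csr

    - name: Generate an OpenSSL certificate for client signed with your own CA certificate
      community.crypto.x509_certificate:
        path: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.crt"
        csr_path: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.csr"
        ownca_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
        ownca_privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        provider: ownca
        owner: postgres
        group: postgres
      register: patroni_cert_gen

    # Read the generated PEM files back so they can be pushed to the other
    # hosts as facts (content is base64 in the slurp result).
    - name: Get CA cert content
      slurp:
        src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
      register: patroni_ca_cert_b64

    - name: Get CA key content
      slurp:
        src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
      register: patroni_ca_key_b64
      no_log: true

    - name: Get client cert content
      slurp:
        src: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.crt"
      register: patroni_cert_b64

    - name: Get client key content
      slurp:
        src: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.key"
      register: patroni_key_b64
      no_log: true

    # Runs once on the first host and sets the four facts on every host in
    # groups.patroni (delegate_facts), so the Put tasks below see them.
    - name: Set facts about key and cert
      set_fact:
        patroni_ca_key: "{{ patroni_ca_key_b64.content | b64decode }}"
        patroni_ca_cert: "{{ patroni_ca_cert_b64.content | b64decode }}"
        patroni_key: "{{ patroni_key_b64.content | b64decode }}"
        patroni_cert: "{{ patroni_cert_b64.content | b64decode }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      run_once: true
      loop: "{{ groups.patroni }}"
      no_log: true

# Distribution. Guarded on patroni_ca_key so these are skipped, rather than
# failing on an undefined variable, when generation was skipped above.

# NOTE(review): this pushes the CA *private* key to every node. Only the CA
# certificate is needed to verify peers; keeping the CA key off the nodes
# would limit the blast radius of a single compromised host — confirm whether
# anything on the nodes actually consumes CA-*.key before dropping this task.
- name: Put Patroni CA OpenSSL key
  copy:
    content: "{{ patroni_ca_key }}"
    dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
    owner: postgres
    group: postgres
    mode: "0600"
  notify: Restart Patroni
  no_log: true
  when: patroni_ca_key is defined

- name: Put Patroni CA OpenSSL cert
  copy:
    content: "{{ patroni_ca_cert }}"
    dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
    owner: postgres
    group: postgres
  notify: Restart Patroni
  when: patroni_ca_key is defined

# Anchor path and update-ca-trust are the RHEL-family trust store; this task
# pair assumes that family — TODO confirm target distributions.
- name: Put Patroni CA OpenSSL cert to PKI
  copy:
    content: "{{ patroni_ca_cert }}"
    dest: "/etc/pki/ca-trust/source/anchors/CA-{{ patroni_self_signed_cert_name }}.crt"
  register: ca_trust_anchors
  notify: Restart Patroni
  when: patroni_ca_key is defined

- name: Update CA trust
  # No shell features are used, so command (no shell interpretation) is enough.
  command: update-ca-trust extract
  when: ca_trust_anchors.changed

- name: Put Patroni OpenSSL key
  copy:
    content: "{{ patroni_key }}"
    dest: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.key"
    owner: postgres
    group: postgres
    mode: "0600"
  notify: Restart Patroni
  no_log: true
  when: patroni_ca_key is defined

- name: Put Patroni OpenSSL cert
  copy:
    content: "{{ patroni_cert }}"
    dest: "{{ patroni_ssl_path }}/{{ patroni_self_signed_cert_name }}.crt"
    owner: postgres
    group: postgres
  notify: Restart Patroni
  when: patroni_ca_key is defined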