author | Samuli Silvius <s.silvius@partner.samsung.com> | 2019-03-03 13:34:16 +0200 |
committer | Samuli Silvius <s.silvius@partner.samsung.com> | 2019-03-12 14:07:19 +0200 |
commit | e9fca5ef39ebdc51d4d0f1af175960fb51cd903e (patch) | |
tree | dec12146af5b5e00eed0ffbd0b5ea1c920853c52 /ansible/roles | |
parent | bdababf6496d20be5723740041b63a1855535c32 (diff) |
Improve certificates role testability
Move certs source path to defaults and make other small re-factoring.
Issue-ID: OOM-1694
Change-Id: Ie0a4b543b40314dc5a7772dd4667b1ad218d3543
Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
Diffstat (limited to 'ansible/roles')
5 files changed, 102 insertions, 94 deletions
diff --git a/ansible/roles/application-install/tasks/install.yml b/ansible/roles/application-install/tasks/install.yml
index c0be12eb..d2134d30 100644
--- a/ansible/roles/application-install/tasks/install.yml
+++ b/ansible/roles/application-install/tasks/install.yml
@@ -40,7 +40,7 @@ - name: Register root certificate slurp: - src: '/certs/rootCA.crt' + src: "{{ playbook_dir }}/certs/rootCA.crt" register: root_cert delegate_to: localhost
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 00000000..260ba966
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# Generate certs to local current dir where ansible in run (= playbook_dir)
+# After ansible run, dir can be deleted but idempotence is lost and certs are re-generated in next run
+certificates_local_dir: certs
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
new file mode 100644
index 00000000..ac8fe1e3
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate-certificates.yml
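Review bot: The slurp path on the `+ src:` line hard-codes the `certs` directory name that the rest of this commit moves into `certificates_local_dir`, so overriding that variable leaves application-install reading a file the certificates role no longer writes. `src: "{{ playbook_dir }}/{{ certificates_local_dir }}/rootCA.crt"` keeps the two roles in step while still matching the default value `certs`. This assumes the certificates role's defaults are in scope for this play when the task runs; if they are not, the directory name should come from a shared variable rather than a second literal.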
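Review bot: The new defaults file does not mention that the directory will hold the root CA private key (rootCA.key, written by generate-certificates.yml) next to the certificates, which is the main thing a user choosing the location needs to know. A comment such as `# Also holds the root CA private key (rootCA.key): keep this directory out of version control and restrict access to it` belongs next to `certificates_local_dir`. The relative value `certs` also appears to be resolved differently by the `file`/`openssl_*` tasks (relative to the working directory of the localhost run) and by `copy: src` (the role/playbook file search path), which coincide only when ansible-playbook is started from the playbook directory; `certificates_local_dir: "{{ playbook_dir }}/certs"` would pin it, as the install.yml hunk already does for its own path. The comment wording `where ansible in run` should read `where ansible is run`.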
@@ -0,0 +1,90 @@ +--- +- name: Create certificates directory certs to current dir + file: + path: "{{ certificates_local_dir }}" + state: directory + +# Some of task are delegated to Ansible container because unavailable +# version of python-pyOpenSSL +- name: Generate root CA private key + openssl_privatekey: + path: "{{ certificates_local_dir }}/rootCA.key" + size: 4096 + +- name: Generate an OpenSSL CSR. + openssl_csr: + path: "{{ certificates_local_dir }}/rootCA.csr" + privatekey_path: "{{ certificates_local_dir }}/rootCA.key" + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + basic_constraints: + - CA:true + basic_constraints_critical: true + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + +- name: Generate root CA certificate + openssl_certificate: + provider: selfsigned + path: "{{ certificates_local_dir }}/rootCA.crt" + csr_path: "{{ certificates_local_dir }}/rootCA.csr" + privatekey_path: "{{ certificates_local_dir }}/rootCA.key" + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + force: true + notify: Restart Docker + +- name: Generate private Nexus key + openssl_privatekey: + path: "{{ certificates_local_dir }}/nexus_server.key" + size: 4096 + force: false + +- name: Generate Nexus CSR (certificate signing request) + openssl_csr: + path: "{{ certificates_local_dir }}/nexus_server.csr" + privatekey_path: "{{ certificates_local_dir }}/nexus_server.key" + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + common_name: registry-1.docker.io + key_usage: + - keyAgreement + - nonRepudiation + - digitalSignature + - keyEncipherment + - dataEncipherment + 
extended_key_usage: + - serverAuth + subject_alt_name: + "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" + +- name: Generate v3 extension config file + template: + src: v3.ext.j2 + dest: "{{ certificates_local_dir }}/v3.ext" + +# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) +# Currently using 2.6.3 +- name: Sign Nexus certificate + command: > + openssl + x509 + -req + -in "{{ certificates_local_dir }}/nexus_server.csr" + -extfile "{{ certificates_local_dir }}/v3.ext" + -CA "{{ certificates_local_dir }}/rootCA.crt" + -CAkey "{{ certificates_local_dir }}/rootCA.key" + -CAcreateserial + -out "{{ certificates_local_dir }}/nexus_server.crt" + -days 3650 + -sha256
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
index 2e7dd88a..7aaeac1d 100644
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
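Review bot: The certificates directory created by the first task in this file has no explicit `mode`, although rootCA.key and nexus_server.key are written into it; `mode: "0700"` on that `file` task keeps the key material from being listable under a permissive umask, whatever mode the key files themselves get. The idempotence this commit aims for is also undercut within the same file: `force: true` on `Generate root CA certificate` re-issues rootCA.crt on every run, and `Sign Nexus certificate` has no `creates:`, so the signing command re-runs every time as well; `creates: "{{ certificates_local_dir }}/nexus_server.crt"` on the command and dropping or conditioning `force: true` would make a second run the no-op the defaults comment promises. Because rootCA.crt changes each run, the new `when: copycert.changed` guard in the upload_root_ca.yml hunk will in practice never skip. Whether anything relies on the CA certificate being re-issued each run is not visible here.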
@@ -1,100 +1,12 @@ --- -# Some of task are delegated to Ansible container because unavailable -# version of python-pyOpenSSL -- name: Generate root CA private key - openssl_privatekey: - path: /certs/rootCA.key - size: 4096 - delegate_to: localhost - -- name: Generate an OpenSSL CSR. - openssl_csr: - path: /certs/rootCA.csr - privatekey_path: /certs/rootCA.key - organization_name: "{{ certificates.organization_name }}" - state_or_province_name: "{{ certificates.state_or_province_name }}" - country_name: "{{ certificates.country_name }}" - locality_name: "{{ certificates.locality_name }}" - basic_constraints: - - CA:true - basic_constraints_critical: yes - key_usage: - - critical - - digitalSignature - - cRLSign - - keyCertSign - delegate_to: localhost - -- name: Generate root CA certificate - openssl_certificate: - provider: selfsigned - path: /certs/rootCA.crt - csr_path: /certs/rootCA.csr - privatekey_path: /certs/rootCA.key - key_usage: - - critical - - digitalSignature - - cRLSign - - keyCertSign - force: yes - delegate_to: localhost - notify: Restart Docker - -- name: Generate private Nexus key - openssl_privatekey: - path: /certs/nexus_server.key - size: 4096 - force: False - delegate_to: localhost - -- name: Generate Nexus CSR (certificate signing request) - openssl_csr: - path: /certs/nexus_server.csr - privatekey_path: /certs/nexus_server.key - organization_name: "{{ certificates.organization_name }}" - state_or_province_name: "{{ certificates.state_or_province_name }}" - country_name: "{{ certificates.country_name }}" - locality_name: "{{ certificates.locality_name }}" - common_name: registry-1.docker.io - key_usage: - - keyAgreement - - nonRepudiation - - digitalSignature - - keyEncipherment - - dataEncipherment - extended_key_usage: - - serverAuth - subject_alt_name: - "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" - delegate_to: localhost - -- name: Generate v3 extension config file - template: - src: v3.ext.j2 - dest: 
/certs/v3.ext - delegate_to: localhost - -# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) -# Currently using 2.6.3 -- name: Sign Nexus certificate - command: > - openssl - x509 - -req - -in /certs/nexus_server.csr - -extfile /certs/v3.ext - -CA /certs/rootCA.crt - -CAkey /certs/rootCA.key - -CAcreateserial - -out /certs/nexus_server.crt - -days 3650 - -sha256 +- name: Generate certs + import_tasks: generate-certificates.yml delegate_to: localhost - name: Upload certificates to infrastructure server copy: - src: /certs - directory_mode: yes + src: "{{ certificates_local_dir }}" + directory_mode: true dest: "{{ app_data_path }}/" - import_tasks: upload_root_ca.yml
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml
index 5a59d27b..b2f1f945 100644
--- a/ansible/roles/certificates/tasks/upload_root_ca.yml
+++ b/ansible/roles/certificates/tasks/upload_root_ca.yml
@@ -1,10 +1,12 @@ --- - name: Copy root certificate copy: - src: "/certs/rootCA.crt" + src: "{{ certificates_local_dir }}/rootCA.crt" dest: /etc/pki/ca-trust/source/anchors/ + register: copycert notify: Restart Docker - name: Extract root certificate command: /usr/bin/update-ca-trust extract + when: copycert.changed notify: Restart Docker |
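Review bot: `src: "{{ certificates_local_dir }}"` in the upload task copies the whole directory recursively, so the root CA private key rootCA.key (written there by generate-certificates.yml) lands in `{{ app_data_path }}/` on the infrastructure server together with the Nexus key and certificate. Unless that server is meant to sign further certificates, the CA key should stay on the controller: copy the individual nexus_server.* files and rootCA.crt instead, or at least keep rootCA.key out of the copied tree; which files the server actually consumes is not visible in this diff. Separately, `directory_mode` takes a permission mode such as `"0755"`, not a boolean, so `directory_mode: true` should either name the mode intended for the created directories or be dropped to get the system defaults.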
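Review bot: `when: copycert.changed` ties the trust-store extraction to the copy result, so a run that copied the certificate but stopped before this task leaves the anchor unprocessed on every later run, because the copy then reports unchanged. `/usr/bin/update-ca-trust extract` is itself idempotent, so if the guard exists only to stop the task from reporting a change on every run, `changed_when: false` on the command (leaving the handler notification on the copy task) gives a quiet no-op without that gap. If the guard is kept, the Ansible 2.5+ test form `when: copycert is changed` is the preferred spelling.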