summaryrefslogtreecommitdiffstats
path: root/ansible/roles
diff options
context:
space:
mode:
authorSamuli Silvius <s.silvius@partner.samsung.com>2019-03-03 13:34:16 +0200
committerSamuli Silvius <s.silvius@partner.samsung.com>2019-03-12 14:07:19 +0200
commite9fca5ef39ebdc51d4d0f1af175960fb51cd903e (patch)
treedec12146af5b5e00eed0ffbd0b5ea1c920853c52 /ansible/roles
parentbdababf6496d20be5723740041b63a1855535c32 (diff)
Improve certificates role testability
Move certs source path to defaults and make other small re-factoring. Issue-ID: OOM-1694 Change-Id: Ie0a4b543b40314dc5a7772dd4667b1ad218d3543 Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
Diffstat (limited to 'ansible/roles')
-rw-r--r--ansible/roles/application-install/tasks/install.yml2
-rw-r--r--ansible/roles/certificates/defaults/main.yml4
-rw-r--r--ansible/roles/certificates/tasks/generate-certificates.yml90
-rw-r--r--ansible/roles/certificates/tasks/main.yml96
-rw-r--r--ansible/roles/certificates/tasks/upload_root_ca.yml4
5 files changed, 102 insertions, 94 deletions
diff --git a/ansible/roles/application-install/tasks/install.yml b/ansible/roles/application-install/tasks/install.yml
index c0be12eb..d2134d30 100644
--- a/ansible/roles/application-install/tasks/install.yml
+++ b/ansible/roles/application-install/tasks/install.yml
@@ -40,7 +40,7 @@
- name: Register root certificate
slurp:
- src: '/certs/rootCA.crt'
+ src: "{{ playbook_dir }}/certs/rootCA.crt"
register: root_cert
delegate_to: localhost
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 00000000..260ba966
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# Generate certs to local current dir where ansible in run (= playbook_dir)
+# After ansible run, dir can be deleted but idempotence is lost and certs are re-generated in next run
+certificates_local_dir: certs
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
new file mode 100644
index 00000000..ac8fe1e3
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate-certificates.yml
@@ -0,0 +1,90 @@
+---
+- name: Create certificates directory certs to current dir
+ file:
+ path: "{{ certificates_local_dir }}"
+ state: directory
+
+# Some of task are delegated to Ansible container because unavailable
+# version of python-pyOpenSSL
+- name: Generate root CA private key
+ openssl_privatekey:
+ path: "{{ certificates_local_dir }}/rootCA.key"
+ size: 4096
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: "{{ certificates_local_dir }}/rootCA.csr"
+ privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ basic_constraints:
+ - CA:true
+ basic_constraints_critical: true
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+
+- name: Generate root CA certificate
+ openssl_certificate:
+ provider: selfsigned
+ path: "{{ certificates_local_dir }}/rootCA.crt"
+ csr_path: "{{ certificates_local_dir }}/rootCA.csr"
+ privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ force: true
+ notify: Restart Docker
+
+- name: Generate private Nexus key
+ openssl_privatekey:
+ path: "{{ certificates_local_dir }}/nexus_server.key"
+ size: 4096
+ force: false
+
+- name: Generate Nexus CSR (certificate signing request)
+ openssl_csr:
+ path: "{{ certificates_local_dir }}/nexus_server.csr"
+ privatekey_path: "{{ certificates_local_dir }}/nexus_server.key"
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ common_name: registry-1.docker.io
+ key_usage:
+ - keyAgreement
+ - nonRepudiation
+ - digitalSignature
+ - keyEncipherment
+ - dataEncipherment
+ extended_key_usage:
+ - serverAuth
+ subject_alt_name:
+ "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+
+- name: Generate v3 extension config file
+ template:
+ src: v3.ext.j2
+ dest: "{{ certificates_local_dir }}/v3.ext"
+
+# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
+# Currently using 2.6.3
+- name: Sign Nexus certificate
+ command: >
+ openssl
+ x509
+ -req
+ -in "{{ certificates_local_dir }}/nexus_server.csr"
+ -extfile "{{ certificates_local_dir }}/v3.ext"
+ -CA "{{ certificates_local_dir }}/rootCA.crt"
+ -CAkey "{{ certificates_local_dir }}/rootCA.key"
+ -CAcreateserial
+ -out "{{ certificates_local_dir }}/nexus_server.crt"
+ -days 3650
+ -sha256
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
index 2e7dd88a..7aaeac1d 100644
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -1,100 +1,12 @@
---
-# Some of task are delegated to Ansible container because unavailable
-# version of python-pyOpenSSL
-- name: Generate root CA private key
- openssl_privatekey:
- path: /certs/rootCA.key
- size: 4096
- delegate_to: localhost
-
-- name: Generate an OpenSSL CSR.
- openssl_csr:
- path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- basic_constraints:
- - CA:true
- basic_constraints_critical: yes
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- delegate_to: localhost
-
-- name: Generate root CA certificate
- openssl_certificate:
- provider: selfsigned
- path: /certs/rootCA.crt
- csr_path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- force: yes
- delegate_to: localhost
- notify: Restart Docker
-
-- name: Generate private Nexus key
- openssl_privatekey:
- path: /certs/nexus_server.key
- size: 4096
- force: False
- delegate_to: localhost
-
-- name: Generate Nexus CSR (certificate signing request)
- openssl_csr:
- path: /certs/nexus_server.csr
- privatekey_path: /certs/nexus_server.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- common_name: registry-1.docker.io
- key_usage:
- - keyAgreement
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- - dataEncipherment
- extended_key_usage:
- - serverAuth
- subject_alt_name:
- "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
- delegate_to: localhost
-
-- name: Generate v3 extension config file
- template:
- src: v3.ext.j2
- dest: /certs/v3.ext
- delegate_to: localhost
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
-- name: Sign Nexus certificate
- command: >
- openssl
- x509
- -req
- -in /certs/nexus_server.csr
- -extfile /certs/v3.ext
- -CA /certs/rootCA.crt
- -CAkey /certs/rootCA.key
- -CAcreateserial
- -out /certs/nexus_server.crt
- -days 3650
- -sha256
+- name: Generate certs
+ import_tasks: generate-certificates.yml
delegate_to: localhost
- name: Upload certificates to infrastructure server
copy:
- src: /certs
- directory_mode: yes
+ src: "{{ certificates_local_dir }}"
+ directory_mode: true
dest: "{{ app_data_path }}/"
- import_tasks: upload_root_ca.yml
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml
index 5a59d27b..b2f1f945 100644
--- a/ansible/roles/certificates/tasks/upload_root_ca.yml
+++ b/ansible/roles/certificates/tasks/upload_root_ca.yml
@@ -1,10 +1,12 @@
---
- name: Copy root certificate
copy:
- src: "/certs/rootCA.crt"
+ src: "{{ certificates_local_dir }}/rootCA.crt"
dest: /etc/pki/ca-trust/source/anchors/
+ register: copycert
notify: Restart Docker
- name: Extract root certificate
command: /usr/bin/update-ca-trust extract
+ when: copycert.changed
notify: Restart Docker