diff options
-rw-r--r-- | ansible/infrastructure.yml | 2 | ||||
-rw-r--r-- | ansible/roles/application-install/tasks/install.yml | 2 | ||||
-rw-r--r-- | ansible/roles/certificates/defaults/main.yml | 4 | ||||
-rw-r--r-- | ansible/roles/certificates/tasks/generate-certificates.yml | 90 | ||||
-rw-r--r-- | ansible/roles/certificates/tasks/main.yml | 96 | ||||
-rw-r--r-- | ansible/roles/certificates/tasks/upload_root_ca.yml | 4 | ||||
-rwxr-xr-x | ansible/run_playbook.sh | 4 |
7 files changed, 106 insertions, 96 deletions
diff --git a/ansible/infrastructure.yml b/ansible/infrastructure.yml index 382ffd53..83e185fe 100644 --- a/ansible/infrastructure.yml +++ b/ansible/infrastructure.yml @@ -21,3 +21,5 @@ - docker tasks: - import_tasks: roles/certificates/tasks/upload_root_ca.yml + vars: + certificates_local_dir: certs diff --git a/ansible/roles/application-install/tasks/install.yml b/ansible/roles/application-install/tasks/install.yml index c0be12eb..d2134d30 100644 --- a/ansible/roles/application-install/tasks/install.yml +++ b/ansible/roles/application-install/tasks/install.yml @@ -40,7 +40,7 @@ - name: Register root certificate slurp: - src: '/certs/rootCA.crt' + src: "{{ playbook_dir }}/certs/rootCA.crt" register: root_cert delegate_to: localhost diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml new file mode 100644 index 00000000..260ba966 --- /dev/null +++ b/ansible/roles/certificates/defaults/main.yml @@ -0,0 +1,4 @@ +--- +# Generate certs to local current dir where ansible in run (= playbook_dir) +# After ansible run, dir can be deleted but idempotence is lost and certs are re-generated in next run +certificates_local_dir: certs diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml new file mode 100644 index 00000000..ac8fe1e3 --- /dev/null +++ b/ansible/roles/certificates/tasks/generate-certificates.yml @@ -0,0 +1,90 @@ +--- +- name: Create certificates directory certs to current dir + file: + path: "{{ certificates_local_dir }}" + state: directory + +# Some of task are delegated to Ansible container because unavailable +# version of python-pyOpenSSL +- name: Generate root CA private key + openssl_privatekey: + path: "{{ certificates_local_dir }}/rootCA.key" + size: 4096 + +- name: Generate an OpenSSL CSR. + openssl_csr: + path: "{{ certificates_local_dir }}/rootCA.csr" + privatekey_path: "{{ certificates_local_dir }}/rootCA.key" + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + basic_constraints: + - CA:true + basic_constraints_critical: true + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + +- name: Generate root CA certificate + openssl_certificate: + provider: selfsigned + path: "{{ certificates_local_dir }}/rootCA.crt" + csr_path: "{{ certificates_local_dir }}/rootCA.csr" + privatekey_path: "{{ certificates_local_dir }}/rootCA.key" + key_usage: + - critical + - digitalSignature + - cRLSign + - keyCertSign + force: true + notify: Restart Docker + +- name: Generate private Nexus key + openssl_privatekey: + path: "{{ certificates_local_dir }}/nexus_server.key" + size: 4096 + force: false + +- name: Generate Nexus CSR (certificate signing request) + openssl_csr: + path: "{{ certificates_local_dir }}/nexus_server.csr" + privatekey_path: "{{ certificates_local_dir }}/nexus_server.key" + organization_name: "{{ certificates.organization_name }}" + state_or_province_name: "{{ certificates.state_or_province_name }}" + country_name: "{{ certificates.country_name }}" + locality_name: "{{ certificates.locality_name }}" + common_name: registry-1.docker.io + key_usage: + - keyAgreement + - nonRepudiation + - digitalSignature + - keyEncipherment + - dataEncipherment + extended_key_usage: + - serverAuth + subject_alt_name: + "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" + +- name: Generate v3 extension config file + template: + src: v3.ext.j2 + dest: "{{ certificates_local_dir }}/v3.ext" + +# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) +# Currently using 2.6.3 +- name: Sign Nexus certificate + command: > + openssl + x509 + -req + -in "{{ certificates_local_dir }}/nexus_server.csr" + -extfile "{{ certificates_local_dir }}/v3.ext" + -CA "{{ certificates_local_dir }}/rootCA.crt" + -CAkey "{{ certificates_local_dir }}/rootCA.key" + -CAcreateserial + -out "{{ certificates_local_dir }}/nexus_server.crt" + -days 3650 + -sha256 diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml index 2e7dd88a..7aaeac1d 100644 --- a/ansible/roles/certificates/tasks/main.yml +++ b/ansible/roles/certificates/tasks/main.yml @@ -1,100 +1,12 @@ --- -# Some of task are delegated to Ansible container because unavailable -# version of python-pyOpenSSL -- name: Generate root CA private key - openssl_privatekey: - path: /certs/rootCA.key - size: 4096 - delegate_to: localhost - -- name: Generate an OpenSSL CSR. - openssl_csr: - path: /certs/rootCA.csr - privatekey_path: /certs/rootCA.key - organization_name: "{{ certificates.organization_name }}" - state_or_province_name: "{{ certificates.state_or_province_name }}" - country_name: "{{ certificates.country_name }}" - locality_name: "{{ certificates.locality_name }}" - basic_constraints: - - CA:true - basic_constraints_critical: yes - key_usage: - - critical - - digitalSignature - - cRLSign - - keyCertSign - delegate_to: localhost - -- name: Generate root CA certificate - openssl_certificate: - provider: selfsigned - path: /certs/rootCA.crt - csr_path: /certs/rootCA.csr - privatekey_path: /certs/rootCA.key - key_usage: - - critical - - digitalSignature - - cRLSign - - keyCertSign - force: yes - delegate_to: localhost - notify: Restart Docker - -- name: Generate private Nexus key - openssl_privatekey: - path: /certs/nexus_server.key - size: 4096 - force: False - delegate_to: localhost - -- name: Generate Nexus CSR (certificate signing request) - openssl_csr: - path: /certs/nexus_server.csr - privatekey_path: /certs/nexus_server.key - organization_name: "{{ certificates.organization_name }}" - state_or_province_name: "{{ certificates.state_or_province_name }}" - country_name: "{{ certificates.country_name }}" - locality_name: "{{ certificates.locality_name }}" - common_name: registry-1.docker.io - key_usage: - - keyAgreement - - nonRepudiation - - digitalSignature - - keyEncipherment - - dataEncipherment - extended_key_usage: - - serverAuth - subject_alt_name: - "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" - delegate_to: localhost - -- name: Generate v3 extension config file - template: - src: v3.ext.j2 - dest: /certs/v3.ext - delegate_to: localhost - -# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) -# Currently using 2.6.3 -- name: Sign Nexus certificate - command: > - openssl - x509 - -req - -in /certs/nexus_server.csr - -extfile /certs/v3.ext - -CA /certs/rootCA.crt - -CAkey /certs/rootCA.key - -CAcreateserial - -out /certs/nexus_server.crt - -days 3650 - -sha256 +- name: Generate certs + import_tasks: generate-certificates.yml delegate_to: localhost - name: Upload certificates to infrastructure server copy: - src: /certs - directory_mode: yes + src: "{{ certificates_local_dir }}" + directory_mode: true dest: "{{ app_data_path }}/" - import_tasks: upload_root_ca.yml diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml index 5a59d27b..b2f1f945 100644 --- a/ansible/roles/certificates/tasks/upload_root_ca.yml +++ b/ansible/roles/certificates/tasks/upload_root_ca.yml @@ -1,10 +1,12 @@ --- - name: Copy root certificate copy: - src: "/certs/rootCA.crt" + src: "{{ certificates_local_dir }}/rootCA.crt" dest: /etc/pki/ca-trust/source/anchors/ + register: copycert notify: Restart Docker - name: Extract root certificate command: /usr/bin/update-ca-trust extract + when: copycert.changed notify: Restart Docker diff --git a/ansible/run_playbook.sh b/ansible/run_playbook.sh index 2edbe358..3bc56b3c 100755 --- a/ansible/run_playbook.sh +++ b/ansible/run_playbook.sh @@ -103,7 +103,7 @@ if [ -n "$ANSIBLE_DOCKER_IMAGE" ] ; then -v "${HOME}"/.ssh:/root/.ssh:rw \ -v "$ANSIBLE_DIR:/ansible:ro" \ -v "$ANSIBLE_DIR/application:/ansible/application:rw" \ - -v "$ANSIBLE_DIR/certs/:/certs:rw" \ + -v "$ANSIBLE_DIR/certs/:/ansible/certs:rw" \ -v "$ANSIBLE_DIR/log/:/ansible/log:rw" \ -e ANSIBLE_LOG_PATH \ -it "${ANSIBLE_DOCKER_IMAGE}" "$@" @@ -129,7 +129,7 @@ fi --mount ro:"$ANSIBLE_DIR":/ansible \ --mount rw:"$ANSIBLE_DIR"/application:/ansible/application \ --mount rw:"$ANSIBLE_DIR"/log:/ansible/log \ - --mount rw:"$ANSIBLE_DIR"/certs:/certs \ + --mount rw:"$ANSIBLE_DIR"/certs:/ansible/certs \ --mount ro:/etc/resolv.conf:/etc/resolv.conf \ --mount ro:/etc/hosts:/etc/hosts \ --workdir /ansible \ |