summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ansible/infrastructure.yml2
-rw-r--r--ansible/roles/application-install/tasks/install.yml2
-rw-r--r--ansible/roles/certificates/defaults/main.yml4
-rw-r--r--ansible/roles/certificates/tasks/generate-certificates.yml90
-rw-r--r--ansible/roles/certificates/tasks/main.yml96
-rw-r--r--ansible/roles/certificates/tasks/upload_root_ca.yml4
-rwxr-xr-xansible/run_playbook.sh4
7 files changed, 106 insertions, 96 deletions
diff --git a/ansible/infrastructure.yml b/ansible/infrastructure.yml
index 382ffd53..83e185fe 100644
--- a/ansible/infrastructure.yml
+++ b/ansible/infrastructure.yml
@@ -21,3 +21,5 @@
- docker
tasks:
- import_tasks: roles/certificates/tasks/upload_root_ca.yml
+ vars:
+ certificates_local_dir: certs
diff --git a/ansible/roles/application-install/tasks/install.yml b/ansible/roles/application-install/tasks/install.yml
index c0be12eb..d2134d30 100644
--- a/ansible/roles/application-install/tasks/install.yml
+++ b/ansible/roles/application-install/tasks/install.yml
@@ -40,7 +40,7 @@
- name: Register root certificate
slurp:
- src: '/certs/rootCA.crt'
+ src: "{{ playbook_dir }}/certs/rootCA.crt"
register: root_cert
delegate_to: localhost
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 00000000..260ba966
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# Generate certs to local current dir where ansible in run (= playbook_dir)
+# After ansible run, dir can be deleted but idempotence is lost and certs are re-generated in next run
+certificates_local_dir: certs
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
new file mode 100644
index 00000000..ac8fe1e3
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate-certificates.yml
@@ -0,0 +1,90 @@
+---
+- name: Create certificates directory certs to current dir
+ file:
+ path: "{{ certificates_local_dir }}"
+ state: directory
+
+# Some of task are delegated to Ansible container because unavailable
+# version of python-pyOpenSSL
+- name: Generate root CA private key
+ openssl_privatekey:
+ path: "{{ certificates_local_dir }}/rootCA.key"
+ size: 4096
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: "{{ certificates_local_dir }}/rootCA.csr"
+ privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ basic_constraints:
+ - CA:true
+ basic_constraints_critical: true
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+
+- name: Generate root CA certificate
+ openssl_certificate:
+ provider: selfsigned
+ path: "{{ certificates_local_dir }}/rootCA.crt"
+ csr_path: "{{ certificates_local_dir }}/rootCA.csr"
+ privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ force: true
+ notify: Restart Docker
+
+- name: Generate private Nexus key
+ openssl_privatekey:
+ path: "{{ certificates_local_dir }}/nexus_server.key"
+ size: 4096
+ force: false
+
+- name: Generate Nexus CSR (certificate signing request)
+ openssl_csr:
+ path: "{{ certificates_local_dir }}/nexus_server.csr"
+ privatekey_path: "{{ certificates_local_dir }}/nexus_server.key"
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ common_name: registry-1.docker.io
+ key_usage:
+ - keyAgreement
+ - nonRepudiation
+ - digitalSignature
+ - keyEncipherment
+ - dataEncipherment
+ extended_key_usage:
+ - serverAuth
+ subject_alt_name:
+ "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+
+- name: Generate v3 extension config file
+ template:
+ src: v3.ext.j2
+ dest: "{{ certificates_local_dir }}/v3.ext"
+
+# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
+# Currently using 2.6.3
+- name: Sign Nexus certificate
+ command: >
+ openssl
+ x509
+ -req
+ -in "{{ certificates_local_dir }}/nexus_server.csr"
+ -extfile "{{ certificates_local_dir }}/v3.ext"
+ -CA "{{ certificates_local_dir }}/rootCA.crt"
+ -CAkey "{{ certificates_local_dir }}/rootCA.key"
+ -CAcreateserial
+ -out "{{ certificates_local_dir }}/nexus_server.crt"
+ -days 3650
+ -sha256
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
index 2e7dd88a..7aaeac1d 100644
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -1,100 +1,12 @@
---
-# Some of task are delegated to Ansible container because unavailable
-# version of python-pyOpenSSL
-- name: Generate root CA private key
- openssl_privatekey:
- path: /certs/rootCA.key
- size: 4096
- delegate_to: localhost
-
-- name: Generate an OpenSSL CSR.
- openssl_csr:
- path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- basic_constraints:
- - CA:true
- basic_constraints_critical: yes
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- delegate_to: localhost
-
-- name: Generate root CA certificate
- openssl_certificate:
- provider: selfsigned
- path: /certs/rootCA.crt
- csr_path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- force: yes
- delegate_to: localhost
- notify: Restart Docker
-
-- name: Generate private Nexus key
- openssl_privatekey:
- path: /certs/nexus_server.key
- size: 4096
- force: False
- delegate_to: localhost
-
-- name: Generate Nexus CSR (certificate signing request)
- openssl_csr:
- path: /certs/nexus_server.csr
- privatekey_path: /certs/nexus_server.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- common_name: registry-1.docker.io
- key_usage:
- - keyAgreement
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- - dataEncipherment
- extended_key_usage:
- - serverAuth
- subject_alt_name:
- "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
- delegate_to: localhost
-
-- name: Generate v3 extension config file
- template:
- src: v3.ext.j2
- dest: /certs/v3.ext
- delegate_to: localhost
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
-- name: Sign Nexus certificate
- command: >
- openssl
- x509
- -req
- -in /certs/nexus_server.csr
- -extfile /certs/v3.ext
- -CA /certs/rootCA.crt
- -CAkey /certs/rootCA.key
- -CAcreateserial
- -out /certs/nexus_server.crt
- -days 3650
- -sha256
+- name: Generate certs
+ import_tasks: generate-certificates.yml
delegate_to: localhost
- name: Upload certificates to infrastructure server
copy:
- src: /certs
- directory_mode: yes
+ src: "{{ certificates_local_dir }}"
+ directory_mode: true
dest: "{{ app_data_path }}/"
- import_tasks: upload_root_ca.yml
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml
index 5a59d27b..b2f1f945 100644
--- a/ansible/roles/certificates/tasks/upload_root_ca.yml
+++ b/ansible/roles/certificates/tasks/upload_root_ca.yml
@@ -1,10 +1,12 @@
---
- name: Copy root certificate
copy:
- src: "/certs/rootCA.crt"
+ src: "{{ certificates_local_dir }}/rootCA.crt"
dest: /etc/pki/ca-trust/source/anchors/
+ register: copycert
notify: Restart Docker
- name: Extract root certificate
command: /usr/bin/update-ca-trust extract
+ when: copycert.changed
notify: Restart Docker
diff --git a/ansible/run_playbook.sh b/ansible/run_playbook.sh
index 2edbe358..3bc56b3c 100755
--- a/ansible/run_playbook.sh
+++ b/ansible/run_playbook.sh
@@ -103,7 +103,7 @@ if [ -n "$ANSIBLE_DOCKER_IMAGE" ] ; then
-v "${HOME}"/.ssh:/root/.ssh:rw \
-v "$ANSIBLE_DIR:/ansible:ro" \
-v "$ANSIBLE_DIR/application:/ansible/application:rw" \
- -v "$ANSIBLE_DIR/certs/:/certs:rw" \
+ -v "$ANSIBLE_DIR/certs/:/ansible/certs:rw" \
-v "$ANSIBLE_DIR/log/:/ansible/log:rw" \
-e ANSIBLE_LOG_PATH \
-it "${ANSIBLE_DOCKER_IMAGE}" "$@"
@@ -129,7 +129,7 @@ fi
--mount ro:"$ANSIBLE_DIR":/ansible \
--mount rw:"$ANSIBLE_DIR"/application:/ansible/application \
--mount rw:"$ANSIBLE_DIR"/log:/ansible/log \
- --mount rw:"$ANSIBLE_DIR"/certs:/certs \
+ --mount rw:"$ANSIBLE_DIR"/certs:/ansible/certs \
--mount ro:/etc/resolv.conf:/etc/resolv.conf \
--mount ro:/etc/hosts:/etc/hosts \
--workdir /ansible \