Diffstat (limited to 'ansible/roles/certificates/tasks/main.yml')
-rw-r--r-- | ansible/roles/certificates/tasks/main.yml | 96 |
1 files changed, 4 insertions, 92 deletions
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
index 2e7dd88a..7aaeac1d 100644
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -1,100 +1,12 @@
 ---
-# Some of task are delegated to Ansible container because unavailable
-# version of python-pyOpenSSL
-- name: Generate root CA private key
- openssl_privatekey:
- path: /certs/rootCA.key
- size: 4096
- delegate_to: localhost
-
-- name: Generate an OpenSSL CSR.
- openssl_csr:
- path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- basic_constraints:
- - CA:true
- basic_constraints_critical: yes
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- delegate_to: localhost
-
-- name: Generate root CA certificate
- openssl_certificate:
- provider: selfsigned
- path: /certs/rootCA.crt
- csr_path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- force: yes
- delegate_to: localhost
- notify: Restart Docker
-
-- name: Generate private Nexus key
- openssl_privatekey:
- path: /certs/nexus_server.key
- size: 4096
- force: False
- delegate_to: localhost
-
-- name: Generate Nexus CSR (certificate signing request)
- openssl_csr:
- path: /certs/nexus_server.csr
- privatekey_path: /certs/nexus_server.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- common_name: registry-1.docker.io
- key_usage:
- - keyAgreement
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- - dataEncipherment
- extended_key_usage:
- - serverAuth
- subject_alt_name:
- "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
- delegate_to: localhost
-
-- name: Generate v3 extension config file
- template:
- src: v3.ext.j2
- dest: /certs/v3.ext
- delegate_to: localhost
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
-- name: Sign Nexus certificate
- command: >
- openssl
- x509
- -req
- -in /certs/nexus_server.csr
- -extfile /certs/v3.ext
- -CA /certs/rootCA.crt
- -CAkey /certs/rootCA.key
- -CAcreateserial
- -out /certs/nexus_server.crt
- -days 3650
- -sha256
+- name: Generate certs
+ import_tasks: generate-certificates.yml
 delegate_to: localhost

 - name: Upload certificates to infrastructure server
 copy:
- src: /certs
- directory_mode: yes
+ src: "{{ certificates_local_dir }}"
+ directory_mode: true
 dest: "{{ app_data_path }}/"

 - import_tasks: upload_root_ca.yml
|
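Review bot: `directory_mode: true` on the copy task is not a mode: the copy module's `directory_mode` takes the permissions to give directories created during a recursive copy (for example `directory_mode: "0750"`), not a boolean, so the new line should carry a real mode or be dropped rather than just swap `yes` for `true`. The task also sets no `mode` for the files it uploads, and the removed tasks show the source tree held `rootCA.key` and `nexus_server.key` next to the certificates, so if `certificates_local_dir` still contains those keys they land under `{{ app_data_path }}/` with default permissions. Limiting the upload to the certificate files the server needs, keeping the CA private key local, and giving the copy an explicit restrictive `mode` would close that. `delegate_to: localhost` is now attached to the `import_tasks` entry instead of to each certificate task; whether it is inherited by every task in generate-certificates.yml on the Ansible release in use (the removed comment mentions 2.6.3) is worth confirming, since those tasks relied on running locally.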