From 467c57ffcd6946c566046ab8042e14a2185e97fe Mon Sep 17 00:00:00 2001
From: Milan Verespej
Date: Wed, 6 Mar 2019 12:32:24 +0100
Subject: Change cert signing from command to module
With newer Ansible we are now able to sign nexus certificate with own CA using openssl_certificate module.
Issue-ID: OOM-1700
Change-Id: Idc54955160caef4a57bd50fc86678923511b5bce
Signed-off-by: Milan Verespej
---
 .../certificates/tasks/generate-certificates.yml | 34 +++++++++-------------
 ansible/roles/certificates/templates/v3.ext.j2 | 9 ------
 2 files changed, 14 insertions(+), 29 deletions(-)
 delete mode 100644 ansible/roles/certificates/templates/v3.ext.j2
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
index ac8fe1e3..9bf75fff 100644
--- a/ansible/roles/certificates/tasks/generate-certificates.yml
+++ b/ansible/roles/certificates/tasks/generate-certificates.yml
@@ -66,25 +66,19 @@
     extended_key_usage:
       - serverAuth
     subject_alt_name:
-      "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+      "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
 
-- name: Generate v3 extension config file
-  template:
-    src: v3.ext.j2
-    dest: "{{ certificates_local_dir }}/v3.ext"
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
 - name: Sign Nexus certificate
-  command: >
-    openssl
-    x509
-    -req
-    -in "{{ certificates_local_dir }}/nexus_server.csr"
-    -extfile "{{ certificates_local_dir }}/v3.ext"
-    -CA "{{ certificates_local_dir }}/rootCA.crt"
-    -CAkey "{{ certificates_local_dir }}/rootCA.key"
-    -CAcreateserial
-    -out "{{ certificates_local_dir }}/nexus_server.crt"
-    -days 3650
-    -sha256
+  openssl_certificate:
+    provider: ownca
+    path: "{{ certificates_local_dir }}/nexus_server.crt"
+    csr_path: "{{ certificates_local_dir }}/nexus_server.csr"
+    ownca_path: "{{ certificates_local_dir }}/rootCA.crt"
+    ownca_privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+    key_usage:
+      - digitalSignature
+      - nonRepudiation
+      - keyEncipherment
+      - dataEncipherment
+    subject_alt_name:
+      "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
diff --git a/ansible/roles/certificates/templates/v3.ext.j2 b/ansible/roles/certificates/templates/v3.ext.j2
deleted file mode 100644
index 7be946fd..00000000
--- a/ansible/roles/certificates/templates/v3.ext.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names]
-{% for name in all_simulated_hosts -%}
-  DNS.{{ loop.index }} = {{ name }}
-{% endfor %}
-- cgit 1.2.3-korg
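Review bot: The `key_usage` and `subject_alt_name` lists added under `openssl_certificate` in the "Sign Nexus certificate" task do not, as far as I can tell, write those extensions into the issued certificate: with `provider: ownca` the module copies the extensions from the CSR, and those two options are documented as checks for the `assertonly` provider. The deleted v3.ext also carried `basicConstraints=CA:FALSE` and `authorityKeyIdentifier=keyid,issuer`, for which the new task has no counterpart, so the signed server certificate may now lack the keyUsage and CA:FALSE constraints the command-based flow applied. Please confirm that the `openssl_csr` task producing nexus_server.csr (its start is outside the hunk; only its `extended_key_usage` and `subject_alt_name` are visible) also requests `key_usage` with these four values and `basic_constraints` of `CA:FALSE`, since that is now the only place they can come from. A comment above the task would make the dependency explicit, e.g. `# Extensions (keyUsage, SAN, basicConstraints) are taken from the CSR by the ownca provider;` / `# key_usage/subject_alt_name below only assert what the CSR requested`.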