forked from chrisvanmeer/at-hashi-demo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
02_public-key-infrastructure.yml
171 lines (147 loc) · 6.76 KB
/
02_public-key-infrastructure.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
---
- name: "AT Computing - HashiCorp Demo - Public Key Infrastructure"
hosts: all
become: true
vars_files:
- vars/general/main.yml
- vars/multipass/main.yml
- vars/hashicorp/vault.yml
- vars/hashicorp/ssl.yml
tasks:
- name: "HashiCorp - PKI : Check if CA file already exists."
ansible.builtin.stat:
path: "{{ ssl_ca_certfile_path }}"
register: ca_already_exists
- name: "HashiCorp - PKI : Create PKI infrastructure on first server."
block:
## Certificate Authority
- name: "HashiCorp - PKI : Create private key with password protection."
community.crypto.openssl_privatekey:
path: "{{ ssl_ca_keyfile_path }}"
- name: "HashiCorp - PKI : Create certificate signing request (CSR) for CA certificate."
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ ssl_ca_keyfile_path }}"
common_name: AT Computing CA
use_common_name_for_san: false
basic_constraints:
- "CA:TRUE"
basic_constraints_critical: yes
key_usage:
- keyCertSign
key_usage_critical: true
register: ca_csr
- name: "HashiCorp - PKI : Create self-signed CA certificate from CSR."
community.crypto.x509_certificate:
path: "{{ ssl_ca_certfile_path }}"
csr_content: "{{ ca_csr.csr }}"
privatekey_path: "{{ ssl_ca_keyfile_path }}"
provider: selfsigned
register: ca_certificate
when: not ca_already_exists.stat.exists
delegate_to: "{{ groups['servers'] | first }}"
run_once: true
## Webapp certificate
- name: "HashiCorp - PKI : Create PKI infrastructure on first server."
block:
- name: "HashiCorp - PKI : Create private key for webapp certificate."
community.crypto.openssl_privatekey:
path: "{{ ssl_webapp_keyfile_path }}"
- name: "HashiCorp - PKI : Retrieve private key contents."
ansible.builtin.slurp:
src: "{{ ssl_webapp_keyfile_path }}"
register: keyfile
- name: "HashiCorp - PKI : Create certificate signing request (CSR) for webapp certificate."
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ ssl_webapp_keyfile_path }}"
common_name: "{{ demo_fqdn }}"
subject_alt_name:
- "DNS:{{ demo_fqdn }}"
register: csr
- name: "HashiCorp - PKI : Check whether certificate exists."
ansible.builtin.stat:
path: "{{ ssl_webapp_certfile_path }}"
register: certificate_exists
- name: "HashiCorp - PKI : Read existing certificate if exists."
ansible.builtin.slurp:
src: "{{ ssl_webapp_certfile_path }}"
when: certificate_exists.stat.exists
register: certificate
- name: "HashiCorp - PKI : Sign certificate with our CA."
community.crypto.x509_certificate_pipe:
content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
csr_content: "{{ csr.csr }}"
provider: ownca
ownca_path: "{{ ssl_ca_certfile_path }}"
ownca_privatekey_path: "{{ ssl_ca_keyfile_path }}"
register: certificate
- name: "HashiCorp - PKI : Write certificate file."
ansible.builtin.copy:
dest: "{{ ssl_webapp_certfile_path }}"
content: "{{ certificate.certificate }}"
mode: "0644"
when: certificate is changed
delegate_to: "{{ groups['servers'] | first }}"
run_once: true
## Distribute the CA certificate to the rest of the environment
- name: "HashiCorp - PKI : Distribute the CA certificate to the rest of the environment."
block:
- name: "HashiCorp - PKI : Retrieve CA certificate contents."
ansible.builtin.slurp:
src: "{{ ssl_ca_certfile_path }}"
register: ca_certificate_slurp
delegate_to: "{{ groups['servers'] | first }}"
run_once: true
tags: shared
- name: "HashiCorp - PKI : Place certificate in default location."
ansible.builtin.copy:
dest: "{{ ssl_ca_certfile_path }}"
content: "{{ ca_certificate_slurp.content | b64decode }}"
mode: "0644"
when: ansible_hostname != groups['servers'] | first
## Create all SSL certificates for both the servers and the clients.
- name: "HashiCorp - PKI : Create all SSL certificates for both the servers and the clients."
block:
- name: "HashiCorp - PKI : Create private key for new certificate."
community.crypto.openssl_privatekey:
path: "{{ ssl_member_keyfile_path }}"
- name: "HashiCorp - PKI : Create certificate signing request (CSR) for new certificate."
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ ssl_member_keyfile_path }}"
common_name: "{{ ssl_member_filename }}"
subject_alt_name:
- "DNS:{{ ssl_member_filename }}"
register: member_csr
- name: "HashiCorp - PKI : Check whether certificate exists."
ansible.builtin.stat:
path: "{{ ssl_member_certfile_path }}"
register: member_certificate_exists
- name: "HashiCorp - PKI : Read existing certificate if exists."
ansible.builtin.slurp:
src: "{{ ssl_member_certfile_path }}"
when: member_certificate_exists.stat.exists
register: member_certificate
- name: "HashiCorp - PKI : Sign certificate with our CA."
community.crypto.x509_certificate_pipe:
content: "{{ (member_certificate.content | b64decode) if member_certificate_exists.stat.exists else omit }}"
csr_content: "{{ member_csr.csr }}"
provider: ownca
ownca_path: "{{ ssl_ca_certfile_path }}"
ownca_privatekey_path: "{{ ssl_ca_keyfile_path }}"
register: member_certificate
delegate_to: "{{ groups['servers'] | first }}"
- name: "HashiCorp - PKI : Write certificate file."
ansible.builtin.copy:
dest: "{{ ssl_member_certfile_path }}"
content: "{{ member_certificate.certificate }}"
mode: "0644"
when: member_certificate is changed
- name: "HashiCorp - PKI : Ensure the CA certificate is copied to the local certs directory."
ansible.builtin.copy:
dest: "{{ ssl_shared_dir }}/{{ ssl_ca_filename }}.crt"
content: "{{ ca_certificate_slurp.content | b64decode }}"
mode: 0644
tags: shared
- name: "HashiCorp - PKI : Ensure certificate index is updated."
ansible.builtin.command: "/usr/sbin/update-ca-certificates -f"
changed_when: false
tags: shared