Add pki to common

This commit is contained in:
Amarpreet Minhas 2020-08-29 20:21:40 -04:00
parent 1cdfa9cd69
commit 326d017271
5 changed files with 219 additions and 4 deletions

View file

@ -0,0 +1,5 @@
---
- hosts: all
roles:
- role: common
...

View file

@ -1,9 +1,8 @@
--- ---
- hosts: all - import_playbook: common.yml
roles:
- role: common
- import_playbook: consul-server.yml - import_playbook: consul-server.yml
- import_playbook: vault-server.yml - import_playbook: vault-server.yml
- import_playbook: consul-client.yml - import_playbook: consul-client.yml
- import_playbook: nomad.yml
#- import_playbook: docker-registry.yml
... ...

View file

@ -0,0 +1,100 @@
---
- name: ensure root cert exists
copy:
content: "{{ vault_ca_cert_payload }}"
dest: "/usr/local/share/ca-certificates/{{ vault_ca_cert_name }}"
mode: 0755
owner: root
group: root
register: root_ca
- name: update ca certs
shell: update-ca-certificates
args:
executable: /bin/bash
when: root_ca.changed
- name: check vault version
shell:
cmd: "vault --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_vault_version
check_mode: False
- name: get vault
unarchive:
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
- name: ensure pki cert directory
file:
path: /etc/pki/certs
state: directory
owner: root
group: root
mode: 0755
- name: ensure main pki directory
file:
path: /etc/pki/keys
state: directory
owner: root
group: root
mode: 0600
- name: ensure root cert exists for general use
copy:
content: "{{ vault_ca_cert_payload }}"
dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
mode: 0644
owner: root
group: root
register: root_ca
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy:
content: "{{ item.content }}"
dest: "/etc/pki/{{ item.path }}"
mode: '{{ item.mode }}'
owner: root
group: root
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "certs/{{ inventory_hostname_short }}.crt",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "keys/{{ inventory_hostname_short }}.key",
mode: "0600"
}
...

View file

@ -0,0 +1,110 @@
---
- name: ensure root cert exists
copy:
content: "{{ vault_ca_cert_payload }}"
dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
mode: 0644
owner: root
group: staff
register: root_ca
- name: hash cert
shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"
when: root_ca.changed
register: root_ca_hash
failed_when: False
args:
executable: /usr/local/bin/bash
- name: create hash symlink for cert
file:
state: link
src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"
when: root_ca_hash.changed
- name: check vault version
shell:
cmd: "vault --version | head -1 | cut -d'v' -f2"
args:
executable: /usr/local/bin/bash
changed_when: False
failed_when: False
register: installed_vault_version
check_mode: False
- name: get vault
unarchive:
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: staff
remote_src: True
when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
- name: ensure pki cert directory
file:
path: /etc/pki/certs
state: directory
owner: root
group: staff
mode: 0755
- name: ensure main pki directory
file:
path: /etc/pki/keys
state: directory
owner: root
group: staff
mode: 0700
- name: ensure root cert exists for general use
copy:
content: "{{ vault_ca_cert_payload }}"
dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
mode: 0644
owner: root
group: staff
register: root_ca
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
args:
executable: /usr/local/bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"
args:
executable: /usr/local/bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy:
content: "{{ item.content }}"
dest: "/etc/pki/{{ item.path }}"
mode: '{{ item.mode }}'
owner: root
group: staff
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "certs/{{ inventory_hostname_short }}.crt",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "keys/{{ inventory_hostname_short }}.key",
mode: "0600"
}
...

View file

@ -1,3 +1,4 @@
--- ---
- include: "{{ ansible_os_family }}_pki.yml"
- include: "{{ ansible_os_family }}.yml" - include: "{{ ansible_os_family }}.yml"
... ...