Add pki to common
This commit is contained in:
parent
1cdfa9cd69
commit
326d017271
5 changed files with 219 additions and 4 deletions
5
ansible/playbooks/common.yml
Normal file
5
ansible/playbooks/common.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: common
|
||||
...
|
||||
|
|
@ -1,9 +1,8 @@
|
|||
---
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: common
|
||||
|
||||
- import_playbook: common.yml
|
||||
- import_playbook: consul-server.yml
|
||||
- import_playbook: vault-server.yml
|
||||
- import_playbook: consul-client.yml
|
||||
- import_playbook: nomad.yml
|
||||
#- import_playbook: docker-registry.yml
|
||||
...
|
||||
|
|
|
|||
100
ansible/roles/common/tasks/Debian_pki.yml
Normal file
100
ansible/roles/common/tasks/Debian_pki.yml
Normal file
|
|
@ -0,0 +1,100 @@
|
|||
---
|
||||
- name: ensure root cert exists
|
||||
copy:
|
||||
content: "{{ vault_ca_cert_payload }}"
|
||||
dest: "/usr/local/share/ca-certificates/{{ vault_ca_cert_name }}"
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: root
|
||||
register: root_ca
|
||||
|
||||
- name: update ca certs
|
||||
shell: update-ca-certificates
|
||||
args:
|
||||
executable: /bin/bash
|
||||
when: root_ca.changed
|
||||
|
||||
- name: check vault version
|
||||
shell:
|
||||
cmd: "vault --version | head -1 | cut -d'v' -f2"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
changed_when: False
|
||||
register: installed_vault_version
|
||||
check_mode: False
|
||||
|
||||
- name: get vault
|
||||
unarchive:
|
||||
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
|
||||
dest: /usr/local/bin/
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: root
|
||||
remote_src: True
|
||||
when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
|
||||
|
||||
- name: ensure pki cert directory
|
||||
file:
|
||||
path: /etc/pki/certs
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: ensure main pki directory
|
||||
file:
|
||||
path: /etc/pki/keys
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
|
||||
- name: ensure root cert exists for general use
|
||||
copy:
|
||||
content: "{{ vault_ca_cert_payload }}"
|
||||
dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
register: root_ca
|
||||
|
||||
- name: check if server cert is expiring in the next 5 days
|
||||
shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
failed_when: False
|
||||
check_mode: False
|
||||
changed_when: False
|
||||
register: exp
|
||||
|
||||
- name: get cert
|
||||
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
when: exp.rc != 0
|
||||
|
||||
- name: write cert data to server
|
||||
copy:
|
||||
content: "{{ item.content }}"
|
||||
dest: "/etc/pki/{{ item.path }}"
|
||||
mode: '{{ item.mode }}'
|
||||
owner: root
|
||||
group: root
|
||||
when: cert_data.changed
|
||||
loop:
|
||||
- {
|
||||
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
||||
path: "certs/{{ inventory_hostname_short }}.crt",
|
||||
mode: "0755"
|
||||
}
|
||||
- {
|
||||
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
|
||||
path: "keys/{{ inventory_hostname_short }}.key",
|
||||
mode: "0600"
|
||||
}
|
||||
...
|
||||
110
ansible/roles/common/tasks/FreeBSD_pki.yml
Normal file
110
ansible/roles/common/tasks/FreeBSD_pki.yml
Normal file
|
|
@ -0,0 +1,110 @@
|
|||
---
|
||||
- name: ensure root cert exists
|
||||
copy:
|
||||
content: "{{ vault_ca_cert_payload }}"
|
||||
dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: staff
|
||||
register: root_ca
|
||||
|
||||
- name: hash cert
|
||||
shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"
|
||||
when: root_ca.changed
|
||||
register: root_ca_hash
|
||||
failed_when: False
|
||||
args:
|
||||
executable: /usr/local/bin/bash
|
||||
|
||||
- name: create hash symlink for cert
|
||||
file:
|
||||
state: link
|
||||
src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
|
||||
dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"
|
||||
when: root_ca_hash.changed
|
||||
|
||||
- name: check vault version
|
||||
shell:
|
||||
cmd: "vault --version | head -1 | cut -d'v' -f2"
|
||||
args:
|
||||
executable: /usr/local/bin/bash
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: installed_vault_version
|
||||
check_mode: False
|
||||
|
||||
- name: get vault
|
||||
unarchive:
|
||||
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"
|
||||
dest: /usr/local/bin/
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: staff
|
||||
remote_src: True
|
||||
when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
|
||||
|
||||
- name: ensure pki cert directory
|
||||
file:
|
||||
path: /etc/pki/certs
|
||||
state: directory
|
||||
owner: root
|
||||
group: staff
|
||||
mode: 0755
|
||||
|
||||
- name: ensure main pki directory
|
||||
file:
|
||||
path: /etc/pki/keys
|
||||
state: directory
|
||||
owner: root
|
||||
group: staff
|
||||
mode: 0700
|
||||
|
||||
- name: ensure root cert exists for general use
|
||||
copy:
|
||||
content: "{{ vault_ca_cert_payload }}"
|
||||
dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: staff
|
||||
register: root_ca
|
||||
|
||||
- name: check if server cert is expiring in the next 5 days
|
||||
shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
|
||||
args:
|
||||
executable: /usr/local/bin/bash
|
||||
failed_when: False
|
||||
check_mode: False
|
||||
changed_when: False
|
||||
register: exp
|
||||
|
||||
- name: get cert
|
||||
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"
|
||||
args:
|
||||
executable: /usr/local/bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
when: exp.rc != 0
|
||||
|
||||
- name: write cert data to server
|
||||
copy:
|
||||
content: "{{ item.content }}"
|
||||
dest: "/etc/pki/{{ item.path }}"
|
||||
mode: '{{ item.mode }}'
|
||||
owner: root
|
||||
group: staff
|
||||
when: cert_data.changed
|
||||
loop:
|
||||
- {
|
||||
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
||||
path: "certs/{{ inventory_hostname_short }}.crt",
|
||||
mode: "0755"
|
||||
}
|
||||
- {
|
||||
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
|
||||
path: "keys/{{ inventory_hostname_short }}.key",
|
||||
mode: "0600"
|
||||
}
|
||||
...
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
- include: "{{ ansible_os_family }}_pki.yml"
|
||||
- include: "{{ ansible_os_family }}.yml"
|
||||
...
|
||||
|
|
|
|||
Loading…
Reference in a new issue