Inicio Explorar Ayuda
Registro Iniciar sesión
shixiong
/
okd
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: 3bd5ae21ad
Ramas Etiquetas
okd
/
roles
/
etcd_server_certificates
/
tasks
/
main.yml

main.yml 6.1 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. ---
    2. 

  2. - name: Check status of etcd certificates
    3. 

  3.   stat:
    4. 

  4.     path: "{{ etcd_cert_config_dir }}/{{ item }}"
    5. 

  5.   with_items:
    6. 

  6.   - "{{ etcd_cert_prefix }}server.crt"
    7. 

  7.   - "{{ etcd_cert_prefix }}peer.crt"
    8. 

  8.   - "{{ etcd_cert_prefix }}ca.crt"
    9. 

  9.   register: g_etcd_server_cert_stat_result
    10. 

  10.   when: not etcd_certificates_redeploy | default(false) | bool
    11. 

  11. 

  12. - set_fact:
    13. 

  13.     etcd_server_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
    14. 

  14.                                    else (False in (g_etcd_server_cert_stat_result.results
    15. 

  15.                                                    | default({})
    16. 

  16.                                                    | oo_collect(attribute='stat.exists')
    17. 

  17.                                                    | list)) }}"
    18. 

  18. 

  19. - name: Ensure generated_certs directory present
    20. 

  20.   file:
    21. 

  21.     path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    22. 

  22.     state: directory
    23. 

  23.     mode: 0700
    24. 

  24.   when: etcd_server_certs_missing | bool
    25. 

  25.   delegate_to: "{{ etcd_ca_host }}"
    26. 

  26. 

  27. - name: Create the server csr
    28. 

  28.   command: >
    29. 

  29.     openssl req -new -keyout {{ etcd_cert_prefix }}server.key
    30. 

  30.     -config {{ etcd_openssl_conf }}
    31. 

  31.     -out {{ etcd_cert_prefix }}server.csr
    32. 

  32.     -reqexts {{ etcd_req_ext }} -batch -nodes
    33. 

  33.     -subj /CN={{ etcd_hostname }}
    34. 

  34.   args:
    35. 

  35.     chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    36. 

  36.     creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
    37. 

  37.                  ~ etcd_cert_prefix ~ 'server.csr' }}"
    38. 

  38.   environment:
    39. 

  39.     SAN: "IP:{{ etcd_ip }}"
    40. 

  40.   when: etcd_server_certs_missing | bool
    41. 

  41.   delegate_to: "{{ etcd_ca_host }}"
    42. 

  42. 

  43. # Certificates must be signed serially in order to avoid competing
    44. 

  44. # for the serial file.
    45. 

  45. - name: Sign and create the server crt
    46. 

  46.   delegated_serial_command:
    47. 

  47.     command: >
    48. 

  48.       openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
    49. 

  49.       -out {{ etcd_cert_prefix }}server.crt
    50. 

  50.       -in {{ etcd_cert_prefix }}server.csr
    51. 

  51.       -extensions {{ etcd_ca_exts_server }} -batch
    52. 

  52.     chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    53. 

  53.     creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
    54. 

  54.                  ~ etcd_cert_prefix ~ 'server.crt' }}"
    55. 

  55.   environment:
    56. 

  56.     SAN: "IP:{{ etcd_ip }}"
    57. 

  57.   delegate_to: "{{ etcd_ca_host }}"
    58. 

  58. 

  59. - name: Create the peer csr
    60. 

  60.   command: >
    61. 

  61.     openssl req -new -keyout {{ etcd_cert_prefix }}peer.key
    62. 

  62.     -config {{ etcd_openssl_conf }}
    63. 

  63.     -out {{ etcd_cert_prefix }}peer.csr
    64. 

  64.     -reqexts {{ etcd_req_ext }} -batch -nodes
    65. 

  65.     -subj /CN={{ etcd_hostname }}
    66. 

  66.   args:
    67. 

  67.     chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    68. 

  68.     creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
    69. 

  69.                  ~ etcd_cert_prefix ~ 'peer.csr' }}"
    70. 

  70.   environment:
    71. 

  71.     SAN: "IP:{{ etcd_ip }}"
    72. 

  72.   when: etcd_server_certs_missing | bool
    73. 

  73.   delegate_to: "{{ etcd_ca_host }}"
    74. 

  74. 

  75. # Certificates must be signed serially in order to avoid competing
    76. 

  76. # for the serial file.
    77. 

  77. - name: Sign and create the peer crt
    78. 

  78.   delegated_serial_command:
    79. 

  79.     command: >
    80. 

  80.       openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
    81. 

  81.       -out {{ etcd_cert_prefix }}peer.crt
    82. 

  82.       -in {{ etcd_cert_prefix }}peer.csr
    83. 

  83.       -extensions {{ etcd_ca_exts_peer }} -batch
    84. 

  84.     chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    85. 

  85.     creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
    86. 

  86.                  ~ etcd_cert_prefix ~ 'peer.crt' }}"
    87. 

  87.   environment:
    88. 

  88.     SAN: "IP:{{ etcd_ip }}"
    89. 

  89.   when: etcd_server_certs_missing | bool
    90. 

  90.   delegate_to: "{{ etcd_ca_host }}"
    91. 

  91. 

  92. - file:
    93. 

  93.     src: "{{ etcd_ca_cert }}"
    94. 

  94.     dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
    95. 

  95.     state: hard
    96. 

  96.   when: etcd_server_certs_missing | bool
    97. 

  97.   delegate_to: "{{ etcd_ca_host }}"
    98. 

  98. 

  99. - name: Create local temp directory for syncing certs
    100. 

  100.   local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
    101. 

  101.   become: no
    102. 

  102.   register: g_etcd_server_mktemp
    103. 

  103.   changed_when: False
    104. 

  104.   when: etcd_server_certs_missing | bool
    105. 

  105.   delegate_to: localhost
    106. 

  106. 

  107. - name: Create a tarball of the etcd certs
    108. 

  108.   command: >
    109. 

  109.     tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
    110. 

  110.       -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
    111. 

  111.   args:
    112. 

  112.     creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    113. 

  113.   when: etcd_server_certs_missing | bool
    114. 

  114.   delegate_to: "{{ etcd_ca_host }}"
    115. 

  115. 

  116. - name: Retrieve etcd cert tarball
    117. 

  117.   fetch:
    118. 

  118.     src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    119. 

  119.     dest: "{{ g_etcd_server_mktemp.stdout }}/"
    120. 

  120.     flat: yes
    121. 

  121.     fail_on_missing: yes
    122. 

  122.     validate_checksum: yes
    123. 

  123.   when: etcd_server_certs_missing | bool
    124. 

  124.   delegate_to: "{{ etcd_ca_host }}"
    125. 

  125. 

  126. - name: Ensure certificate directory exists
    127. 

  127.   file:
    128. 

  128.     path: "{{ etcd_cert_config_dir }}"
    129. 

  129.     state: directory
    130. 

  130.   when: etcd_server_certs_missing | bool
    131. 

  131. 

  132. - name: Unarchive cert tarball
    133. 

  133.   unarchive:
    134. 

  134.     src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
    135. 

  135.     dest: "{{ etcd_cert_config_dir }}"
    136. 

  136.   when: etcd_server_certs_missing | bool
    137. 

  137. 

  138. - name: Delete temporary directory
    139. 

  139.   file: name={{ g_etcd_server_mktemp.stdout }} state=absent
    140. 

  140.   become: no
    141. 

  141.   changed_when: False
    142. 

  142.   when: etcd_server_certs_missing | bool
    143. 

  143.   delegate_to: localhost
    144. 

  144. 

  145. - name: Validate permissions on certificate files
    146. 

  146.   file:
    147. 

  147.     path: "{{ item }}"
    148. 

  148.     mode: 0600
    149. 

  149.     owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
    150. 

  150.     group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
    151. 

  151.   when: etcd_url_scheme == 'https'
    152. 

  152.   with_items:
    153. 

  153.   - "{{ etcd_ca_file }}"
    154. 

  154.   - "{{ etcd_cert_file }}"
    155. 

  155.   - "{{ etcd_key_file }}"
    156. 

  156. 

  157. - name: Validate permissions on peer certificate files
    158. 

  158.   file:
    159. 

  159.     path: "{{ item }}"
    160. 

  160.     mode: 0600
    161. 

  161.     owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
    162. 

  162.     group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
    163. 

  163.   when: etcd_peer_url_scheme == 'https'
    164. 

  164.   with_items:
    165. 

  165.   - "{{ etcd_peer_ca_file }}"
    166. 

  166.   - "{{ etcd_peer_cert_file }}"
    167. 

  167.   - "{{ etcd_peer_key_file }}"
    168. 

  168. 

  169. - name: Validate permissions on the config dir
    170. 

  170.   file:
    171. 

  171.     path: "{{ etcd_conf_dir }}"
    172. 

  172.     state: directory
    173. 

  173.     owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
    174. 

  174.     group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
    175. 

  175.     mode: 0700
    176.