
  1. ---
  2. - name: Ensure CA certificate exists on etcd_ca_host
  3. stat:
  4. path: "{{ etcd_ca_cert }}"
  5. get_checksum: false
  6. get_attributes: false
  7. get_mime: false
  8. register: g_ca_cert_stat_result
  9. delegate_to: "{{ etcd_ca_host }}"
  10. run_once: true
  11. - fail:
  12. msg: >
  13. CA certificate {{ etcd_ca_cert }} doesn't exist on CA host
  14. {{ etcd_ca_host }}. Apply 'etcd_ca' action from `etcd` role to
  15. {{ etcd_ca_host }}.
  16. when: not g_ca_cert_stat_result.stat.exists | bool
  17. run_once: true
  18. - name: Check status of external etcd certificatees
  19. stat:
  20. path: "{{ etcd_cert_config_dir }}/{{ item }}"
  21. get_checksum: false
  22. get_attributes: false
  23. get_mime: false
  24. with_items:
  25. - "{{ etcd_cert_prefix }}client.crt"
  26. - "{{ etcd_cert_prefix }}client.key"
  27. - "{{ etcd_cert_prefix }}ca.crt"
  28. register: g_external_etcd_cert_stat_result
  29. when: not etcd_certificates_redeploy | default(false) | bool
  30. - set_fact:
  31. etcd_client_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
  32. else (False in (g_external_etcd_cert_stat_result.results
  33. | default({})
  34. | lib_utils_oo_collect(attribute='stat.exists')
  35. | list)) }}"
  36. - name: Ensure generated_certs directory present
  37. file:
  38. path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
  39. state: directory
  40. mode: 0700
  41. when: etcd_client_certs_missing | bool
  42. delegate_to: "{{ etcd_ca_host }}"
  43. - name: Create the client csr
  44. command: >
  45. openssl req -new -keyout {{ etcd_cert_prefix }}client.key
  46. -config {{ etcd_openssl_conf }}
  47. -out {{ etcd_cert_prefix }}client.csr
  48. -reqexts {{ etcd_req_ext }} -batch -nodes
  49. -subj /CN={{ etcd_hostname }}
  50. args:
  51. chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
  52. creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
  53. ~ etcd_cert_prefix ~ 'client.csr' }}"
  54. environment:
  55. SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
  56. when: etcd_client_certs_missing | bool
  57. delegate_to: "{{ etcd_ca_host }}"
  58. # Certificates must be signed serially in order to avoid competing
  59. # for the serial file.
  60. # delegated_serial_command is a custom module in lib_utils
  61. - name: Sign and create the client crt
  62. delegated_serial_command:
  63. command: >
  64. openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
  65. -out {{ etcd_cert_prefix }}client.crt
  66. -in {{ etcd_cert_prefix }}client.csr
  67. -batch
  68. chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
  69. creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
  70. ~ etcd_cert_prefix ~ 'client.crt' }}"
  71. environment:
  72. SAN: "IP:{{ etcd_ip }}"
  73. when: etcd_client_certs_missing | bool
  74. delegate_to: "{{ etcd_ca_host }}"
  75. - file:
  76. src: "{{ etcd_ca_cert }}"
  77. dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
  78. state: hard
  79. force: yes
  80. when: etcd_client_certs_missing | bool
  81. delegate_to: "{{ etcd_ca_host }}"
  82. - name: Create a tarball of the etcd certs
  83. command: >
  84. tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
  85. -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
  86. args:
  87. creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
  88. # Disables the following warning:
  89. # Consider using unarchive module rather than running tar
  90. warn: no
  91. when: etcd_client_certs_missing | bool
  92. delegate_to: "{{ etcd_ca_host }}"
  93. - name: Retrieve the etcd cert tarballs
  94. fetch:
  95. src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
  96. dest: "/tmp"
  97. fail_on_missing: yes
  98. validate_checksum: yes
  99. when: etcd_client_certs_missing | bool
  100. delegate_to: "{{ etcd_ca_host }}"
  101. - name: Ensure certificate directory exists
  102. file:
  103. path: "{{ etcd_cert_config_dir }}"
  104. state: directory
  105. when: etcd_client_certs_missing | bool
  106. - name: Unarchive etcd cert tarballs
  107. unarchive:
  108. src: "/tmp/{{ inventory_hostname }}/{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
  109. dest: "{{ etcd_cert_config_dir }}"
  110. when: etcd_client_certs_missing | bool
  111. - name: Delete temporary directory
  112. local_action: file path="/tmp/{{ inventory_hostname }}" state=absent
  113. changed_when: False
  114. when: etcd_client_certs_missing | bool
  115. - file:
  116. path: "{{ etcd_cert_config_dir }}/{{ item }}"
  117. owner: root
  118. group: root
  119. mode: 0600
  120. with_items:
  121. - "{{ etcd_cert_prefix }}client.crt"
  122. - "{{ etcd_cert_prefix }}client.key"
  123. - "{{ etcd_cert_prefix }}ca.crt"
  124. when: etcd_client_certs_missing | bool