| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 |
- ---
- - name: Check status of external etcd certificatees
- stat:
- path: "{{ etcd_cert_config_dir }}/{{ item }}"
- with_items:
- - "{{ etcd_cert_prefix }}client.crt"
- - "{{ etcd_cert_prefix }}client.key"
- - "{{ etcd_cert_prefix }}ca.crt"
- register: g_external_etcd_cert_stat_result
- - set_fact:
- etcd_client_certs_missing: "{{ False in (g_external_etcd_cert_stat_result.results
- | oo_collect(attribute='stat.exists')
- | list) }}"
- - name: Ensure generated_certs directory present
- file:
- path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- state: directory
- mode: 0700
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
- - name: Create the client csr
- command: >
- openssl req -new -keyout {{ etcd_cert_prefix }}client.key
- -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}client.csr
- -reqexts {{ etcd_req_ext }} -batch -nodes
- -subj /CN={{ etcd_hostname }}
- args:
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'client.csr' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
- - name: Sign and create the client crt
- delegated_serial_command:
- command: >
- openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
- -out {{ etcd_cert_prefix }}client.crt
- -in {{ etcd_cert_prefix }}client.csr
- -batch
- chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
- creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
- ~ etcd_cert_prefix ~ 'client.crt' }}"
- environment:
- SAN: "IP:{{ etcd_ip }}"
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
- - file:
- src: "{{ etcd_ca_cert }}"
- dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
- state: hard
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
- - name: Create local temp directory for syncing certs
- local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
- register: g_etcd_client_mktemp
- changed_when: False
- when: etcd_client_certs_missing | bool
- delegate_to: localhost
- become: no
- - name: Create a tarball of the etcd certs
- command: >
- tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
- -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
- args:
- creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
- - name: Retrieve the etcd cert tarballs
- fetch:
- src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ g_etcd_client_mktemp.stdout }}/"
- flat: yes
- fail_on_missing: yes
- validate_checksum: yes
- when: etcd_client_certs_missing | bool
- delegate_to: "{{ etcd_ca_host }}"
- - name: Ensure certificate directory exists
- file:
- path: "{{ etcd_cert_config_dir }}"
- state: directory
- when: etcd_client_certs_missing | bool
- - name: Unarchive etcd cert tarballs
- unarchive:
- src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
- dest: "{{ etcd_cert_config_dir }}"
- when: etcd_client_certs_missing | bool
- - file:
- path: "{{ etcd_cert_config_dir }}/{{ item }}"
- owner: root
- group: root
- mode: 0600
- with_items:
- - "{{ etcd_cert_prefix }}client.crt"
- - "{{ etcd_cert_prefix }}client.key"
- - "{{ etcd_cert_prefix }}ca.crt"
- when: etcd_client_certs_missing | bool
- - name: Delete temporary directory
- file: name={{ g_etcd_client_mktemp.stdout }} state=absent
- changed_when: False
- when: etcd_client_certs_missing | bool
- delegate_to: localhost
- become: no
|
