Improve certificates role testability 68/79568/5
authorSamuli Silvius <s.silvius@partner.samsung.com>
Sun, 3 Mar 2019 11:34:16 +0000 (13:34 +0200)
committerSamuli Silvius <s.silvius@partner.samsung.com>
Tue, 12 Mar 2019 12:07:19 +0000 (14:07 +0200)
Move the certs source path to role defaults and make other small refactorings.

Issue-ID: OOM-1694

Change-Id: Ie0a4b543b40314dc5a7772dd4667b1ad218d3543
Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
ansible/infrastructure.yml
ansible/roles/application-install/tasks/install.yml
ansible/roles/certificates/defaults/main.yml [new file with mode: 0644]
ansible/roles/certificates/tasks/generate-certificates.yml [new file with mode: 0644]
ansible/roles/certificates/tasks/main.yml
ansible/roles/certificates/tasks/upload_root_ca.yml
ansible/run_playbook.sh

index 382ffd5..83e185f 100644 (file)
@@ -21,3 +21,5 @@
     - docker
   tasks:
     - import_tasks: roles/certificates/tasks/upload_root_ca.yml
+      vars:
+        certificates_local_dir: certs
index c0be12e..d2134d3 100644 (file)
@@ -40,7 +40,7 @@
 
 - name: Register root certificate
   slurp:
-    src: '/certs/rootCA.crt'
+    src: "{{ playbook_dir }}/certs/rootCA.crt"
   register: root_cert
   delegate_to: localhost
 
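Review bot: The slurp `src` on the added line hardcodes `certs` after `playbook_dir` while the same commit introduces `certificates_local_dir` for that directory, so anyone overriding the variable gets two different locations without any error. If the certificates role's defaults are not in scope for application-install, a guarded reference still keeps the directory name in one place: `src: "{{ playbook_dir }}/{{ certificates_local_dir | default('certs') }}/rootCA.crt"`. The absolute `playbook_dir` prefix presumably stays necessary here, since slurp runs on the delegated host and would resolve a relative path against that process's working directory rather than the playbook tree.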
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644 (file)
index 0000000..260ba96
--- /dev/null
@@ -0,0 +1,4 @@
+---
+# Generate certs to local current dir where ansible in run (= playbook_dir)
+# After ansible run, dir can be deleted but idempotence is lost and certs are re-generated in next run
+certificates_local_dir: certs
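Review bot: `certificates_local_dir: certs` is a relative path, so the `file` and `openssl_*` tasks that run delegated to localhost create the key material relative to the ansible process's working directory, not `playbook_dir` as the comment above it states; the two only coincide because run_playbook.sh sets `--workdir /ansible` and mounts the host directory at `/ansible/certs`, and an operator invoking ansible-playbook from another directory would get the CA private key written somewhere unexpected. Anchoring the default on the playbook makes the intent explicit, `certificates_local_dir: "{{ playbook_dir }}/certs"`, and the `vars:` override added in infrastructure.yml would want the same value. The comment should then describe what actually happens, e.g. `# Directory on the control host where keys and certificates are generated (deleting it after a run forces regeneration, including a new root CA key, on the next run)`.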
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
new file mode 100644 (file)
index 0000000..ac8fe1e
--- /dev/null
@@ -0,0 +1,90 @@
+---
+- name: Create certificates directory certs to current dir
+  file:
+    path: "{{ certificates_local_dir }}"
+    state: directory
+
+# Some of task are delegated to Ansible container because unavailable
+# version of python-pyOpenSSL
+- name: Generate root CA private key
+  openssl_privatekey:
+    path: "{{ certificates_local_dir }}/rootCA.key"
+    size: 4096
+
+- name: Generate an OpenSSL CSR.
+  openssl_csr:
+    path: "{{ certificates_local_dir }}/rootCA.csr"
+    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+    organization_name: "{{ certificates.organization_name }}"
+    state_or_province_name: "{{ certificates.state_or_province_name }}"
+    country_name: "{{ certificates.country_name }}"
+    locality_name: "{{ certificates.locality_name }}"
+    basic_constraints:
+      - CA:true
+    basic_constraints_critical: true
+    key_usage:
+      - critical
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+
+- name: Generate root CA certificate
+  openssl_certificate:
+    provider: selfsigned
+    path: "{{ certificates_local_dir }}/rootCA.crt"
+    csr_path: "{{ certificates_local_dir }}/rootCA.csr"
+    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+    key_usage:
+      - critical
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+    force: true
+  notify: Restart Docker
+
+- name: Generate private Nexus key
+  openssl_privatekey:
+    path: "{{ certificates_local_dir }}/nexus_server.key"
+    size: 4096
+    force: false
+
+- name: Generate Nexus CSR (certificate signing request)
+  openssl_csr:
+    path: "{{ certificates_local_dir }}/nexus_server.csr"
+    privatekey_path: "{{ certificates_local_dir }}/nexus_server.key"
+    organization_name: "{{ certificates.organization_name }}"
+    state_or_province_name: "{{ certificates.state_or_province_name }}"
+    country_name: "{{ certificates.country_name }}"
+    locality_name: "{{ certificates.locality_name }}"
+    common_name: registry-1.docker.io
+    key_usage:
+      - keyAgreement
+      - nonRepudiation
+      - digitalSignature
+      - keyEncipherment
+      - dataEncipherment
+    extended_key_usage:
+      - serverAuth
+    subject_alt_name:
+      "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+
+- name: Generate v3 extension config file
+  template:
+    src: v3.ext.j2
+    dest: "{{ certificates_local_dir }}/v3.ext"
+
+# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
+# Currently using 2.6.3
+- name: Sign Nexus certificate
+  command: >
+    openssl
+    x509
+    -req
+    -in "{{ certificates_local_dir }}/nexus_server.csr"
+    -extfile "{{ certificates_local_dir }}/v3.ext"
+    -CA "{{ certificates_local_dir }}/rootCA.crt"
+    -CAkey "{{ certificates_local_dir }}/rootCA.key"
+    -CAcreateserial
+    -out "{{ certificates_local_dir }}/nexus_server.crt"
+    -days 3650
+    -sha256
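Review bot: `force: true` on the root CA certificate task and the unconditioned `openssl x509 -req` command produce a new root CA certificate and a new Nexus certificate on every run, so the idempotence the new defaults file promises only holds for the private keys, and for a trust anchor it also means each run can change the material already placed under `/etc/pki/ca-trust/source/anchors/` by upload_root_ca.yml. Unless regeneration on every run is intended, drop `force: true` (the selfsigned provider regenerates when the certificate no longer matches the CSR or key) and give the signing command `args:` / `creates: "{{ certificates_local_dir }}/nexus_server.crt"`. Literals such as `size: 4096` and `-days 3650` are candidates for defaults/main.yml next to `certificates_local_dir`. The delegation comment at the top of this file now refers to the `delegate_to: localhost` attached to the import in tasks/main.yml rather than to anything in this file; `# All tasks in this file run on the control host (delegated from tasks/main.yml)` would say so.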
index 2e7dd88..7aaeac1 100644 (file)
 ---
-# Some of task are delegated to Ansible container because unavailable
-# version of python-pyOpenSSL
-- name: Generate root CA private key
-  openssl_privatekey:
-    path: /certs/rootCA.key
-    size: 4096
-  delegate_to: localhost
-
-- name: Generate an OpenSSL CSR.
-  openssl_csr:
-    path: /certs/rootCA.csr
-    privatekey_path: /certs/rootCA.key
-    organization_name: "{{ certificates.organization_name }}"
-    state_or_province_name: "{{ certificates.state_or_province_name }}"
-    country_name: "{{ certificates.country_name }}"
-    locality_name: "{{ certificates.locality_name }}"
-    basic_constraints:
-      - CA:true
-    basic_constraints_critical: yes
-    key_usage:
-      - critical
-      - digitalSignature
-      - cRLSign
-      - keyCertSign
-  delegate_to: localhost
-
-- name: Generate root CA certificate
-  openssl_certificate:
-    provider: selfsigned
-    path: /certs/rootCA.crt
-    csr_path: /certs/rootCA.csr
-    privatekey_path: /certs/rootCA.key
-    key_usage:
-      - critical
-      - digitalSignature
-      - cRLSign
-      - keyCertSign
-    force: yes
-  delegate_to: localhost
-  notify: Restart Docker
-
-- name: Generate private Nexus key
-  openssl_privatekey:
-    path: /certs/nexus_server.key
-    size: 4096
-    force: False
-  delegate_to: localhost
-
-- name: Generate Nexus CSR (certificate signing request)
-  openssl_csr:
-    path: /certs/nexus_server.csr
-    privatekey_path: /certs/nexus_server.key
-    organization_name: "{{ certificates.organization_name }}"
-    state_or_province_name: "{{ certificates.state_or_province_name }}"
-    country_name: "{{ certificates.country_name }}"
-    locality_name: "{{ certificates.locality_name }}"
-    common_name: registry-1.docker.io
-    key_usage:
-      - keyAgreement
-      - nonRepudiation
-      - digitalSignature
-      - keyEncipherment
-      - dataEncipherment
-    extended_key_usage:
-      - serverAuth
-    subject_alt_name:
-      "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
-  delegate_to: localhost
-
-- name: Generate v3 extension config file
-  template:
-    src: v3.ext.j2
-    dest: /certs/v3.ext
-  delegate_to: localhost
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
-- name: Sign Nexus certificate
-  command: >
-    openssl
-    x509
-    -req
-    -in /certs/nexus_server.csr
-    -extfile /certs/v3.ext
-    -CA /certs/rootCA.crt
-    -CAkey /certs/rootCA.key
-    -CAcreateserial
-    -out /certs/nexus_server.crt
-    -days 3650
-    -sha256
+- name: Generate certs
+  import_tasks: generate-certificates.yml
   delegate_to: localhost
 
 - name: Upload certificates to infrastructure server
   copy:
-    src: /certs
-    directory_mode: yes
+    src: "{{ certificates_local_dir }}"
+    directory_mode: true
     dest: "{{ app_data_path }}/"
 
 - import_tasks: upload_root_ca.yml
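Review bot: The `copy` task ships the whole `certificates_local_dir`, including `rootCA.key` (the CA private key), to the infrastructure server under `app_data_path`, and without a `mode` the files presumably land with the target's umask default rather than the restrictive mode the openssl_privatekey module applies locally. If the server only needs the certificates, copy those files explicitly; otherwise at least add `mode: preserve` (available from Ansible 2.6, which the comments say is in use) so the key files keep their local permissions. It is also worth confirming, on the Ansible version in use, that the `delegate_to: localhost` placed on `import_tasks` is applied to every imported task, since nothing inside generate-certificates.yml delegates on its own.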
index 5a59d27..b2f1f94 100644 (file)
@@ -1,10 +1,12 @@
 ---
 - name: Copy root certificate
   copy:
-    src: "/certs/rootCA.crt"
+    src: "{{ certificates_local_dir }}/rootCA.crt"
     dest: /etc/pki/ca-trust/source/anchors/
+  register: copycert
   notify: Restart Docker
 
 - name: Extract root certificate
   command: /usr/bin/update-ca-trust extract
+  when: copycert.changed
   notify: Restart Docker
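Review bot: Gating `update-ca-trust extract` on `copycert.changed` means a run in which the copy succeeded but the extract failed or was interrupted never re-runs the extract, because the next copy reports unchanged and the anchor stays un-extracted. Either keep the extract unconditional (it should be idempotent on its own) or move it into a handler notified by the copy so it runs whenever the anchor changes; if the condition stays, the Ansible 2.5+ form `when: copycert is changed` is the documented idiom.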
index 2edbe35..3bc56b3 100755 (executable)
@@ -103,7 +103,7 @@ if [ -n "$ANSIBLE_DOCKER_IMAGE" ] ; then
         -v "${HOME}"/.ssh:/root/.ssh:rw \
         -v "$ANSIBLE_DIR:/ansible:ro" \
         -v "$ANSIBLE_DIR/application:/ansible/application:rw" \
-        -v "$ANSIBLE_DIR/certs/:/certs:rw" \
+        -v "$ANSIBLE_DIR/certs/:/ansible/certs:rw" \
         -v "$ANSIBLE_DIR/log/:/ansible/log:rw" \
         -e ANSIBLE_LOG_PATH \
         -it "${ANSIBLE_DOCKER_IMAGE}" "$@"
@@ -129,7 +129,7 @@ fi
     --mount ro:"$ANSIBLE_DIR":/ansible \
     --mount rw:"$ANSIBLE_DIR"/application:/ansible/application \
     --mount rw:"$ANSIBLE_DIR"/log:/ansible/log \
-    --mount rw:"$ANSIBLE_DIR"/certs:/certs \
+    --mount rw:"$ANSIBLE_DIR"/certs:/ansible/certs \
     --mount ro:/etc/resolv.conf:/etc/resolv.conf \
     --mount ro:/etc/hosts:/etc/hosts \
     --workdir /ansible \