This renames zk-ca to opendev-ca and allows us to operate more than one CA on bridge. This way we can keep the CAs for ZooKeeper and Jaeger distinct (so that a compromise of the Jaeger server could not be used to access the ZooKeeper cluster). This also starts a new jaeger-ca and uses it on the Jaeger server. Change-Id: I4e5bc4e3ccd78284ce785c971f7e6ad6e721f887
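---
# Issue a TLS certificate for the current host from the opendev CA that is
# kept on the Ansible controller, then install the CA cert, host cert, key and
# keystore into {{ opendev_ca_cert_dir }} on the target host.
#
# Variables used:
#   opendev_ca_root            CA working directory on the controller
#   opendev_ca_server          second argument to opendev-ca.sh (presumably the
#                              name the cert is issued for; confirm in the script)
#   opendev_ca_cert_dir        destination directory on the target host
#   opendev_ca_cert_dir_owner  owner of the installed certs/keys directories
#   opendev_ca_cert_dir_group  group of the installed certs/keys directories

- name: Ensure opendev-ca directory exists
  delegate_to: localhost
  file:
    path: "{{ opendev_ca_root }}"
    state: directory

# Run this in flock so that we can run it in plays for multiple target
# hosts in parallel while serializing access to the CA files.
- name: Run opendev-ca.sh
  delegate_to: localhost
  script: "opendev-ca.sh {{ opendev_ca_root }} {{ opendev_ca_server }}"
  args:
    executable: "flock {{ opendev_ca_root }}/lock"

# Public material (CA cert, host cert): world-readable directory.
- name: Ensure cert dir exists
  file:
    path: "{{ opendev_ca_cert_dir }}/certs"
    state: directory
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0755'

# Private material (key, keystore): owner-only directory.
- name: Ensure keys dir exists
  file:
    path: "{{ opendev_ca_cert_dir }}/keys"
    state: directory
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0700'

# The copy tasks below are not delegated and do not set remote_src, so src is
# read from the CA tree on the controller and dest is written on the target.
- name: Copy TLS cacert into place
  copy:
    src: "{{ opendev_ca_root }}/certs/cacert.pem"
    dest: "{{ opendev_ca_cert_dir }}/certs/cacert.pem"

- name: Copy TLS cert into place
  copy:
    src: "{{ opendev_ca_root }}/certs/{{ inventory_hostname }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/certs/cert.pem"

# Pin owner/group/mode on the private key and keystore so they are readable
# only by the service owner, instead of inheriting the connecting user and the
# remote umask from the copy module's defaults.  The key's source name
# ("<host>key.pem") differs from the cert/keystore names ("<host>.pem"); this
# is assumed to match what opendev-ca.sh writes -- confirm against the script.
- name: Copy TLS key into place
  copy:
    src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'

- name: Copy TLS keystore into place
  copy:
    src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'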