openstack/ansible-role-pki
Code Issues Proposed changes
ansible-role-pki/tasks/standalone/create_cert.yml
Dmitriy Rabotyagov 95aaaf1337 Allow to provide custom handler names 
Introduce variables that allow to customize handler names that are
being used. This is especially useful when role is included multiple
times within same playbook.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/876436
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/871189/
Change-Id: I66ad04a5dbbce29c052895649792fa8a49e40a57
2023-03-06 11:46:24 +00:00

87 lines
4.0 KiB
YAML
Raw Blame History

---
# Copyright 2021, BBC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create certificate {{ cert.name }}
vars:
ansible_python_interpreter: "{{ pki_setup_host_python_interpreter }}"
_cert_file: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '.crt' }}"
_cert_chain_file: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '-chain.crt' }}"
_ca_file: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/certs/' ~ cert.signed_by ~ '.crt' }}"
delegate_to: "{{ pki_setup_host }}"
block:
- name: Generate certificate private key for {{ cert.name }}
community.crypto.openssl_privatekey:
path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
passphrase: "{{ cert.key_passphrase | default(omit) }}"
cipher: "{{ ('key_passphrase' in cert and cert.key_passphrase) | ternary('auto', omit) }}"
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
format: "{{ cert.key_format | default(omit) }}"
register: cert_privkey
- name: Create the CSR for {{ cert.name }}
community.crypto.openssl_csr:
path: "{{ cert_dir ~ '/csr/' ~ cert.name ~ '.csr' }}"
privatekey_path: "{{ cert_privkey.filename }}"
privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
common_name: "{{ cert.cn | default(omit) }}"
basic_constraints_critical: yes
basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
key_usage: "{{ cert.key_usage | default(omit) }}"
extended_key_usage: "{{ cert.extended_key_usage | default(omit) }}"
subject_alt_name: "{{ cert.san | default(omit) }}"
country_name: "{{ cert.country_name | default(omit) }}"
state_or_province_name: "{{ cert.state_or_province_name | default(omit) }}"
locality_name: "{{ cert.locality_name | default(omit) }}"
organization_name: "{{ cert.organization_name | default(omit) }}"
organizational_unit_name: "{{ cert.organization_unit_name | default(omit) }}"
subject: "{{ cert.subject | default(omit) }}"
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
register: cert_csr
- name: Sign the certificate CSR for {{ cert.name }}
community.crypto.x509_certificate:
path: "{{ _cert_file }}"
csr_path: "{{ cert_csr.filename }}"
ownca_path: "{{ _ca_file }}"
ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/private/' ~ cert.signed_by ~ '.key.pem' }}"
ownca_privatekey_passphrase: "{{ cert.ownca_key_passphrase | default(omit) }}"
provider: ownca
force: "{{ pki_regen_cert == cert.name or ((pki_regen_cert | lower) == 'true') }}"
register: cert_crt
when:
- cert.provider == 'ownca'
- cert_csr is changed
notify:
- "{{ pki_handler_cert_changed }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: Get certificate info for {{ cert.name }}
community.crypto.x509_certificate_info:
path: "{{ cert_crt.filename }}"
register: cert_info
when: cert_crt is changed
- name: Save certificate info for {{ cert.name }}
copy:
content: "{{ cert_info | to_nice_yaml }}"
dest: "{{ cert_dir ~ '/certs/' ~ cert.name ~ '.info' }}"
when: cert_crt is changed
- name: Create certificate chain for {{ cert.name }}
shell:
cmd: "cat {{ _cert_file }} {{ _ca_file }} > {{ _cert_chain_file }}"
creates: "{{ (cert_crt is not changed) | ternary(_cert_chain_file, omit) }}"
View Git Blame Copy Permalink