diff --git a/tasks/haproxy_ssl.yml b/tasks/haproxy_ssl.yml
new file mode 100644
index 0000000..28e69dc
--- /dev/null
+++ b/tasks/haproxy_ssl.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure the private ssl directory exists
+  file:
+    dest: "/etc/ssl/private"
+    state: "directory"
+  tags:
+    - haproxy-ssl
+
+- include: haproxy_ssl_self_signed.yml
+  when:
+    - haproxy_ssl | bool
+    - haproxy_user_ssl_cert is not defined or haproxy_user_ssl_key is not defined
+
+- include: haproxy_ssl_user_provided.yml
diff --git a/tasks/haproxy_ssl_key_create.yml b/tasks/haproxy_ssl_key_create.yml
new file mode 100644
index 0000000..1e0efb0
--- /dev/null
+++ b/tasks/haproxy_ssl_key_create.yml
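Review bot: The `file` task that creates /etc/ssl/private sets no `mode`, `owner` or `group`, so the directory that will hold the unencrypted private key gets whatever the remote umask yields (commonly 0755); the key file itself is later written with `mode: "0640"` in haproxy_ssl_key_distribute.yml, but nothing restricts the enclosing directory. Add `owner: "root"`, `group: "root"` and `mode: "0750"` under `file:` (or `"0700"` if no group needs to traverse it). The `haproxy_ssl | bool` entry in the self-signed include's `when` list duplicates the guard main.yml already applies to `haproxy_ssl.yml` and can be dropped. The user-provided include carries no `when` at all, which appears to rely on each task inside haproxy_ssl_user_provided.yml having its own `is defined` check — worth a one-line comment here so that dependency is explicit.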
@@ -0,0 +1,40 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Remove self signed certs and keys for regen
+  file:
+    dest: "{{ item }}"
+    state: "absent"
+  with_items:
+    - "{{ haproxy_ssl_pem }}"
+    - "{{ haproxy_ssl_key }}"
+    - "{{ haproxy_ssl_cert }}"
+  when: haproxy_ssl_self_signed_regen | bool
+  tags:
+    - haproxy-ssl
+
+- name: Create self-signed ssl cert
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ haproxy_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ haproxy_ssl_key }}
+    -out {{ haproxy_ssl_cert }}
+    -extensions v3_ca
+    creates={{ haproxy_ssl_cert }}
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl
diff --git a/tasks/haproxy_ssl_key_distribute.yml b/tasks/haproxy_ssl_key_distribute.yml
new file mode 100644
index 0000000..55beb6b
--- /dev/null
+++ b/tasks/haproxy_ssl_key_distribute.yml
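Review bot: The `openssl req ... -nodes -keyout {{ haproxy_ssl_key }}` command writes an unencrypted private key with whatever mode the remote umask produces, and nothing in this file tightens it afterwards; the copies pushed to the other hosts get `mode: "0640"` in haproxy_ssl_key_distribute.yml, but the original on the first host does not. Add a `file` task after the `command` task that pins owner, group and mode on `{{ haproxy_ssl_key }}` (below), so the on-disk protection does not depend on the login shell's umask. The `creates={{ haproxy_ssl_cert }}` key=value word inside the folded scalar works with the `command` module but is easy to misread as an openssl argument; moving it to `args:` / `creates: "{{ haproxy_ssl_cert }}"` makes the idempotency guard explicit. The hard-coded `-days 3650` could also become a role variable with that default.
```yaml
# … unchanged: "Create self-signed ssl cert" command task …

- name: Restrict self signed ssl key permissions
  file:
    path: "{{ haproxy_ssl_key }}"
    owner: "root"
    group: "root"
    mode: "0640"
  tags:
    - haproxy-ssl
```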
@@ -0,0 +1,34 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Distribute self signed ssl key
+  copy:
+    dest: "{{ haproxy_ssl_key }}"
+    content: "{{ hostvars[groups['haproxy_all'][0]]['haproxy_ssl_key_fact'] | b64decode }}"
+    mode: "0640"
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl
+
+- name: Distribute self signed ssl cert
+  copy:
+    dest: "{{ haproxy_ssl_cert }}"
+    content: "{{ hostvars[groups['haproxy_all'][0]]['haproxy_ssl_cert_fact'] | b64decode }}"
+    mode: "0640"
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl
diff --git a/tasks/haproxy_ssl_key_store.yml b/tasks/haproxy_ssl_key_store.yml
new file mode 100644
index 0000000..8603983
--- /dev/null
+++ b/tasks/haproxy_ssl_key_store.yml
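Review bot: The "Distribute self signed ssl key" task writes the decoded private key via `content:` without `no_log: true`, so the key material can be echoed in verbose or `--diff` runs and captured by any callback or logging plugin that records task results; add `no_log: true` to that task (the cert task handles public data and can stay visible). Both tasks also leave `owner`/`group` unset while the user-provided path in haproxy_ssl_user_provided.yml pins `owner: "root"` and `group: "root"` — add the same two lines here so the two code paths yield the same ownership. `mode: "0640"` is the only on-disk protection for the key once written, so keep it, and consider `"0600"` unless a non-root group is expected to read the file.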
@@ -0,0 +1,31 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Store ssl cert
+  slurp:
+    src: "{{ haproxy_ssl_cert }}"
+  register: _haproxy_ssl_cert
+  changed_when: false
+
+- name: Store ssl key
+  slurp:
+    src: "{{ haproxy_ssl_key }}"
+  register: _haproxy_ssl_key
+  changed_when: false
+
+- name: Register a fact for the cert and key
+  set_fact:
+    haproxy_ssl_cert_fact: "{{ _haproxy_ssl_cert.content }}"
+    haproxy_ssl_key_fact: "{{ _haproxy_ssl_key.content }}"
diff --git a/tasks/haproxy_ssl_self_signed.yml b/tasks/haproxy_ssl_self_signed.yml
new file mode 100644
index 0000000..456b0f6
--- /dev/null
+++ b/tasks/haproxy_ssl_self_signed.yml
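Review bot: The "Store ssl key" `slurp` registers the private key (base64) into `_haproxy_ssl_key` and "Register a fact for the cert and key" then publishes it as `haproxy_ssl_key_fact`, and neither task has `no_log: true`, so the key is printed in verbose output and handed to every callback plugin in the run. Add `no_log: true` to those two tasks; the cert slurp carries public data and can stay as is. A short header comment explaining that the fact is read by the other hosts through `hostvars[groups['haproxy_all'][0]]` in haproxy_ssl_key_distribute.yml would make the cross-host coupling visible to whoever next edits this file.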
@@ -0,0 +1,23 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: haproxy_ssl_key_create.yml
+  when: inventory_hostname == groups['haproxy_all'][0]
+
+- include: haproxy_ssl_key_store.yml
+  when: inventory_hostname == groups['haproxy_all'][0]
+
+- include: haproxy_ssl_key_distribute.yml
+  when: inventory_hostname != groups['haproxy_all'][0]
diff --git a/tasks/haproxy_ssl_configuration.yml b/tasks/haproxy_ssl_user_provided.yml
similarity index 57%
rename from tasks/haproxy_ssl_configuration.yml
rename to tasks/haproxy_ssl_user_provided.yml
index 331e8ff..656ae77 100644
--- a/tasks/haproxy_ssl_configuration.yml
+++ b/tasks/haproxy_ssl_user_provided.yml
@@ -1,5 +1,5 @@ --- -# Copyright 2015, Jean-Philippe Evrard +# Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Deploy user provided ssl cert +- name: Drop user provided ssl cert copy: src: "{{ haproxy_user_ssl_cert }}" dest: "{{ haproxy_ssl_cert }}"
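Review bot: All three `when` conditions index `groups['haproxy_all'][0]`, so this file fails with a templating error rather than a readable message when the inventory has no `haproxy_all` group, and the distribute include reads `haproxy_ssl_key_fact` from the first host's hostvars, which is only populated if that host actually ran haproxy_ssl_key_store.yml in this play — it will not be when the first host is unreachable or excluded with `--limit`. Consider a leading `assert` that `groups['haproxy_all'] is defined and groups['haproxy_all'] | length > 0`, and a `when: hostvars[groups['haproxy_all'][0]]['haproxy_ssl_key_fact'] is defined` guard (or a `fail` with a clear message) on the distribute include. A file-level comment stating the protocol — the first haproxy host generates, stores as a fact, every other host copies — would also help, since the ordering is only implied by the include order.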
@@ -26,13 +26,13 @@ tags: - haproxy-ssl -- name: Deploy user provided ssl key +- name: Drop user provided ssl key copy: src: "{{ haproxy_user_ssl_key }}" dest: "{{ haproxy_ssl_key }}" owner: "root" group: "root" - mode: "0600" + mode: "0640" when: haproxy_user_ssl_key is defined notify: - regen pem
@@ -51,36 +51,3 @@ - regen pem tags: - haproxy-ssl - -- name: Ensure the private ssl directory exists - file: - dest: "/etc/ssl/private" - state: "directory" - tags: - - haproxy-ssl - -- name: Remove signed certs and keys for regen - file: - dest: "{{ item }}" - state: "absent" - with_items: - - "{{ haproxy_ssl_pem }}" - - "{{ haproxy_ssl_key }}" - - "{{ haproxy_ssl_cert }}" - when: haproxy_ssl_self_signed_regen | bool - tags: - - haproxy-ssl - -- name: Create self-signed ssl cert if no certificate exists - command: > - openssl req -new -nodes -sha256 -x509 -subj - "{{ haproxy_ssl_self_signed_subject }}" - -days 3650 - -keyout {{ haproxy_ssl_key }} - -out {{ haproxy_ssl_cert }} - -extensions v3_ca - creates={{ haproxy_ssl_cert }} - notify: - - regen pem - tags: - - haproxy-ssl
diff --git a/tasks/main.yml b/tasks/main.yml
index e6a5105..37ba2a5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -27,8 +27,7 @@ - include: haproxy_install.yml -- include: haproxy_ssl_configuration.yml - static: no +- include: haproxy_ssl.yml when: haproxy_ssl | bool - include: haproxy_post_install.yml
diff --git a/tests/inventory b/tests/inventory
index 6c0833a..30af1d0 100644
--- a/tests/inventory
+++ b/tests/inventory
@@ -1,2 +1,5 @@ [all] localhost ansible_connection=local ansible_become=True
+
+[haproxy_all]
+localhost
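Review bot: The user-provided key's mode is loosened from `"0600"` to `"0640"` while `owner`/`group` stay `"root"`, which opens read access to the root group with no consumer in this diff that needs it — haproxy is fed by the combined PEM built by the `regen pem` handler, not by this key file, as far as the visible tasks show. Unless a non-root service group is going to be set on the key, keep `mode: "0600"` (and use the same value for the self-signed copies in haproxy_ssl_key_distribute.yml), or set `group:` to the group that actually reads it so the 0640 is deliberate; a one-line comment stating why group read is required would settle it either way. The "Drop user provided ssl key" task starts above this hunk and its `tags` run past it. Dropping `static: no` on the main.yml include is fine on Ansible versions where `include` is dynamic by default, which the `when:` on the same include already assumes.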