openstack
/
tripleo-ansible
Code Issues Proposed changes
TripleO Ansible project repository. Contains playbooks for use with TripleO OpenStack deployments.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1087 Commits
3 Branches
6 Tags
49 MiB
 
 
 
 
Tree: 0f168dc9ca
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0f168dc9ca'
${ noResults }
tripleo-ansible/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml

119 lines
4.0 KiB
Raw Blame History

---
- name: delete temporary ssl directory
become: true
file: path={{ openssl_temp_dir }} state=absent
- name: create temporary ssl directories
become: true
file: path={{ openssl_temp_dir }}/private recurse=yes
- name: create temporary ssl newcerts directory
become: true
file: path={{ openssl_temp_dir }}/newcerts recurse=yes
- name: create index.txt
become: true
copy: content="" dest={{ openssl_temp_dir }}/index.txt force=no
- name: create serial file
become: true
copy: content="01" dest={{ openssl_temp_dir }}/serial
- name: create openssl configuration file from template
become: true
copy: src="/etc/pki/tls/openssl.cnf" dest="{{ openssl_temp_dir }}/openssl.cnf" remote_src=yes
- name: update openssl directory entry in the configuration file
become: true
ini_file: path="{{ openssl_temp_dir }}/openssl.cnf" section=" CA_default " option="dir" value="{{ openssl_temp_dir }}"
- name: update openssl ca certificate file in the configuration file
become: true
replace: path="{{ openssl_temp_dir }}/openssl.cnf" regexp="cacert.pem" replace="ca_01.pem"
- name: Generating certificate authority private key
become: true
shell: |
openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
when:
- not (force_certs_update | default(false) | bool)
- name: Reuse previous CA private key
block:
- name: Write previous CA private key
copy:
content: "{{ private_key_content }}"
dest: "{{ openssl_temp_dir }}/private/cakey.pem"
no_log: true
when:
- force_certs_update | default(false) | bool
- not (force_private_key_update | default(false) | bool)
- name: Reuse and update previous CA private key
block:
- name: Write previous CA private key
copy:
content: "{{ private_key_content }}"
dest: "{{ openssl_temp_dir }}/private/cakey.old.pem"
no_log: true
- name: Update CA private key
shell: |
openssl rsa -aes256 \
-passin pass:{{ ca_passphrase }} \
-passout pass:{{ ca_passphrase }} \
-in {{ openssl_temp_dir }}/private/cakey.old.pem \
-out {{ openssl_temp_dir }}/private/cakey.pem
when:
- force_certs_update | default(false) | bool
- force_private_key_update | default(false) | bool
- name: Reading private key
become: true
shell: cat {{ openssl_temp_dir }}/private/cakey.pem
register: private_key_data
- name: Setting private key fact
set_fact:
private_key_content: "{{ private_key_data.stdout }}"
- name: Generating certificate authority certificate
become: true
shell: |
openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \
-out {{ openssl_temp_dir }}/ca_01.pem
- name: Reading CA certificate
become: true
shell: cat {{ openssl_temp_dir }}/ca_01.pem
register: ca_cert_data
- name: Setting CA certificate fact
set_fact:
ca_cert_content: "{{ ca_cert_data.stdout }}"
- name: Generating service private key & certificate request
become: true
shell: |
openssl req -newkey rsa:2048 -nodes -config {{ openssl_temp_dir }}/openssl.cnf -keyout {{ openssl_temp_dir }}/client.key \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-out {{ openssl_temp_dir }}/client.csr
- name: Signing service certificate request
become: true
shell: |
openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
-days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch
- name: Read service private key and public certifcate
become: true
shell: |
cat {{ openssl_temp_dir }}/client-.pem {{ openssl_temp_dir }}/client.key
register: service_key_data
- name: Set service key fact
set_fact:
service_pem_content: "{{ service_key_data.stdout }}"