| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 |
- ---
- # tasks/ssl_generate.yml: Generate SSL data and stash to dynamic
- # data store for deployment to clients
- - name: Include ansible_distribution vars
- include_vars:
- file: "{{ ansible_distribution }}.yml"
- - name: Ensure OpenSSL is installed
- package:
- name: openssl
- state: present
- - name: Ensure SSL generation directory exists
- file:
- dest: "{{ sensu_config_path }}/{{ item }}"
- state: directory
- owner: "{{ sensu_user_name }}"
- group: "{{ sensu_group_name }}"
- when: sensu_master
- loop:
- - ssl_generation
- - ssl_generation/sensu_ssl_tool
- - ssl_generation/sensu_ssl_tool/client
- - ssl_generation/sensu_ssl_tool/server
- - ssl_generation/sensu_ssl_tool/sensu_ca
- - ssl_generation/sensu_ssl_tool/sensu_ca/private
- - ssl_generation/sensu_ssl_tool/sensu_ca/certs
- - name: Ensure OpenSSL configuration is in place
- template:
- src: openssl.cnf.j2
- dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/openssl.cnf"
- owner: "{{ sensu_user_name }}"
- group: "{{ sensu_group_name }}"
- when: sensu_master
- - block:
- - name: Ensure the Sensu CA serial configuration
- shell: 'echo 01 > sensu_ca/serial'
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/serial"
- register: sensu_ca_new_serial
- - name: Ensure sensu_ca/index.txt exists
- file:
- dest: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/index.txt"
- state: touch
- when: sensu_ca_new_serial is changed
- # TODO: The following mirrors the commands used in sensu_ssl_tool/ssl_certs.sh
- # from the 1.3 version of the script. Ideally, this moves into the native openssl_* modules.
- # See https://docs.sensu.io/sensu-core/1.3/reference/ssl/#reference-documentation for limitations and further instructions
- - name: Generate Sensu CA certificate
- command: openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1825 -out cacert.pem -outform PEM -subj /CN=SensuCA/ -nodes
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.pem"
- - name: Generate CA cert
- command: openssl x509 -in cacert.pem -out cacert.cer -outform DER
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca/cacert.cer"
- - name: Generate server keys
- command: openssl genrsa -out key.pem 2048
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/key.pem"
- - name: Generate server certificate signing request
- command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=server/ -nodes
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/req.pem"
- - name: Sign the server certificate
- command: openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/cert.pem"
- - name: Convert server certificate and key to PKCS12 formart
- command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/server/keycert.p12"
- - name: Generate client key
- command: openssl genrsa -out key.pem 2048
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/key.pem"
- - name: Generate client certificate signing request
- command: openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=sensu/O=client/ -nodes
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/req.pem"
- - name: Sign the client certificate
- command: openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/sensu_ca"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/cert.pem"
- - name: Convert client key/certificate to PKCS12 format
- command: openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secret
- args:
- chdir: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client"
- creates: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/client/keycert.p12"
- when: sensu_master|bool
- become: true
- become_user: "{{ sensu_user_name }}"
- - name: Stash the Sensu SSL certs/keys
- fetch:
- src: "{{ sensu_config_path }}/ssl_generation/sensu_ssl_tool/{{ item }}"
- dest: "{{ dynamic_data_store }}"
- when: sensu_master
- loop:
- - sensu_ca/cacert.pem
- - server/cert.pem
- - server/key.pem
- - client/cert.pem
- - client/key.pem
|
