-
Notifications
You must be signed in to change notification settings - Fork 0
/
docker-tls.yml
130 lines (114 loc) · 3.62 KB
/
docker-tls.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
---
- name: Create necessary folders for keys and certificates
file:
path: "/etc/ssl/{{ item }}"
state: directory
mode: '0755'
loop:
- private
- certs
- csr
- name: Generate an RSA 4096bit private key for the CA
openssl_privatekey:
path: "/etc/ssl/private/{{ ca_key }}.pem"
- name: Generate an OpenSSL Certificate Signing Request for the CA
openssl_csr:
path: /etc/ssl/csr/ca.csr
privatekey_path: "/etc/ssl/private/{{ ca_key }}.pem"
common_name: "{{ inventory_hostname }}"
basic_constraints: "CA:TRUE"
mode: 0666
- name: Generate a self-signed certificate for the CA
openssl_certificate:
path: "/etc/ssl/certs/{{ ca_cert }}.crt"
privatekey_path: "/etc/ssl/private/{{ ca_key }}.pem"
csr_path: /etc/ssl/csr/ca.csr
provider: selfsigned
mode: 0666
- name: Generate an RSA 4096bit private key for the server
openssl_privatekey:
path: "/etc/ssl/private/{{ server_key }}.pem"
- name: Get the current host's set of IPs
set_fact:
subjectAltName: "DNS:{{ inventory_hostname }},IP:{{ ansible_all_ipv4_addresses | join(',IP:') }}"
- name: Generate an OpenSSL Certificate Signing Request for the server
openssl_csr:
path: /etc/ssl/csr/server.csr
privatekey_path: "/etc/ssl/private/{{ server_key }}.pem"
extended_key_usage: serverAuth
common_name: "{{ inventory_hostname }}"
subject_alt_name: "{{ subjectAltName }}"
mode: 0666
- name: Generate the signed certificate for the server
openssl_certificate:
path: "/etc/ssl/certs/{{ server_cert }}.crt"
csr_path: /etc/ssl/csr/server.csr
privatekey_path: "/etc/ssl/private/{{ server_key }}.pem"
provider: ownca
ownca_path: "/etc/ssl/certs/{{ ca_cert }}.crt"
ownca_privatekey_path: "/etc/ssl/private/{{ ca_key }}.pem"
mode: 0666
- name: Generate an RSA 4096bit private key for the client
openssl_privatekey:
path: "/etc/ssl/private/{{ client_key }}.pem"
- name: Generate an OpenSSL Certificate Signing Request for the client
openssl_csr:
path: /etc/ssl/csr/client.csr
privatekey_path: /etc/ssl/private/{{ client_key }}.pem
extended_key_usage: clientAuth
mode: 0666
common_name: "client"
- name: Generate the signed certificate for the client
openssl_certificate:
path: "/etc/ssl/certs/{{ client_cert }}.crt"
csr_path: /etc/ssl/csr/client.csr
privatekey_path: /etc/ssl/private/{{ client_key }}.pem
provider: ownca
ownca_path: "/etc/ssl/certs/{{ ca_cert }}.crt"
ownca_privatekey_path: "/etc/ssl/private/{{ ca_key }}.pem"
mode: 0666
- name: Delete CSR files
file:
path: "/etc/ssl/csr/{{ item }}.csr"
state: absent
loop:
- ca
- client
- server
- name: Secure keys
file:
path: "/etc/ssl/private/{{ item }}.pem"
mode: 0400
loop:
- "{{ ca_key }}"
- "{{ client_key }}"
- "{{ server_key }}"
- name: Secure certificates
file:
path: "/etc/ssl/certs/{{ item }}.crt"
mode: 0444
loop:
- "{{ ca_cert }}"
- "{{ client_cert }}"
- "{{ server_cert }}"
- name: Create a folder for each host's keys and certificates
file:
path: "{{ item }}/{{ inventory_hostname }}"
state: directory
mode: '0755'
loop:
- "{{ certs_folder }}"
- "{{ keys_folder }}"
- name: Fetch client and CA certificates and copy them to local folder
fetch:
src: "/etc/ssl/certs/{{ item }}.crt"
dest: "{{ certs_folder }}/{{ inventory_hostname }}/"
flat: yes
loop:
- "{{ ca_cert }}"
- "{{ client_cert }}"
- name: Fetch client private key and copy it to local folder
fetch:
src: "/etc/ssl/private/{{ client_key }}.pem"
dest: "{{ keys_folder }}/{{ inventory_hostname }}/"
flat: yes