| --- |
| |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| - hosts: localhost |
| connection: local |
| gather_facts: false |
| |
| vars: |
| lab_ssl_dir: "{{ lookup('env', 'PWD') }}/out/ssl/" |
| lab_ca_root_csr: "{{ lab_ssl_dir }}/lab.rootca.key.csr" |
| lab_ca_root_key: "{{ lab_ssl_dir }}/lab.rootca.key.pem" |
| lab_ca_root_crt: "{{ lab_ssl_dir }}/lab.rootca.crt" |
| lab_ca_int_csr: "{{ lab_ssl_dir }}/lab.intermediateca.csr" |
| lab_ca_int_key: "{{ lab_ssl_dir }}/lab.intermediateca.key.pem" |
| lab_ca_int_crt: "{{ lab_ssl_dir }}/lab.intermediateca.crt" |
| lab_csr: |
| CN: CDNLAB.invalid |
| C: US |
| ST: Colorado |
| L: Denver |
| O: ExampleCompany |
| OU: CDN |
| emailAddress: user@kabletown.invalid |
| |
| tasks: |
| - name: Collect All CDN delegations assigned to Fake Origins |
| set_fact: |
| cdnDelegationList: "{{ (cdnDelegationList | default([]) ) + [hostvars[item]['cdn']] }}" |
| with_items: "{{ groups['fakeorigin'] }}" |
| |
| - name: Convert the CDN Delegation list into an index |
| set_fact: |
| cdnDelegationIndex: "{{ (cdnDelegationIndex | default({}) ) | combine( { item.1: item.0 } ) }}" |
| with_indexed_items: "{{ cdnDelegationList | sort | unique }}" |
| |
| - name: Create Index of Fake Origins |
| set_fact: |
| foIndex: "{{ (foIndex | default({}) ) | combine( { item.1: item.0 } ) }}" |
| with_indexed_items: "{{ groups['fakeorigin'] }}" |
| |
| - name: Generate additional ansible inventory |
| template: |
| src: "templates/inventory.template.j2" |
| dest: "{{ lookup('env', 'PWD') }}/inventory/component.inventory" |
| |
| - name: Reload ansible inventory |
| meta: refresh_inventory |
| |
| - name: Ensure SSL info directory exists |
| file: |
| state: directory |
| path: "{{ lookup('env', 'PWD') }}/out/ssl" |
| |
| - name: Regenerate Lab Root CA Private key |
| openssl_privatekey: |
| path: "{{ lab_ca_root_key }}" |
| force: yes |
| when: regenerate_root is defined and (regenerate_root|bool == true) | default(false) |
| |
| - name: Regenerate Lab Root CA CSR |
| openssl_csr: |
| basic_constraints: |
| - CA:TRUE |
| privatekey_path: "{{ lab_ca_root_key }}" |
| subject: |
| CN: "{{ lab_csr.CN }}" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| emailAddress: "{{ lab_csr.emailAddress }}" |
| path: "{{ lab_ca_root_csr }}" |
| force: yes |
| when: regenerate_root is defined and (regenerate_root|bool == true) | default(false) |
| |
| - name: Regenerate Lab Root CA Certificate |
| openssl_certificate: |
| csr_path: "{{ lab_ca_root_csr }}" |
| force: yes |
| issuer: |
| CN: "{{ lab_csr.CN }}" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| path: "{{ lab_ca_root_crt }}" |
| privatekey_path: "{{ lab_ca_root_key }}" |
| provider: selfsigned |
| when: regenerate_root is defined and (regenerate_root|bool == true) | default(false) |
| |
| - name: Generate Intermediate Signing CA Private keys |
| openssl_privatekey: |
| path: "{{ lab_ca_int_key }}" |
| force: yes |
| when: (regenerate_intermediate is defined and (regenerate_intermediate|bool == true)) or (regenerate_root is defined and (regenerate_root|bool == true)) | default(false) |
| |
| - name: Generate Intermediate Signing CA CSRs |
| openssl_csr: |
| privatekey_path: "{{ lab_ca_int_key }}" |
| subject: |
| CN: "{{ lab_csr.CN }} Intermediate CA" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| emailAddress: "{{ lab_csr.emailAddress }}" |
| key_usage: |
| - digitalSignature |
| - keyCertSign |
| basic_constraints: |
| - CA:TRUE, pathlen:0 |
| path: "{{ lab_ca_int_csr }}" |
| force: yes |
| when: (regenerate_intermediate is defined and (regenerate_intermediate|bool == true)) or (regenerate_root is defined and (regenerate_root|bool == true)) | default(false) |
| |
| - name: Generate Intermediate Signing CA Certificates |
| openssl_certificate: |
| csr_path: "{{ lab_ca_int_csr }}" |
| force: yes |
| issuer: |
| CN: "{{ lab_csr.CN }} Intermediate CA" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| path: "{{ lab_ca_int_crt }}" |
| privatekey_path: "{{ lab_ca_int_key }}" |
| provider: ownca |
| ownca_path: "{{ lab_ca_root_crt }}" |
| ownca_privatekey_path: "{{ lab_ca_root_key }}" |
| when: (regenerate_intermediate is defined and (regenerate_intermediate|bool == true)) or (regenerate_root is defined and (regenerate_root|bool == true)) | default(false) |
| |
| - name: Generate Server Private keys |
| openssl_privatekey: |
| path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.key.pem" |
| force: yes |
| with_items: "{{ groups['all'] | difference( groups['mso_parent_alias'] ) }}" |
| |
| - name: Generate Server CSRs (non-riak) |
| openssl_csr: |
| privatekey_path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.key.pem" |
| subject: |
| CN: "{{ target_additional_DNS_names | default(item) }}" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| emailAddress: "{{ lab_csr.emailAddress }}" |
| subject_alt_name: "{{ san_arr | difference(invalid_DNS) }}" |
| path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.csr" |
| force: yes |
| with_items: "{{ groups['all'] | difference( groups['mso_parent_alias'] ) | difference( groups['riak']) | difference( groups['fakeorigin']) }}" |
| vars: |
| san_arr: |
| - "IP:{{ hostvars[item]['ansible_host'] }}" |
| - "DNS:{{ item }}" |
| - "DNS:{{ hostvars[item]['additional_dns_names'] | default('invalid.invalid') }}" |
| invalid_DNS: |
| - "DNS:invalid.invalid" |
| |
| - name: Generate Server CSRs (riak) |
| openssl_csr: |
| privatekey_path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.key.pem" |
| subject: |
| CN: "{{ target_additional_DNS_names | default(item) }}" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| emailAddress: "{{ lab_csr.emailAddress }}" |
| subject_alt_name: "{{ san_arr | union(other_riaks) | union(other_riaks_ips) }}" |
| path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.csr" |
| force: yes |
| with_items: "{{ groups['riak'] }}" |
| vars: |
| san_arr: |
| - "IP:{{ hostvars[item]['ansible_host'] }}" |
| - "DNS:{{ item }}" |
| other_riaks: "{{ groups['riak'] | difference([item]) | map('regex_replace', '^(.*)', 'DNS:\\1') | list }}" |
| other_riaks_ips: "{{ groups['riak'] | difference([item]) | map('extract', hostvars, ['ansible_host']) | list | map('regex_replace', '^(.*)', 'IP:\\1') | list }}" |
| |
| - name: Generate Server CSRs (origin) |
| openssl_csr: |
| privatekey_path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.key.pem" |
| subject: |
| CN: "{{ target_additional_DNS_names | default(item) }}" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| emailAddress: "{{ lab_csr.emailAddress }}" |
| subject_alt_name: "{{ san_arr | union(cnames) | difference(invalid_DNS) | flatten }}" |
| path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.csr" |
| force: yes |
| with_items: "{{ groups['fakeorigin'] }}" |
| vars: |
| san_arr: |
| - "IP:{{ hostvars[item]['ansible_host'] }}" |
| - "DNS:{{ item }}" |
| invalid_DNS: |
| - "DNS:invalid.invalid" |
| cnames: |
| - "{{ (hostvars[item]['ds_names'].split(',') | map('regex_replace', '^(.*)', 'DNS:\\1') ) | default('DNS:invalid.invalid') | list }}" |
| |
| - name: Generate Server Certificates |
| openssl_certificate: |
| csr_path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.csr" |
| force: yes |
| issuer: |
| CN: "{{ lab_csr.CN }} Intermediate CA" |
| C: "{{ lab_csr.C }}" |
| ST: "{{ lab_csr.ST }}" |
| L: "{{ lab_csr.L }}" |
| O: "{{ lab_csr.O }}" |
| OU: "{{ lab_csr.OU }}" |
| path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.crt" |
| privatekey_path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.key.pem" |
| provider: ownca |
| ownca_path: "{{ lab_ca_int_crt }}" |
| ownca_privatekey_path: "{{ lab_ca_int_key }}" |
| with_items: "{{ groups['all'] | difference( groups['mso_parent_alias'] ) }}" |
| |
| #- name: Generate Server DHParms |
| # openssl_dhparam: |
| # path: "{{ lookup('env', 'PWD') }}/out/ssl/{{ item }}.dhparm.pem" |
| # size: 2048 |
| # force: yes |
| # with_items: "{{ groups['all'] | difference( groups['mso_parent_alias'] ) }}" |
| |
| - name: Save the SSL Paths around for later |
| set_fact: |
| lab_ssl_dir: "{{ lab_ssl_dir }}" |
| lab_ca_root_key: "{{ lab_ca_root_key }}" |
| lab_ca_root_crt: "{{ lab_ca_root_crt }}" |
| lab_ca_int_key: "{{ lab_ca_int_key }}" |
| lab_ca_int_crt: "{{ lab_ca_int_crt }}" |
| |
| - hosts: all:!mso_parent_alias |
| gather_facts: no |
| become: yes |
| |
| tasks: |
| - name: Wait for SSH to allow sockets to connect |
| wait_for: |
| host={{ item }} |
| port=22 |
| state=started |
| with_items: "{{ inventory_hostname }}" |
| delegate_to: localhost |
| |
| - name: Pause for SSH to come up and the inital bootstrap to run |
| pause: |
| minutes: 5 |
| |
| - name: Ensure CA tools are installed |
| yum: |
| name: ca-certificates |
| state: present |
| use_backend: yum |
| enablerepo: "{{ additional_yum_repos | default([]) }}" |
| |
| - name: Deploy the Trusted Root SSL CA Certificates |
| copy: |
| src: "{{ item }}" |
| dest: /etc/pki/ca-trust/source/anchors |
| owner: root |
| group: root |
| mode: 0644 |
| notify: update server trusts |
| with_items: |
| - "{{ hostvars.localhost.lab_ca_int_crt }}" |
| - "{{ hostvars.localhost.lab_ca_root_crt }}" |
| |
| - name: Deploy the server cert |
| copy: |
| content: | |
| {{ lookup('file', lab_server_crt) }} |
| {{ lookup('file', hostvars.localhost.lab_ca_int_crt) }} |
| dest: /etc/pki/tls/certs/server.crt |
| owner: root |
| group: root |
| mode: 0644 |
| vars: |
| lab_server_crt: "{{ hostvars.localhost.lab_ssl_dir }}/{{ inventory_hostname }}.crt" |
| |
| - name: Deploy the server private key |
| copy: |
| src: "{{ hostvars.localhost.lab_ssl_dir }}/{{ inventory_hostname }}.key.pem" |
| dest: /etc/pki/tls/private/server.key.pem |
| owner: root |
| group: root |
| mode: 0700 |
| |
| # Perform whatever waiting and validation are required to know that the steady-state is successful and ready here |
| |
| handlers: |
| - name: update server trusts |
| command: /bin/update-ca-trust |