path: root/roles/etcd_server_certificates/tasks/main.yml
---
# Probe the three certificate files this role manages on the etcd host; the
# per-item stat results feed the etcd_server_certs_missing fact set next.
- name: Check status of etcd certificates
  stat:
    path: '{{ etcd_cert_config_dir }}/{{ item }}'
  register: g_etcd_server_cert_stat_result
  with_items:
    - '{{ etcd_cert_prefix }}server.crt'
    - '{{ etcd_cert_prefix }}peer.crt'
    - '{{ etcd_cert_prefix }}ca.crt'

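# A single missing file (server, peer or CA cert) triggers regeneration of the
# whole set. oo_collect is a project filter; presumably it yields the list of
# stat.exists booleans, one per probed file.
- name: Determine whether any etcd server certificate is missing
  set_fact:
    etcd_server_certs_missing: "{{ False in (g_etcd_server_cert_stat_result.results
                                   | oo_collect(attribute='stat.exists')
                                   | list) }}"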

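# Working directory on the CA host for this member's key material. The mode is
# quoted so it reaches the module as the string "0700" instead of being
# reparsed by YAML 1.1 as octal (unquoted 0700 is the integer 448). Owner-only
# because the openssl req tasks below write unencrypted private keys (-nodes)
# into it.
- name: Ensure generated_certs directory present
  file:
    path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    state: directory
    mode: "0700"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"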

# Generate this member's server key and CSR on the CA host. The key is written
# unencrypted (-nodes). SAN is exported as an environment variable, presumably
# read by the -reqexts section of etcd_openssl_conf — verify against that
# config. Skipped once server.csr exists (creates:).
- name: Create the server csr
  command: >
    openssl req -new -keyout {{ etcd_cert_prefix }}server.key
    -config {{ etcd_openssl_conf }}
    -out {{ etcd_cert_prefix }}server.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ etcd_hostname }}
  args:
    chdir: '{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}'
    creates: '{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}server.csr'
  environment:
    SAN: 'IP:{{ etcd_ip }}'
  when: etcd_server_certs_missing | bool
  delegate_to: '{{ etcd_ca_host }}'

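# Certificates must be signed serially in order to avoid competing
# for the serial file.
- name: Sign and create the server crt
  delegated_serial_command:
    command: >
      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
      -out {{ etcd_cert_prefix }}server.crt
      -in {{ etcd_cert_prefix }}server.csr
      -extensions {{ etcd_ca_exts_server }} -batch
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  etcd_cert_subdir ~ '/'
                 ~ etcd_cert_prefix ~ 'server.crt' }}"
  environment:
    SAN: "IP:{{ etcd_ip }}"
  # Guarded like the peer signing task. Without this condition the signing ran
  # on the CA host even when the member's certs already exist, and would fail
  # whenever server.csr was never generated there (only creates: stood in the
  # way).
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"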

# Generate this member's peer key and CSR on the CA host, mirroring the server
# CSR task: unencrypted key (-nodes), SAN passed through the environment
# (presumably consumed by etcd_openssl_conf — verify), skipped once peer.csr
# exists.
- name: Create the peer csr
  command: >
    openssl req -new -keyout {{ etcd_cert_prefix }}peer.key
    -config {{ etcd_openssl_conf }}
    -out {{ etcd_cert_prefix }}peer.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ etcd_hostname }}
  args:
    chdir: '{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}'
    creates: '{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}peer.csr'
  environment:
    SAN: 'IP:{{ etcd_ip }}'
  when: etcd_server_certs_missing | bool
  delegate_to: '{{ etcd_ca_host }}'

# Sign the peer CSR with the etcd CA. Uses the project's delegated_serial_command
# module rather than command so that signings do not race on the CA's serial
# file; skipped once peer.crt exists.
- name: Sign and create the peer crt
  delegated_serial_command:
    command: >
      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
      -out {{ etcd_cert_prefix }}peer.crt
      -in {{ etcd_cert_prefix }}peer.csr
      -extensions {{ etcd_ca_exts_peer }} -batch
    chdir: '{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}'
    creates: '{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}peer.crt'
  environment:
    SAN: 'IP:{{ etcd_ip }}'
  when: etcd_server_certs_missing | bool
  delegate_to: '{{ etcd_ca_host }}'

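# Place the CA certificate next to the freshly signed member certs so the
# tarball built below carries the complete set. A hard link requires
# etcd_ca_cert and the generated_certs tree to be on the same filesystem.
- name: Hard link the CA certificate into the generated certs directory
  file:
    src: "{{ etcd_ca_cert }}"
    dest: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
    state: hard
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"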

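# Scratch directory on the controller that receives the cert tarball (private
# keys included). mktemp -d creates it owner-only; the last task in this file
# removes it again. local_action was dropped because delegate_to: localhost
# already expresses the same thing.
- name: Create local temp directory for syncing certs
  command: mktemp -d /tmp/etcd_certificates-XXXXXXX
  register: g_etcd_server_mktemp
  changed_when: false
  when: etcd_server_certs_missing | bool
  delegate_to: localhost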

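# Bundle the member's key material (including server.key and peer.key) for
# transfer. The -C line is kept at the block's own indent: in a folded (>)
# scalar a more-indented continuation keeps its line break instead of folding
# into the command. The archive is created under the CA host's default umask,
# so it may be readable beyond the owner — consider restricting it — and via
# creates: it is never rebuilt once present.
- name: Create a tarball of the etcd certs
  command: >
    tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
    -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
  args:
    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"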

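# Pull the tarball from the CA host into the controller-side temp directory.
# Booleans written as true rather than yes, which YAML 1.2 parsers treat as a
# plain string. fail_on_missing and validate_checksum are kept explicit so a
# missing or corrupted archive stops the play instead of leaving the member
# without certs.
- name: Retrieve etcd cert tarball
  fetch:
    src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    dest: "{{ g_etcd_server_mktemp.stdout }}/"
    flat: true
    fail_on_missing: true
    validate_checksum: true
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"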

# Destination on the etcd host itself for the member's certs and keys.
# NOTE(review): no mode or owner is set here, so the directory gets the target's
# default permissions — confirm that is what etcd expects for its key material.
- name: Ensure certificate directory exists
  when: etcd_server_certs_missing | bool
  file:
    path: '{{ etcd_cert_config_dir }}'
    state: directory

# Copy the tarball from the controller's temp directory to the etcd host and
# extract it into the cert directory. The extracted files (private keys among
# them) keep whatever permissions the tar entries carry.
- name: Unarchive cert tarball
  when: etcd_server_certs_missing | bool
  unarchive:
    src: '{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz'
    dest: '{{ etcd_cert_config_dir }}'

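# Remove the controller-side copy of the tarball (and the private keys in it).
# Module arguments are given as native YAML rather than a key=value string, and
# path is the canonical name for the file module's target.
- name: Delete temporary directory
  file:
    path: "{{ g_etcd_server_mktemp.stdout }}"
    state: absent
  changed_when: false
  when: etcd_server_certs_missing | bool
  delegate_to: localhost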