首頁 探索 說明
登入
rht
/
ocp-ing-ichp-materials
2
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: 9728b20bc8
分支列表 標籤列表
ocp-ing-ichp...
/
playbooks
/
roles
/
create-certs
/
tasks
/
main.yml

main.yml 2.3 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. ---
    2. 

  2. # Ensures there is a self-signed CA certificate.
    3. 

  3. # Ensures the workstation trusts the CA certificate.
    4. 

  4. - name: Ensure that the target directory is there
    5. 

  5.   ansible.builtin.file:
    6. 

  6.     path: "{{ ansible_facts['user_dir'] }}/ca"
    7. 

  7.     state: directory
    8. 

  8.     owner: student
    9. 

  9.     group: student
    10. 

  10.     mode: 0700
    11. 

  11. 

  12. - name: Check if CA key exists to save time
    13. 

  13.   ansible.builtin.stat:
    14. 

  14.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    15. 

  15.     get_attributes: no
    16. 

  16.     get_checksum: no
    17. 

  17.     get_mime: no
    18. 

  18.   register: cakey_file
    19. 

  19. 

  20. - name: Check if CA cert exists to save time
    21. 

  21.   ansible.builtin.stat:
    22. 

  22.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    23. 

  23.     get_attributes: no
    24. 

  24.     get_checksum: no
    25. 

  25.     get_mime: no
    26. 

  26.   register: cacert_file
    27. 

  27. 

  28. - name: Create a new CA private key, if it does not exist yet.
    29. 

  29.   community.crypto.openssl_privatekey:
    30. 

  30.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    31. 

  31.     type: RSA
    32. 

  32.     size: 4096
    33. 

  33.     mode: 0600
    34. 

  34.   when: cakey_file.stat.exists == false
    35. 

  35. 

  36. - name: Generate a CSR for the CA cert.
    37. 

  37.   community.crypto.openssl_csr:
    38. 

  38.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    39. 

  39.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    40. 

  40.     privatekey_passphrase: verysecret
    41. 

  41.     basic_constraints: "CA:TRUE"
    42. 

  42.     basic_constraints_critical: yes
    43. 

  43.     subject:
    44. 

  44.       C: US
    45. 

  45.       ST: North Carolina
    46. 

  46.       L: Raleigh
    47. 

  47.       O: Red Hat
    48. 

  48.       OU: RHT
    49. 

  49.       CN: Cert Manager Issuer CA
    50. 

  50.     mode: 0600
    51. 

  51.   when: cacert_file.stat.exists == false
    52. 

  52. 

  53. - name: Create a self-signed cert for the CA.
    54. 

  54.   community.crypto.x509_certificate:
    55. 

  55.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    56. 

  56.     csr_path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    57. 

  57.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    58. 

  58.     privatekey_passphrase: verysecret
    59. 

  59.     provider: selfsigned
    60. 

  60.     selfsigned_not_after: +510w
    61. 

  61.     mode: 0600
    62. 

  62.   when: cacert_file.stat.exists == false
    63. 

  63. 

  64. - name: Get rid of the CSR.
    65. 

  65.   ansible.builtin.file:
    66. 

  66.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    67. 

  67.     state: absent
    68. 

  68. 

  69. - name: Copy CA cert to ca-trust dir.
    70. 

  70.   become: yes
    71. 

  71.   ansible.builtin.copy:
    72. 

  72.     src: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    73. 

  73.     dest: "/etc/pki/ca-trust/source/anchors/cert-mgr-ca.pem"
    74. 

  74.     mode: 0644
    75. 

  75.   register: copied
    76. 

  76. 

  77. - name: Have workstation trust the CA.
    78. 

  78.   become: yes
    79. 

  79.   command: update-ca-trust
    80. 

  80.   when: copied.changed
    81. 

  81. ...
    82.