Inicio Explorar Axuda
Iniciar sesión
rht
/
ocp-ing-ichp-materials
2
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: ed9fff6fe2
Ramas Etiquetas
ocp-ing-ichp...
/
playbooks
/
roles
/
create-certs
/
tasks
/
main.yml

main.yml 2.3 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. ---
    2. 

  2. # Ensures there is a self-signed CA certificate.
    3. 

  3. # Ensures the workstation trusts the CA certificate.
    4. 

  4. - name: Ensure that the target directory is there
    5. 

  5.   ansible.builtin.file:
    6. 

  6.     path: "{{ ansible_facts['user_dir'] }}/ca"
    7. 

  7.     state: directory
    8. 

  8.     owner: student
    9. 

  9.     group: student
    10. 

  10.     mode: 0700
    11. 

  11. 

  12. - name: Check if CA key exists to save time
    13. 

  13.   ansible.builtin.stat:
    14. 

  14.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    15. 

  15.     get_attributes: no
    16. 

  16.     get_checksum: no
    17. 

  17.     get_mime: no
    18. 

  18.   register: cakey_file
    19. 

  19. 

  20. - name: Check if CA cert exists to save time
    21. 

  21.   ansible.builtin.stat:
    22. 

  22.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    23. 

  23.     get_attributes: no
    24. 

  24.     get_checksum: no
    25. 

  25.     get_mime: no
    26. 

  26.   register: cacert_file
    27. 

  27. 

  28. - name: Create a new CA private key, if it does not exist yet.
    29. 

  29.   community.crypto.openssl_privatekey:
    30. 

  30.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    31. 

  31.     type: RSA
    32. 

  32.     cipher: auto
    33. 

  33.     size: 4096
    34. 

  34.     mode: 0600
    35. 

  35.   when: cakey_file.stat.exists == false
    36. 

  36. 

  37. - name: Generate a CSR for the CA cert.
    38. 

  38.   community.crypto.openssl_csr:
    39. 

  39.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    40. 

  40.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    41. 

  41.     privatekey_passphrase: verysecret
    42. 

  42.     basic_constraints: "CA:TRUE"
    43. 

  43.     basic_constraints_critical: yes
    44. 

  44.     subject:
    45. 

  45.       C: US
    46. 

  46.       ST: North Carolina
    47. 

  47.       L: Raleigh
    48. 

  48.       O: Red Hat
    49. 

  49.       OU: RHT
    50. 

  50.       CN: Cert Manager Issuer CA
    51. 

  51.     mode: 0600
    52. 

  52.   when: cacert_file.stat.exists == false
    53. 

  53. 

  54. - name: Create a self-signed cert for the CA.
    55. 

  55.   community.crypto.x509_certificate:
    56. 

  56.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    57. 

  57.     csr_path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    58. 

  58.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    59. 

  59.     privatekey_passphrase: verysecret
    60. 

  60.     provider: selfsigned
    61. 

  61.     selfsigned_not_after: +510w
    62. 

  62.     mode: 0600
    63. 

  63.   when: cacert_file.stat.exists == false
    64. 

  64. 

  65. - name: Get rid of the CSR.
    66. 

  66.   ansible.builtin.file:
    67. 

  67.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    68. 

  68.     state: absent
    69. 

  69. 

  70. - name: Copy CA cert to ca-trust dir.
    71. 

  71.   become: yes
    72. 

  72.   ansible.builtin.copy:
    73. 

  73.     src: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    74. 

  74.     dest: "/etc/pki/ca-trust/source/anchors/cert-mgr-ca.pem"
    75. 

  75.     mode: 0644
    76. 

  76.   register: copied
    77. 

  77. 

  78. - name: Have workstation trust the CA.
    79. 

  79.   become: yes
    80. 

  80.   command: update-ca-trust
    81. 

  81.   when: copied.changed
    82. 

  82. ...
    83.