Головна сторінка Огляд Довідка
Увійти
rht
/
ocp-ing-ichp-materials
2
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Дерево: f0eb5faa30
Гілки Теги
ocp-ing-ichp...
/
playbooks
/
roles
/
create-certs
/
tasks
/
main.yml

main.yml 2.2 KB
Історія Запис

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. ---
    2. 

  2. # Ensures there is a self-signed CA certificate.
    3. 

  3. # Ensures the workstation trusts the CA certificate.
    4. 

  4. - name: Ensure that the target directory is there
    5. 

  5.   ansible.builtin.file:
    6. 

  6.     path: "{{ ansible_facts['user_dir'] }}/ca"
    7. 

  7.     state: directory
    8. 

  8.     owner: student
    9. 

  9.     group: student
    10. 

  10.     mode: 0700
    11. 

  11. 

  12. - name: Check if CA key exists to save time
    13. 

  13.   ansible.builtin.stat:
    14. 

  14.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    15. 

  15.     get_attributes: no
    16. 

  16.     get_checksum: no
    17. 

  17.     get_mime: no
    18. 

  18.   register: cakey_file
    19. 

  19. 

  20. - name: Check if CA cert exists to save time
    21. 

  21.   ansible.builtin.stat:
    22. 

  22.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    23. 

  23.     get_attributes: no
    24. 

  24.     get_checksum: no
    25. 

  25.     get_mime: no
    26. 

  26.   register: cacert_file
    27. 

  27. 

  28. - name: Create a new CA private key, if it does not exist yet.
    29. 

  29.   community.crypto.openssl_privatekey:
    30. 

  30.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    31. 

  31.     type: RSA
    32. 

  32.     size: 4096
    33. 

  33.     mode: 0600
    34. 

  34.   when: cakey_file.stat.exists == false
    35. 

  35. 

  36. - name: Generate a CSR for the CA cert.
    37. 

  37.   community.crypto.openssl_csr:
    38. 

  38.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    39. 

  39.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    40. 

  40.     basic_constraints: "CA:TRUE"
    41. 

  41.     basic_constraints_critical: yes
    42. 

  42.     subject:
    43. 

  43.       C: US
    44. 

  44.       ST: North Carolina
    45. 

  45.       L: Raleigh
    46. 

  46.       O: Red Hat
    47. 

  47.       OU: RHT
    48. 

  48.       CN: Cert Manager Issuer CA
    49. 

  49.     mode: 0600
    50. 

  50.   when: cacert_file.stat.exists == false
    51. 

  51. 

  52. - name: Create a self-signed cert for the CA.
    53. 

  53.   community.crypto.x509_certificate:
    54. 

  54.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    55. 

  55.     csr_path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    56. 

  56.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    57. 

  57.     provider: selfsigned
    58. 

  58.     selfsigned_not_after: +510w
    59. 

  59.     mode: 0600
    60. 

  60.   when: cacert_file.stat.exists == false
    61. 

  61. 

  62. - name: Get rid of the CSR.
    63. 

  63.   ansible.builtin.file:
    64. 

  64.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    65. 

  65.     state: absent
    66. 

  66. 

  67. - name: Copy CA cert to ca-trust dir.
    68. 

  68.   become: yes
    69. 

  69.   ansible.builtin.copy:
    70. 

  70.     src: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    71. 

  71.     dest: "/etc/pki/ca-trust/source/anchors/cert-mgr-ca.pem"
    72. 

  72.     mode: 0644
    73. 

  73.   register: copied
    74. 

  74. 

  75. - name: Have workstation trust the CA.
    76. 

  76.   become: yes
    77. 

  77.   command: update-ca-trust
    78. 

  78.   when: copied.changed
    79. 

  79. ...
    80.