Strona główna Odkrywaj Pomoc
Zaloguj się
rht
/
ocp-ing-ichp-materials
2
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: f4a722d45e
Gałęzie Tagi
ocp-ing-ichp...
/
playbooks
/
roles
/
create-certs
/
tasks
/
main.yml

main.yml 2.3 KB
Historia Czysty

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. ---
    2. 

  2. # Ensures there is a self-signed CA certificate.
    3. 

  3. # Ensures the workstation trusts the CA certificate.
    4. 

  4. - name: Ensure that the target directory is there
    5. 

  5.   ansible.builtin.file:
    6. 

  6.     path: "{{ ansible_facts['user_dir'] }}/ca"
    7. 

  7.     state: directory
    8. 

  8.     owner: student
    9. 

  9.     group: student
    10. 

  10.     mode: 0700
    11. 

  11. 

  12. - name: Check if CA key exists to save time
    13. 

  13.   ansible.builtin.stat:
    14. 

  14.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    15. 

  15.     get_attributes: no
    16. 

  16.     get_checksum: no
    17. 

  17.     get_mime: no
    18. 

  18.   register: cakey_file
    19. 

  19. 

  20. - name: Check if CA cert exists to save time
    21. 

  21.   ansible.builtin.stat:
    22. 

  22.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    23. 

  23.     get_attributes: no
    24. 

  24.     get_checksum: no
    25. 

  25.     get_mime: no
    26. 

  26.   register: cacert_file
    27. 

  27. 

  28. - name: Create a new CA private key, if it does not exist yet.
    29. 

  29.   community.crypto.openssl_privatekey:
    30. 

  30.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    31. 

  31.     passphrase: verysecret
    32. 

  32.     type: RSA
    33. 

  33.     cipher: auto
    34. 

  34.     size: 8192
    35. 

  35.     mode: 0600
    36. 

  36.   when: cakey_file.stat.exists == false
    37. 

  37. 

  38. - name: Generate a CSR for the CA cert.
    39. 

  39.   community.crypto.openssl_csr:
    40. 

  40.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    41. 

  41.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    42. 

  42.     privatekey_passphrase: verysecret
    43. 

  43.     basic_constraints: "CA:TRUE"
    44. 

  44.     basic_constraints_critical: yes
    45. 

  45.     subject:
    46. 

  46.       C: US
    47. 

  47.       ST: North Carolina
    48. 

  48.       L: Raleigh
    49. 

  49.       O: Red Hat
    50. 

  50.       OU: RHT
    51. 

  51.       CN: Cert Manager Issuer CA
    52. 

  52.     mode: 0600
    53. 

  53.   when: cacert_file.stat.exists == false
    54. 

  54. 

  55. - name: Create a self-signed cert for the CA.
    56. 

  56.   community.crypto.x509_certificate:
    57. 

  57.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    58. 

  58.     csr_path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    59. 

  59.     privatekey_path: "{{ ansible_facts['user_dir'] }}/ca/ca-key.pem"
    60. 

  60.     privatekey_passphrase: verysecret
    61. 

  61.     provider: selfsigned
    62. 

  62.     selfsigned_not_after: +510w
    63. 

  63.     mode: 0600
    64. 

  64.   when: cacert_file.stat.exists == false
    65. 

  65. 

  66. - name: Get rid of the CSR.
    67. 

  67.   ansible.builtin.file:
    68. 

  68.     path: "{{ ansible_facts['user_dir'] }}/ca/ca-csr.pem"
    69. 

  69.     state: absent
    70. 

  70. 

  71. - name: Copy CA cert to ca-trust dir.
    72. 

  72.   become: yes
    73. 

  73.   ansible.builtin.copy:
    74. 

  74.     src: "{{ ansible_facts['user_dir'] }}/ca/ca-cert.pem"
    75. 

  75.     dest: "/etc/pki/ca-trust/source/anchors/cert-mgr-ca.pem"
    76. 

  76.     mode: 0644
    77. 

  77.   register: copied
    78. 

  78. 

  79. - name: Have workstation trust the CA.
    80. 

  80.   become: yes
    81. 

  81.   command: update-ca-trust
    82. 

  82.   when: copied.changed
    83. 

  83. ...
    84.