Merge "Add ansible certificates role"
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
new file mode 100644
index 0000000..2e7dd88
--- /dev/null
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+# Some of task are delegated to Ansible container because unavailable
+# version of python-pyOpenSSL
+- name: Generate root CA private key
+ openssl_privatekey:
+ path: /certs/rootCA.key
+ size: 4096
+ delegate_to: localhost
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: /certs/rootCA.csr
+ privatekey_path: /certs/rootCA.key
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ basic_constraints:
+ - CA:true
+ basic_constraints_critical: yes
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ delegate_to: localhost
+
+- name: Generate root CA certificate
+ openssl_certificate:
+ provider: selfsigned
+ path: /certs/rootCA.crt
+ csr_path: /certs/rootCA.csr
+ privatekey_path: /certs/rootCA.key
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ force: yes
+ delegate_to: localhost
+ notify: Restart Docker
+
+- name: Generate private Nexus key
+ openssl_privatekey:
+ path: /certs/nexus_server.key
+ size: 4096
+ force: False
+ delegate_to: localhost
+
+- name: Generate Nexus CSR (certificate signing request)
+ openssl_csr:
+ path: /certs/nexus_server.csr
+ privatekey_path: /certs/nexus_server.key
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ common_name: registry-1.docker.io
+ key_usage:
+ - keyAgreement
+ - nonRepudiation
+ - digitalSignature
+ - keyEncipherment
+ - dataEncipherment
+ extended_key_usage:
+ - serverAuth
+ subject_alt_name:
+ "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+ delegate_to: localhost
+
+- name: Generate v3 extension config file
+ template:
+ src: v3.ext.j2
+ dest: /certs/v3.ext
+ delegate_to: localhost
+
+# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
+# Currently using 2.6.3
+- name: Sign Nexus certificate
+ command: >
+ openssl
+ x509
+ -req
+ -in /certs/nexus_server.csr
+ -extfile /certs/v3.ext
+ -CA /certs/rootCA.crt
+ -CAkey /certs/rootCA.key
+ -CAcreateserial
+ -out /certs/nexus_server.crt
+ -days 3650
+ -sha256
+ delegate_to: localhost
+
+- name: Upload certificates to infrastructure server
+ copy:
+ src: /certs
+ directory_mode: yes
+ dest: "{{ app_data_path }}/"
+
+- import_tasks: upload_root_ca.yml
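Review bot: The final copy task in this hunk ships the entire `/certs` directory, including `rootCA.key`, to the infrastructure server, although only `rootCA.crt` (handled by upload_root_ca.yml) and the Nexus key/certificate appear to be needed there, and no task in the role sets a `mode` on the key files, so the CA signing key lands on the target with whatever permissions `copy` defaults to. Copying an explicit list with per-file modes keeps the signing key on the controller; if something downstream does read the CSRs or `v3.ext`, add those names to the list rather than going back to the whole directory. Separately, `force: yes` on the root CA certificate together with the `openssl x509` command having no `creates:` means every run re-issues the CA certificate, re-signs the Nexus certificate and fires `Restart Docker` — if that is not intended, drop `force` and, once the CA certificate is stable, add `creates: /certs/nexus_server.crt` to the command. The booleans mix `yes` and `False` (`basic_constraints_critical`, `force`, `directory_mode`); use `true`/`false` throughout.
```yaml
- name: Upload certificates to infrastructure server
  copy:
    src: "/certs/{{ item.name }}"
    dest: "{{ app_data_path }}/certs/{{ item.name }}"
    mode: "{{ item.mode }}"
  with_items:
    - { name: rootCA.crt, mode: "0644" }
    - { name: nexus_server.crt, mode: "0644" }
    - { name: nexus_server.key, mode: "0600" }
```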
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml
new file mode 100644
index 0000000..5a59d27
--- /dev/null
+++ b/ansible/roles/certificates/tasks/upload_root_ca.yml
@@ -0,0 +1,10 @@
+---
+- name: Copy root certificate
+ copy:
+ src: "/certs/rootCA.crt"
+ dest: /etc/pki/ca-trust/source/anchors/
+ notify: Restart Docker
+
+- name: Extract root certificate
+ command: /usr/bin/update-ca-trust extract
+ notify: Restart Docker
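Review bot: `update-ca-trust extract` in the last task runs unconditionally and, as a bare `command`, is reported as changed on every play, so the `Restart Docker` handler fires each run even when the anchor file did not change. Register the copy and gate the extract on it: `register: root_ca_anchor` on the copy task and `when: root_ca_anchor is changed` on the command (or make the extract itself a handler that the copy notifies), after which the `notify` on the command is redundant. The copy also leaves the anchor's permissions to the module default; `mode: "0644"` would make the intent explicit.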
diff --git a/ansible/roles/certificates/templates/v3.ext.j2 b/ansible/roles/certificates/templates/v3.ext.j2
new file mode 100644
index 0000000..7be946f
--- /dev/null
+++ b/ansible/roles/certificates/templates/v3.ext.j2
@@ -0,0 +1,9 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+{% for name in all_simulated_hosts -%}
+ DNS.{{ loop.index }} = {{ name }}
+{% endfor %}
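Review bot: The extensions the signed Nexus certificate actually carries come from this file, because `openssl x509 -req -extfile` as invoked in main.yml takes extensions from the extfile rather than from the CSR; `extendedKeyUsage = serverAuth`, which the CSR task in main.yml requests, is therefore missing from the issued certificate, and TLS clients that check EKU may reject it. Adding `extendedKeyUsage = serverAuth` after the `keyUsage` line fixes that. The SAN list here is built from `all_simulated_hosts` while the CSR in main.yml uses `simulated_hosts` — if the two are meant to be the same set, one name is a typo; if not, a comment stating that this file is the authoritative SAN source would save the next reader the comparison. The leading space before `DNS.{{ loop.index }}` is harmless to OpenSSL but looks unintended.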