ansible/roles/certificates/tasks/main.yml - onap/oom/offline-installer - Gitiles

 ---
 # Some of task are delegated to Ansible container because unavailable
 # version of python-pyOpenSSL
 - name: Generate root CA private key
   openssl_privatekey:
     path: /certs/rootCA.key
     size: 4096
   delegate_to: localhost

 - name: Generate an OpenSSL CSR.
   openssl_csr:
     path: /certs/rootCA.csr
     privatekey_path: /certs/rootCA.key
     organization_name: "{{ certificates.organization_name }}"
     state_or_province_name: "{{ certificates.state_or_province_name }}"
     country_name: "{{ certificates.country_name }}"
     locality_name: "{{ certificates.locality_name }}"
     basic_constraints:
       - CA:true
     basic_constraints_critical: yes
     key_usage:
       - critical
       - digitalSignature
       - cRLSign
       - keyCertSign
   delegate_to: localhost

 - name: Generate root CA certificate
   openssl_certificate:
     provider: selfsigned
     path: /certs/rootCA.crt
     csr_path: /certs/rootCA.csr
     privatekey_path: /certs/rootCA.key
     key_usage:
       - critical
       - digitalSignature
       - cRLSign
       - keyCertSign
     force: yes
   delegate_to: localhost
   notify: Restart Docker

 - name: Generate private Nexus key
   openssl_privatekey:
     path: /certs/nexus_server.key
     size: 4096
     force: False
   delegate_to: localhost

 - name: Generate Nexus CSR (certificate signing request)
   openssl_csr:
     path: /certs/nexus_server.csr
     privatekey_path: /certs/nexus_server.key
     organization_name: "{{ certificates.organization_name }}"
     state_or_province_name: "{{ certificates.state_or_province_name }}"
     country_name: "{{ certificates.country_name }}"
     locality_name: "{{ certificates.locality_name }}"
     common_name: registry-1.docker.io
     key_usage:
       - keyAgreement
       - nonRepudiation
       - digitalSignature
       - keyEncipherment
       - dataEncipherment
     extended_key_usage:
       - serverAuth
     subject_alt_name:
       "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
   delegate_to: localhost

 - name: Generate v3 extension config file
   template:
     src: v3.ext.j2
     dest: /certs/v3.ext
   delegate_to: localhost

 # Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
 # Currently using 2.6.3
 - name: Sign Nexus certificate
   command: >
     openssl
     x509
     -req
     -in /certs/nexus_server.csr
     -extfile /certs/v3.ext
     -CA /certs/rootCA.crt
     -CAkey /certs/rootCA.key
     -CAcreateserial
     -out /certs/nexus_server.crt
     -days 3650
     -sha256
   delegate_to: localhost

 - name: Upload certificates to infrastructure server
   copy:
     src: /certs
     directory_mode: yes
     dest: "{{ app_data_path }}/"

 - import_tasks: upload_root_ca.yml
	---
	# Some of task are delegated to Ansible container because unavailable
	# version of python-pyOpenSSL
	- name: Generate root CA private key
	openssl_privatekey:
	path: /certs/rootCA.key
	size: 4096
	delegate_to: localhost

	- name: Generate an OpenSSL CSR.
	openssl_csr:
	path: /certs/rootCA.csr
	privatekey_path: /certs/rootCA.key
	organization_name: "{{ certificates.organization_name }}"
	state_or_province_name: "{{ certificates.state_or_province_name }}"
	country_name: "{{ certificates.country_name }}"
	locality_name: "{{ certificates.locality_name }}"
	basic_constraints:
	- CA:true
	basic_constraints_critical: yes
	key_usage:
	- critical
	- digitalSignature
	- cRLSign
	- keyCertSign
	delegate_to: localhost

	- name: Generate root CA certificate
	openssl_certificate:
	provider: selfsigned
	path: /certs/rootCA.crt
	csr_path: /certs/rootCA.csr
	privatekey_path: /certs/rootCA.key
	key_usage:
	- critical
	- digitalSignature
	- cRLSign
	- keyCertSign
	force: yes
	delegate_to: localhost
	notify: Restart Docker

	- name: Generate private Nexus key
	openssl_privatekey:
	path: /certs/nexus_server.key
	size: 4096
	force: False
	delegate_to: localhost

	- name: Generate Nexus CSR (certificate signing request)
	openssl_csr:
	path: /certs/nexus_server.csr
	privatekey_path: /certs/nexus_server.key
	organization_name: "{{ certificates.organization_name }}"
	state_or_province_name: "{{ certificates.state_or_province_name }}"
	country_name: "{{ certificates.country_name }}"
	locality_name: "{{ certificates.locality_name }}"
	common_name: registry-1.docker.io
	key_usage:
	- keyAgreement
	- nonRepudiation
	- digitalSignature
	- keyEncipherment
	- dataEncipherment
	extended_key_usage:
	- serverAuth
	subject_alt_name:
	"{{ simulated_hosts \| map('regex_replace', '(.*)', 'DNS:\\1') \| list }}"
	delegate_to: localhost

	- name: Generate v3 extension config file
	template:
	src: v3.ext.j2
	dest: /certs/v3.ext
	delegate_to: localhost

	# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
	# Currently using 2.6.3
	- name: Sign Nexus certificate
	command: >
	openssl
	x509
	-req
	-in /certs/nexus_server.csr
	-extfile /certs/v3.ext
	-CA /certs/rootCA.crt
	-CAkey /certs/rootCA.key
	-CAcreateserial
	-out /certs/nexus_server.crt
	-days 3650
	-sha256
	delegate_to: localhost

	- name: Upload certificates to infrastructure server
	copy:
	src: /certs
	directory_mode: yes
	dest: "{{ app_data_path }}/"

	- import_tasks: upload_root_ca.yml