Improve certificates role testability

Move the certs source path to the role defaults and make other small refactorings.

Issue-ID: OOM-1694

Change-Id: Ie0a4b543b40314dc5a7772dd4667b1ad218d3543
Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
new file mode 100644
index 0000000..ac8fe1e
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate-certificates.yml
@@ -0,0 +1,90 @@
+---
+- name: Create certificates directory certs to current dir
+  file:
+    path: "{{ certificates_local_dir }}"
+    state: directory
+
+# Some of task are delegated to Ansible container because unavailable
+# version of python-pyOpenSSL
+- name: Generate root CA private key
+  openssl_privatekey:
+    path: "{{ certificates_local_dir }}/rootCA.key"
+    size: 4096
+
+- name: Generate an OpenSSL CSR.
+  openssl_csr:
+    path: "{{ certificates_local_dir }}/rootCA.csr"
+    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+    organization_name: "{{ certificates.organization_name }}"
+    state_or_province_name: "{{ certificates.state_or_province_name }}"
+    country_name: "{{ certificates.country_name }}"
+    locality_name: "{{ certificates.locality_name }}"
+    basic_constraints:
+      - CA:true
+    basic_constraints_critical: true
+    key_usage:
+      - critical
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+
+- name: Generate root CA certificate
+  openssl_certificate:
+    provider: selfsigned
+    path: "{{ certificates_local_dir }}/rootCA.crt"
+    csr_path: "{{ certificates_local_dir }}/rootCA.csr"
+    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
+    key_usage:
+      - critical
+      - digitalSignature
+      - cRLSign
+      - keyCertSign
+    force: true
+  notify: Restart Docker
+
+- name: Generate private Nexus key
+  openssl_privatekey:
+    path: "{{ certificates_local_dir }}/nexus_server.key"
+    size: 4096
+    force: false
+
+- name: Generate Nexus CSR (certificate signing request)
+  openssl_csr:
+    path: "{{ certificates_local_dir }}/nexus_server.csr"
+    privatekey_path: "{{ certificates_local_dir }}/nexus_server.key"
+    organization_name: "{{ certificates.organization_name }}"
+    state_or_province_name: "{{ certificates.state_or_province_name }}"
+    country_name: "{{ certificates.country_name }}"
+    locality_name: "{{ certificates.locality_name }}"
+    common_name: registry-1.docker.io
+    key_usage:
+      - keyAgreement
+      - nonRepudiation
+      - digitalSignature
+      - keyEncipherment
+      - dataEncipherment
+    extended_key_usage:
+      - serverAuth
+    subject_alt_name:
+      "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+
+- name: Generate v3 extension config file
+  template:
+    src: v3.ext.j2
+    dest: "{{ certificates_local_dir }}/v3.ext"
+
+# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
+# Currently using 2.6.3
+- name: Sign Nexus certificate
+  command: >
+    openssl
+    x509
+    -req
+    -in "{{ certificates_local_dir }}/nexus_server.csr"
+    -extfile "{{ certificates_local_dir }}/v3.ext"
+    -CA "{{ certificates_local_dir }}/rootCA.crt"
+    -CAkey "{{ certificates_local_dir }}/rootCA.key"
+    -CAcreateserial
+    -out "{{ certificates_local_dir }}/nexus_server.crt"
+    -days 3650
+    -sha256
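Review bot: The `subject_alt_name` list built from `simulated_hosts` and the `extended_key_usage: serverAuth` placed on the Nexus CSR will not reach the signed certificate unless `v3.ext` repeats them, because `openssl x509 -req` ignores extensions carried in the request and applies only what `-extfile` provides; `v3.ext.j2` is not in this diff, so that is worth confirming, and a comment on the "Sign Nexus certificate" task such as `# x509 -req drops CSR extensions; SAN/EKU must be set in v3.ext` would stop a later reader from relying on the CSR fields. The sign task is also a bare `command` with no `creates:` or `changed_when:`, so it re-issues the certificate and reports changed on every play; if that is not intended, `creates: "{{ certificates_local_dir }}/nexus_server.crt"` (or `changed_when: false`) makes it idempotent. Finally `-days 3650` is a hard-coded validity that belongs in defaults alongside the other `certificates.*` settings the commit just moved there.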