Improve certificates role testability
Move certs source path to defaults and make other small refactorings.
Issue-ID: OOM-1694
Change-Id: Ie0a4b543b40314dc5a7772dd4667b1ad218d3543
Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
index 2e7dd88..7aaeac1 100644
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -1,100 +1,12 @@
---
-# Some of task are delegated to Ansible container because unavailable
-# version of python-pyOpenSSL
-- name: Generate root CA private key
- openssl_privatekey:
- path: /certs/rootCA.key
- size: 4096
- delegate_to: localhost
-
-- name: Generate an OpenSSL CSR.
- openssl_csr:
- path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- basic_constraints:
- - CA:true
- basic_constraints_critical: yes
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- delegate_to: localhost
-
-- name: Generate root CA certificate
- openssl_certificate:
- provider: selfsigned
- path: /certs/rootCA.crt
- csr_path: /certs/rootCA.csr
- privatekey_path: /certs/rootCA.key
- key_usage:
- - critical
- - digitalSignature
- - cRLSign
- - keyCertSign
- force: yes
- delegate_to: localhost
- notify: Restart Docker
-
-- name: Generate private Nexus key
- openssl_privatekey:
- path: /certs/nexus_server.key
- size: 4096
- force: False
- delegate_to: localhost
-
-- name: Generate Nexus CSR (certificate signing request)
- openssl_csr:
- path: /certs/nexus_server.csr
- privatekey_path: /certs/nexus_server.key
- organization_name: "{{ certificates.organization_name }}"
- state_or_province_name: "{{ certificates.state_or_province_name }}"
- country_name: "{{ certificates.country_name }}"
- locality_name: "{{ certificates.locality_name }}"
- common_name: registry-1.docker.io
- key_usage:
- - keyAgreement
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- - dataEncipherment
- extended_key_usage:
- - serverAuth
- subject_alt_name:
- "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
- delegate_to: localhost
-
-- name: Generate v3 extension config file
- template:
- src: v3.ext.j2
- dest: /certs/v3.ext
- delegate_to: localhost
-
-# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
-# Currently using 2.6.3
-- name: Sign Nexus certificate
- command: >
- openssl
- x509
- -req
- -in /certs/nexus_server.csr
- -extfile /certs/v3.ext
- -CA /certs/rootCA.crt
- -CAkey /certs/rootCA.key
- -CAcreateserial
- -out /certs/nexus_server.crt
- -days 3650
- -sha256
+- name: Generate certs
+ import_tasks: generate-certificates.yml
delegate_to: localhost
- name: Upload certificates to infrastructure server
copy:
- src: /certs
- directory_mode: yes
+ src: "{{ certificates_local_dir }}"
+ directory_mode: true
dest: "{{ app_data_path }}/"
- import_tasks: upload_root_ca.yml
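Review bot: `directory_mode: true` in the "Upload certificates to infrastructure server" task only respells the old `yes`; the copy module's `directory_mode` option is a permission mode applied to directories created during a recursive copy, not a boolean, so neither spelling states the permissions intended for a directory that (per the removed lines) holds `rootCA.key`. An explicit restrictive mode would make the intent checkable, e.g. `directory_mode: "0750"` (constructed example; choose the value the role actually needs). Note also that `copy` treats `src` differently depending on a trailing slash — `src: /certs` copied the directory itself, so if the default for `certificates_local_dir` (defined outside this diff) ends with `/`, only its contents land under `dest`, and the following `upload_root_ca.yml` tasks should be checked against whichever default is chosen. Whether `delegate_to: localhost` placed on the `import_tasks` statement is inherited by every task in `generate-certificates.yml` should be confirmed for the Ansible version in use (the removed comment mentions 2.6.3); that file is not part of this diff.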