| Michal Zegan | 6c83964 | 2018-12-19 11:20:51 +0100 | [diff] [blame^] | 1 | --- |
| 2 | # Some of task are delegated to Ansible container because unavailable |
| 3 | # version of python-pyOpenSSL |
| 4 | - name: Generate root CA private key |
| 5 | openssl_privatekey: |
| 6 | path: /certs/rootCA.key |
| 7 | size: 4096 |
| 8 | delegate_to: localhost |
| 9 | |
| 10 | - name: Generate an OpenSSL CSR. |
| 11 | openssl_csr: |
| 12 | path: /certs/rootCA.csr |
| 13 | privatekey_path: /certs/rootCA.key |
| 14 | organization_name: "{{ certificates.organization_name }}" |
| 15 | state_or_province_name: "{{ certificates.state_or_province_name }}" |
| 16 | country_name: "{{ certificates.country_name }}" |
| 17 | locality_name: "{{ certificates.locality_name }}" |
| 18 | basic_constraints: |
| 19 | - CA:true |
| 20 | basic_constraints_critical: yes |
| 21 | key_usage: |
| 22 | - critical |
| 23 | - digitalSignature |
| 24 | - cRLSign |
| 25 | - keyCertSign |
| 26 | delegate_to: localhost |
| 27 | |
| 28 | - name: Generate root CA certificate |
| 29 | openssl_certificate: |
| 30 | provider: selfsigned |
| 31 | path: /certs/rootCA.crt |
| 32 | csr_path: /certs/rootCA.csr |
| 33 | privatekey_path: /certs/rootCA.key |
| 34 | key_usage: |
| 35 | - critical |
| 36 | - digitalSignature |
| 37 | - cRLSign |
| 38 | - keyCertSign |
| 39 | force: yes |
| 40 | delegate_to: localhost |
| 41 | notify: Restart Docker |
| 42 | |
| 43 | - name: Generate private Nexus key |
| 44 | openssl_privatekey: |
| 45 | path: /certs/nexus_server.key |
| 46 | size: 4096 |
| 47 | force: False |
| 48 | delegate_to: localhost |
| 49 | |
| 50 | - name: Generate Nexus CSR (certificate signing request) |
| 51 | openssl_csr: |
| 52 | path: /certs/nexus_server.csr |
| 53 | privatekey_path: /certs/nexus_server.key |
| 54 | organization_name: "{{ certificates.organization_name }}" |
| 55 | state_or_province_name: "{{ certificates.state_or_province_name }}" |
| 56 | country_name: "{{ certificates.country_name }}" |
| 57 | locality_name: "{{ certificates.locality_name }}" |
| 58 | common_name: registry-1.docker.io |
| 59 | key_usage: |
| 60 | - keyAgreement |
| 61 | - nonRepudiation |
| 62 | - digitalSignature |
| 63 | - keyEncipherment |
| 64 | - dataEncipherment |
| 65 | extended_key_usage: |
| 66 | - serverAuth |
| 67 | subject_alt_name: |
| 68 | "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" |
| 69 | delegate_to: localhost |
| 70 | |
| 71 | - name: Generate v3 extension config file |
| 72 | template: |
| 73 | src: v3.ext.j2 |
| 74 | dest: /certs/v3.ext |
| 75 | delegate_to: localhost |
| 76 | |
| 77 | # Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018) |
| 78 | # Currently using 2.6.3 |
| 79 | - name: Sign Nexus certificate |
| 80 | command: > |
| 81 | openssl |
| 82 | x509 |
| 83 | -req |
| 84 | -in /certs/nexus_server.csr |
| 85 | -extfile /certs/v3.ext |
| 86 | -CA /certs/rootCA.crt |
| 87 | -CAkey /certs/rootCA.key |
| 88 | -CAcreateserial |
| 89 | -out /certs/nexus_server.crt |
| 90 | -days 3650 |
| 91 | -sha256 |
| 92 | delegate_to: localhost |
| 93 | |
| 94 | - name: Upload certificates to infrastructure server |
| 95 | copy: |
| 96 | src: /certs |
| 97 | directory_mode: yes |
| 98 | dest: "{{ app_data_path }}/" |
| 99 | |
| 100 | - import_tasks: upload_root_ca.yml |