blob: 119071a72110e90344337530dba96f95338944f8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
---
- name: Ensure CA certificate exists on etcd_ca_host
stat:
path: "{{ etcd_ca_cert }}"
register: g_ca_cert_stat_result
delegate_to: "{{ etcd_ca_host }}"
run_once: true
- fail:
msg: >
CA certificate {{ etcd_ca_cert }} doesn't exist on CA host
{{ etcd_ca_host }}. Apply 'etcd_ca' action from `etcd` role to
{{ etcd_ca_host }}.
when: not g_ca_cert_stat_result.stat.exists | bool
run_once: true
- name: Check status of external etcd certificatees
stat:
path: "{{ etcd_cert_config_dir }}/{{ item }}"
with_items:
- "{{ etcd_cert_prefix }}client.crt"
- "{{ etcd_cert_prefix }}client.key"
- "{{ etcd_cert_prefix }}ca.crt"
register: g_external_etcd_cert_stat_result
when: not etcd_certificates_redeploy | default(false) | bool
- set_fact:
etcd_client_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
else (False in (g_external_etcd_cert_stat_result.results
| default({})
| oo_collect(attribute='stat.exists')
| list)) }}"
- name: Ensure generated_certs directory present
file:
path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
state: directory
mode: 0700
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
- name: Create the client csr
command: >
openssl req -new -keyout {{ etcd_cert_prefix }}client.key
-config {{ etcd_openssl_conf }}
-out {{ etcd_cert_prefix }}client.csr
-reqexts {{ etcd_req_ext }} -batch -nodes
-subj /CN={{ etcd_hostname }}
args:
chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
~ etcd_cert_prefix ~ 'client.csr' }}"
environment:
SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
# Certificates must be signed serially in order to avoid competing
# for the serial file.
- name: Sign and create the client crt
delegated_serial_command:
command: >
openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
-out {{ etcd_cert_prefix }}client.crt
-in {{ etcd_cert_prefix }}client.csr
-batch
chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
~ etcd_cert_prefix ~ 'client.crt' }}"
environment:
SAN: "IP:{{ etcd_ip }}"
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
- file:
src: "{{ etcd_ca_cert }}"
dest: "{{ etcd_generated_certs_dir}}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
state: hard
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
- name: Create local temp directory for syncing certs
local_action: command mktemp -d /tmp/etcd_certificates-XXXXXXX
register: g_etcd_client_mktemp
changed_when: False
when: etcd_client_certs_missing | bool
become: no
- name: Create a tarball of the etcd certs
command: >
tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
-C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
args:
creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
# Disables the following warning:
# Consider using unarchive module rather than running tar
warn: no
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
- name: Retrieve the etcd cert tarballs
fetch:
src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
dest: "{{ g_etcd_client_mktemp.stdout }}/"
flat: yes
fail_on_missing: yes
validate_checksum: yes
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
- name: Ensure certificate directory exists
file:
path: "{{ etcd_cert_config_dir }}"
state: directory
when: etcd_client_certs_missing | bool
- name: Unarchive etcd cert tarballs
unarchive:
src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
dest: "{{ etcd_cert_config_dir }}"
when: etcd_client_certs_missing | bool
- file:
path: "{{ etcd_cert_config_dir }}/{{ item }}"
owner: root
group: root
mode: 0600
with_items:
- "{{ etcd_cert_prefix }}client.crt"
- "{{ etcd_cert_prefix }}client.key"
- "{{ etcd_cert_prefix }}ca.crt"
when: etcd_client_certs_missing | bool
- name: Delete temporary directory
local_action: file path="{{ g_etcd_client_mktemp.stdout }}" state=absent
changed_when: False
when: etcd_client_certs_missing | bool
become: no
|