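---
# Generate the etcd server and peer certificates for this host on the
# etcd CA host and copy them onto the target.
#
# Flow: stat the expected files on the target -> if any is missing,
# create and sign the csr/crt on etcd_ca_host -> hard-link the CA cert ->
# tar the generated subdir on the CA host -> fetch the tarball into a
# controller temp dir -> unarchive it into etcd_cert_config_dir on the
# target -> remove the temp dir.
#
# Booleans are written as true/false and the octal mode is quoted so the
# YAML parser cannot retype them.

# Not delegated: this looks at the target host's own cert directory and
# decides whether the rest of the file does any work.
- name: Check status of etcd certificates
  stat:
    path: "{{ etcd_cert_config_dir }}/{{ item }}"
  with_items:
    - "{{ etcd_cert_prefix }}server.crt"
    - "{{ etcd_cert_prefix }}peer.crt"
    - "{{ etcd_cert_prefix }}ca.crt"
  register: g_etcd_server_cert_stat_result

# True when at least one of the three files above does not exist on the
# target. Every later task is gated on this value.
- name: Determine whether any etcd server certificate is missing
  set_fact:
    etcd_server_certs_missing: >-
      {{ False in (g_etcd_server_cert_stat_result.results
      | oo_collect(attribute='stat.exists')
      | list) }}

# Unencrypted private keys are written into this directory (see -nodes
# below), so it is restricted to the owner.
- name: Ensure generated_certs directory present
  file:
    path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    state: directory
    mode: "0700"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# -nodes: the key is written without a passphrase (etcd must load it
# unattended). SAN is exported for the openssl config; presumably
# etcd_openssl_conf reads it -- verify against that file.
- name: Create the server csr
  command: >
    openssl req -new -keyout {{ etcd_cert_prefix }}server.key
    -config {{ etcd_openssl_conf }}
    -out {{ etcd_cert_prefix }}server.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ etcd_hostname }}
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
              ~ etcd_cert_prefix ~ 'server.csr' }}"
  environment:
    SAN: "IP:{{ etcd_ip }}"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# Certificates must be signed serially in order to avoid competing
# for the serial file.
# NOTE(review): unlike the peer signing task below, this task has no
# "when: etcd_server_certs_missing | bool" guard and relies on creates:
# alone -- confirm whether that asymmetry is intentional.
- name: Sign and create the server crt
  delegated_serial_command:
    command: >
      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
      -out {{ etcd_cert_prefix }}server.crt
      -in {{ etcd_cert_prefix }}server.csr
      -extensions {{ etcd_ca_exts_server }} -batch
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
              ~ etcd_cert_prefix ~ 'server.crt' }}"
  environment:
    SAN: "IP:{{ etcd_ip }}"
  delegate_to: "{{ etcd_ca_host }}"

# Same shape as the server csr; only the file names and extensions differ.
- name: Create the peer csr
  command: >
    openssl req -new -keyout {{ etcd_cert_prefix }}peer.key
    -config {{ etcd_openssl_conf }}
    -out {{ etcd_cert_prefix }}peer.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ etcd_hostname }}
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
              ~ etcd_cert_prefix ~ 'peer.csr' }}"
  environment:
    SAN: "IP:{{ etcd_ip }}"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

- name: Sign and create the peer crt
  delegated_serial_command:
    command: >
      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
      -out {{ etcd_cert_prefix }}peer.crt
      -in {{ etcd_cert_prefix }}peer.csr
      -extensions {{ etcd_ca_exts_peer }} -batch
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
              ~ etcd_cert_prefix ~ 'peer.crt' }}"
  environment:
    SAN: "IP:{{ etcd_ip }}"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# Hard link (state: hard), not a copy: the CA cert is shared with the
# other generated cert subdirs on the CA host.
- name: Hard-link the CA certificate into the generated certs directory
  file:
    src: "{{ etcd_ca_cert }}"
    dest: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
    state: hard
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# Staging directory on the controller. mktemp -d creates it owner-only
# (coreutils default), which matters because the tarball holds private
# keys.
- name: Create local temp directory for syncing certs
  command: mktemp -d /tmp/etcd_certificates-XXXXXXX
  become: false
  register: g_etcd_server_mktemp
  changed_when: false
  when: etcd_server_certs_missing | bool
  delegate_to: localhost

# NOTE(review): the tarball contains server.key and peer.key. No mode is
# set on it here; its permissions come from the CA host's umask -- confirm
# that etcd_generated_certs_dir itself is not readable by other users.
- name: Create a tarball of the etcd certs
  command: >
    tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
    -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
  args:
    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# flat: keep only the file name under the temp dir (no host-path tree).
# fail_on_missing / validate_checksum: a missing or corrupted tarball
# aborts rather than silently leaving the target without certs.
- name: Retrieve etcd cert tarball
  fetch:
    src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    dest: "{{ g_etcd_server_mktemp.stdout }}/"
    flat: true
    fail_on_missing: true
    validate_checksum: true
  when: etcd_server_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# NOTE(review): no mode is set on this directory even though the private
# keys are unpacked into it -- confirm the target's defaults restrict it,
# or set mode: "0700" as the generated_certs directory does.
- name: Ensure certificate directory exists
  file:
    path: "{{ etcd_cert_config_dir }}"
    state: directory
  when: etcd_server_certs_missing | bool

# src is on the controller (the fetched tarball); unarchive copies and
# extracts it on the target.
- name: Unarchive cert tarball
  unarchive:
    src: "{{ g_etcd_server_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
    dest: "{{ etcd_cert_config_dir }}"
  when: etcd_server_certs_missing | bool

# Remove the controller-side copy of the keys once they are installed.
- name: Delete temporary directory
  file:
    path: "{{ g_etcd_server_mktemp.stdout }}"
    state: absent
  become: false
  changed_when: false
  when: etcd_server_certs_missing | bool
  delegate_to: localhost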