- Remove ansible/ from .gitignore - Add vault_agent role (copied from terraform-vsphere-infra) - Add vault_agent-playbook.yml for deployment - Include ansible collections (cloud.terraform, ansible.posix, etc.) - Archive consul_template role as consul_template-legacy The ansible directory contains the vault-agent deployment automation that replaces the legacy consul-template approach.
- name: Install Python3 OpenSSL
|
|
ansible.builtin.apt:
|
|
name: python3-openssl
|
|
state: present
|
|
|
|
- name: Ensure group Certs exists
|
|
ansible.builtin.group:
|
|
state: present
|
|
system: true
|
|
name: "certs"
|
|
|
|
- name: Set permissions to group
|
|
ansible.builtin.file:
|
|
path: /etc/vault.d/ssl
|
|
owner: vault
|
|
group: vault
|
|
mode: '0750'
|
|
state: directory
|
|
|
|
- name: Create Private key (RSA, 4096 bits)
|
|
community.crypto.openssl_privatekey:
|
|
path: /etc/vault.d/ssl/{{ inventory_hostname }}.key
|
|
# run_once: true
|
|
|
|
- name: Set ownership of certificate key file
|
|
ansible.builtin.file:
|
|
path: /etc/ssl/private/private.key
|
|
owner: "vault"
|
|
group: "vault"
|
|
mode: "0640"
|
|
|
|
- name: Create certificate signing request (CSR) for self-signed certificate
|
|
community.crypto.openssl_csr_pipe:
|
|
privatekey_path: /etc/vault.d/ssl/{{ inventory_hostname }}.key
|
|
common_name: "{{ inventory_hostname }}.{{ vault_domain_name }}"
|
|
organization_name: "We Build Your Cloud B.V."
|
|
subject_alt_name:
|
|
- "DNS:localhost"
|
|
- "DNS:{{ inventory_hostname }}"
|
|
- "DNS:{{ inventory_hostname }}.{{ vault_domain_name }}"
|
|
- "IP:{{ ansible_default_ipv4.address }}"
|
|
- "IP:127.0.0.1"
|
|
extended_key_usage:
|
|
- serverAuth
|
|
# run_once: true
|
|
register: csr
|
|
|
|
- name: Sign certificate with our CA
|
|
community.crypto.x509_certificate_pipe:
|
|
csr_content: "{{ csr.csr }}"
|
|
provider: ownca
|
|
ownca_path: /Users/pderuiter/ca/ca-certificate.crt
|
|
ownca_privatekey_path: /Users/pderuiter/ca/ca-certificate.key
|
|
ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
|
|
ownca_not_after: +720d
|
|
ownca_not_before: "-1d"
|
|
delegate_to: localhost
|
|
# run_once: true
|
|
register: certificate
|
|
become: false
|
|
|
|
- name: Write certificate to file on target server
|
|
ansible.builtin.copy:
|
|
dest: /etc/vault.d/ssl/{{ inventory_hostname }}.crt
|
|
content: "{{ certificate.certificate }}"
|
|
owner: "vault"
|
|
group: "vault"
|
|
mode: "0640"
|
|
# run_once: true
|
|
|
|
- name: Copy CA certificate to target system
|
|
ansible.builtin.copy:
|
|
src: /Users/pderuiter/ca/ca-certificate.crt
|
|
dest: /etc/vault.d/ssl/ca-wbyc-certificate.pem
|
|
owner: "vault"
|
|
group: "vault"
|
|
mode: "0640"
|
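Review bot: The "Set ownership of certificate key file" task targets `/etc/ssl/private/private.key`, a path nothing in this file creates, while the key generated two tasks earlier is written to `/etc/vault.d/ssl/{{ inventory_hostname }}.key`; with `ansible.builtin.file` and no `state`, a missing path is expected to fail the run, and the real key keeps whatever owner and mode `community.crypto.openssl_privatekey` applied — under `become`, presumably root-owned, so the vault service may not be able to read it. Pointing the task at the generated file, `path: /etc/vault.d/ssl/{{ inventory_hostname }}.key`, or adding `owner: vault`, `group: vault`, `mode: "0600"` to the key-generation task itself, makes the ownership step act on the key that exists. The CA certificate and CA private key are read from `/Users/pderuiter/ca/...` in the signing task and again in the CA copy task, a personal workstation path that ties the role to one operator's machine; a role default such as `vault_ca_dir` (name constructed) would let the location be set per environment instead of being committed. The `certs` group created at the top is never referenced afterwards — the ssl directory and every file in it are owned `vault:vault` — so that task is either dead or the group meant for the certificate files, and should be dropped or used.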