From d7d247ee75cb50ce14b4ec49dd2bd6b4758ce6a1 Mon Sep 17 00:00:00 2001
From: Cory Hawkless
Date: Thu, 30 Jul 2020 17:20:30 +0930
Subject: [PATCH] data

---
 tasks/main.yml | 37 ++++++++++++++++++++++++++++++
 templates/requestCertificate.sh.j2 | 19 +++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 tasks/main.yml
 create mode 100644 templates/requestCertificate.sh.j2

diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..214bfca
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Copy CA file to local Trusted root CA store
+ copy: src="ca.crt" dest="/etc/ssl/certs/my-ca.crt"
+ #ags: certificate
+
+ #Step1 - Check if certificate file is in place
+- name: Check that the host certificate exists
+ stat:
+ path: /etc/ssl/private/{{inventory_hostname}}.{{local_domainname}}.key
+ register: stat_result
+ tags: certificate
+
+- debug: msg="File does not exist.. Running request script"
+ tags: certificate
+ when: stat_result.stat is defined and not stat_result.stat.exists
+
+
+- debug: msg="File exists, skipping"
+ tags: certificate
+ when: stat_result.stat is defined and stat_result.stat.exists
+
+ #Step2 - If certificate does not exist, copy down the batch file
+- name: "Copy certificate request script to /tmp ready for execution"
+ copy: src="requestCertificate.sh" dest=/tmp/reqCrt.sh mode=0700
+ when: stat_result.stat is defined and not stat_result.stat.exists
+ tags: certificate
+
+ #Step3 - Execute the batch file with environment variables
+- name: Request new certificate from Vault
+ shell: /tmp/reqCrt.sh
+ environment:
+ VAULT_ADDR: "{{ vault_address }}"
+ VAULT_TOKEN: "{{ vault_token }}"
+ VAULT_UNSEAL_KEY1: "{{ vault_unseal_key1 }}"
+ VAULT_UNSEAL_KEY2: "{{ vault_unseal_key2 }}"
+ VAULT_UNSEAL_KEY3: "{{ vault_unseal_key3 }}"
+ when: stat_result.stat is defined and not stat_result.stat.exists
+ tags: certificate
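Review bot: The "Request new certificate from Vault" task hands every managed host the three Vault unseal keys plus a Vault token through `environment:`, so compromising any one client gives the ability to unseal Vault; unsealing belongs with the Vault operators, a client only needs a token scoped to the issue path, so the `VAULT_UNSEAL_KEY*` entries should go and the task should carry `no_log: true` so the token does not reach verbose output or the log. Separately, `copy: src="requestCertificate.sh"` looks for `files/requestCertificate.sh`, but the commit adds `templates/requestCertificate.sh.j2`, whose `{{local_domainname}}` and `{{vaultStoreName}}` are only rendered by `template: src=requestCertificate.sh.j2 dest=/tmp/reqCrt.sh mode="0700"`. The existence check keys on `{{inventory_hostname}}` while the script names the files with `$(hostname)`; wherever those differ the certificate is re-issued on every run. The `#ags: certificate` line on the first task appears to be a typo for `tags:`.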
diff --git a/templates/requestCertificate.sh.j2 b/templates/requestCertificate.sh.j2
new file mode 100644
index 0000000..b0d4d84
--- /dev/null
+++ b/templates/requestCertificate.sh.j2
@@ -0,0 +1,19 @@
+echo $VAULT_ADDR $VAULT_TOKEN
+
+curl --request POST --data '{"key": "'$VAULT_UNSEAL_KEY1'"}' $VAULT_ADDR/v1/sys/unseal
+curl --request POST --data '{"key": "'$VAULT_UNSEAL_KEY2'"}' $VAULT_ADDR/v1/sys/unseal
+curl --request POST --data '{"key": "'$VAULT_UNSEAL_KEY3'"}' $VAULT_ADDR/v1/sys/unseal
+
+CERTNAME=$(hostname).{{local_domainname}}
+curl --header "X-Vault-Token: $VAULT_TOKEN" \
+--request POST \
+--data '{"common_name": "'$CERTNAME'", "ttl": "43800h"}' \
+$VAULT_ADDR/v1/rootca_store/issue/{{vaultStoreName}} > certificateResult.txt
+
+jq .data.private_key certificateResult.txt | sed "s/\"//g" | sed "s/\\\n/\n/g" > cert.pem
+jq .data.certificate certificateResult.txt | sed "s/\"//g" | sed "s/\\\n/\n/g" > cert.crt
+
+mv cert.pem /etc/ssl/private/$(hostname).{{local_domainname}}.key
+mv cert.crt /etc/ssl/certs/$(hostname).{{local_domainname}}.crt
+
+rm certificateResult.txt
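Review bot: The first line, `echo $VAULT_ADDR $VAULT_TOKEN`, writes the Vault token to stdout, which the calling `shell` task captures and can surface in play output; drop the token from it, e.g. `echo "$VAULT_ADDR"`. `certificateResult.txt` and `cert.pem` hold the private key but are created in whatever the current directory is under the default umask, and `mv` carries those permissions into `/etc/ssl/private/`; start the script with `set -euo pipefail` and `umask 077` and build the files under `mktemp -d`. None of the `curl` calls is checked, so a failed issue request leaves empty `cert.pem`/`cert.crt` that are still moved into place, after which the play's existence check never retries; `--fail` on the issue request together with `set -e` covers this. The unseal keys are also passed as `curl` arguments, where they are visible in the process list to any local user, which is one more reason unsealing should not happen from the client. `jq -r` emits the raw string with real newlines, so the two `sed` passes are unnecessary.
```shell
set -euo pipefail
umask 077
WORKDIR=$(mktemp -d)
echo "$VAULT_ADDR"

# … unchanged: unseal requests (see note) …

CERTNAME=$(hostname).{{local_domainname}}
curl --fail --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data '{"common_name": "'$CERTNAME'", "ttl": "43800h"}' \
$VAULT_ADDR/v1/rootca_store/issue/{{vaultStoreName}} > "$WORKDIR/certificateResult.txt"

jq -r .data.private_key "$WORKDIR/certificateResult.txt" > "$WORKDIR/cert.pem"
jq -r .data.certificate "$WORKDIR/certificateResult.txt" > "$WORKDIR/cert.crt"

# … unchanged: mv into /etc/ssl and cleanup, with sources under $WORKDIR …
```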