data
This commit is contained in:
parent
c40b6306b3
commit
d7d247ee75
|
@ -0,0 +1,37 @@
|
||||||
|
- name: Copy CA file to local Trusted root CA store
|
||||||
|
copy: src="ca.crt" dest="/etc/ssl/certs/my-ca.crt"
|
||||||
|
#ags: certificate
|
||||||
|
|
||||||
|
#Step1 - Check if certificate file is in place
|
||||||
|
- name: Check that the host certificate exists
|
||||||
|
stat:
|
||||||
|
path: /etc/ssl/private/{{inventory_hostname}}.{{local_domainname}}.key
|
||||||
|
register: stat_result
|
||||||
|
tags: certificate
|
||||||
|
|
||||||
|
- debug: msg="File does not exist.. Running request script"
|
||||||
|
tags: certificate
|
||||||
|
when: stat_result.stat is defined and not stat_result.stat.exists
|
||||||
|
|
||||||
|
|
||||||
|
- debug: msg="File exists, skipping"
|
||||||
|
tags: certificate
|
||||||
|
when: stat_result.stat is defined and stat_result.stat.exists
|
||||||
|
|
||||||
|
#Step2 - If certificate does not exist, copy down the batch file
|
||||||
|
- name: "Copy certificate request script to /tmp ready for execution"
|
||||||
|
copy: src="requestCertificate.sh" dest=/tmp/reqCrt.sh mode=0700
|
||||||
|
when: stat_result.stat is defined and not stat_result.stat.exists
|
||||||
|
tags: certificate
|
||||||
|
|
||||||
|
#Step3 - Execute the batch file with environment variables
|
||||||
|
- name: Request new certificate from Vault
|
||||||
|
shell: /tmp/reqCrt.sh
|
||||||
|
environment:
|
||||||
|
VAULT_ADDR: "{{ vault_address }}"
|
||||||
|
VAULT_TOKEN: "{{ vault_token }}"
|
||||||
|
VAULT_UNSEAL_KEY1: "{{ vault_unseal_key1 }}"
|
||||||
|
VAULT_UNSEAL_KEY2: "{{ vault_unseal_key2 }}"
|
||||||
|
VAULT_UNSEAL_KEY3: "{{ vault_unseal_key3 }}"
|
||||||
|
when: stat_result.stat is defined and not stat_result.stat.exists
|
||||||
|
tags: certificate
|
|
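Review bot: The request script copied at `copy: src="requestCertificate.sh" dest=/tmp/reqCrt.sh mode=0700` contains Jinja expressions (`{{local_domainname}}`, `{{vaultStoreName}}` in the second file of this commit), but `copy` does not render templates, so the script will run with those placeholders left literal and the CSR common name and issue URL will be wrong; this task should use `template: src="requestCertificate.sh" dest=/tmp/reqCrt.sh mode=0700` (or the script must read these values from the environment like it does for the Vault settings). The "Request new certificate from Vault" task passes `vault_token` and three unseal keys through `environment:` and the script echoes the token, so the task's captured stdout and any verbose run will contain them; add `no_log: true` to that task. `#ags: certificate` under the first task looks like a commented-out `tags: certificate`, which means the CA copy is silently excluded when the play is run with `--tags certificate`. The rendered page has dropped the YAML indentation, so the nesting of `copy:`/`stat:`/`when:` under each task could not be verified here.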
@ -0,0 +1,19 @@
|
||||||
|
echo $VAULT_ADDR $VAULT_TOKEN
|
||||||
|
|
||||||
|
curl --request POST --data '{"key": "'$VAULT_UNSEAL_KEY1'"}' $VAULT_ADDR/v1/sys/unseal
|
||||||
|
curl --request POST --data '{"key": "'$VAULT_UNSEAL_KEY2'"}' $VAULT_ADDR/v1/sys/unseal
|
||||||
|
curl --request POST --data '{"key": "'$VAULT_UNSEAL_KEY3'"}' $VAULT_ADDR/v1/sys/unseal
|
||||||
|
|
||||||
|
CERTNAME=$(hostname).{{local_domainname}}
|
||||||
|
curl --header "X-Vault-Token: $VAULT_TOKEN" \
|
||||||
|
--request POST \
|
||||||
|
--data '{"common_name": "'$CERTNAME'", "ttl": "43800h"}' \
|
||||||
|
$VAULT_ADDR/v1/rootca_store/issue/{{vaultStoreName}} > certificateResult.txt
|
||||||
|
|
||||||
|
jq .data.private_key certificateResult.txt | sed "s/\"//g" | sed "s/\\\n/\n/g" > cert.pem
|
||||||
|
jq .data.certificate certificateResult.txt | sed "s/\"//g" | sed "s/\\\n/\n/g" > cert.crt
|
||||||
|
|
||||||
|
mv cert.pem /etc/ssl/private/$(hostname).{{local_domainname}}.key
|
||||||
|
mv cert.crt /etc/ssl/certs/$(hostname).{{local_domainname}}.crt
|
||||||
|
|
||||||
|
rm certificateResult.txt
|
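Review bot: The private key is first written to the working directory by `jq .data.private_key certificateResult.txt ... > cert.pem` with the caller's default umask, and `mv` then carries those permissions into /etc/ssl/private, so the key file is likely group/world readable; set `umask 077` before anything is written. `echo $VAULT_ADDR $VAULT_TOKEN` on the first line prints the token into the task output and should be removed. Nothing checks the curl results, so if unseal or issue fails the script still moves empty or partial files over the host's key and certificate; `set -euo pipefail` at the top makes every failure abort before the `mv` lines. The two `jq | sed | sed` pipelines can be replaced by `jq -r`, which emits the string with real newlines and no quotes. Shipping all three unseal keys to every host that needs a certificate also gives each host the ability to unseal Vault; consider whether the unseal step belongs on the client at all.
```shell
set -euo pipefail
umask 077
# … unchanged: unseal requests …
# … unchanged: CERTNAME and issue request …
jq -r .data.private_key certificateResult.txt > cert.pem
jq -r .data.certificate certificateResult.txt > cert.crt
# … unchanged: mv and rm …
```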