

* Manager certificate for master, satellite and agent in one block of…
… tasks

* Copy the certificate from delegated host to endpoint if necessary
afeefghannam89 committed May 17, 2024
1 parent 6ac2f7c commit d9f3367
Showing 1 changed file with 62 additions and 119 deletions.
181 changes: 62 additions & 119 deletions roles/icinga2/tasks/features/api.yml
Expand Up @@ -96,7 +96,7 @@
path: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
register: icinga2_ssl_cert_path

- name: certificate request
- name: create certificatete on delegated host
when: (icinga2_ssl_cert_path.stat.exists == false or icinga2_ssl_key_path.stat.exists == false or icinga2_force_newcert) and icinga2_ssl_cacert is not defined
block:
- name: create cert path
Expand All @@ -107,48 +107,16 @@
group: "{{ icinga2_group }}"
mode: "0750"

- name: save trusted-master.crt
- name: save trusted-master.crt on delegated host
shell: >-
icinga2 pki save-cert
--host "{{ icinga2_ca_host }}"
--port "{{ icinga2_ca_host_port | default('5665') }}"
--trustedcert "{{ icinga2_cert_path }}/trusted-master.crt"
when:
- icinga2_ca_host != 'none'
- icinga2_delegate_host is not defined
register: _trusted_master_cert

#- name: fetch master certificat with delegate host
# when:
# - icinga2_delegate_host is defined
# block:

# - name: save trusted-master.crt (delegate host)
# shell: >-
# icinga2 pki save-cert
# --host "{{ icinga2_ca_host }}"
# --port "{{ icinga2_ca_host_port | default('5665') }}"
# --trustedcert "{{ icinga2_cert_path }}/trusted-master.crt"
# when:
# - icinga2_ca_host != 'none'
# register: _trusted_master_cert
# args:
# creates: "{{ icinga2_cert_path }}/trusted-master.crt"
# delegate_to: "{{ icinga2_delegate_host }}"

# - name: slurp trusted master cert
# slurp:
# path: "{{ icinga2_cert_path }}/trusted-master.crt"
# register: icinga2_trusted_master_cert
# delegate_to: "{{ icinga2_delegate_host }}"

# - name: write slurped certificate to host
# copy:
# dest: "{{ icinga2_cert_path }}/trusted-master.crt"
# owner: icinga
# group: icinga
# mode: 0644
# content: "{{ icinga2_trusted_master_cert['content'] | b64decode }}"
delegate_to: "{{ icinga2_delegate_host }}"

- name: normalize ca fingerprint
set_fact:
Expand All @@ -162,20 +130,30 @@
- icinga2_ca_fingerprint is defined
- _trusted_master_cert.stdout | regex_search(_ca_fingerprint_normalized, multiline=True) is none

- name: generate private and public key
- name: generate private and public key on delgated host
shell: >-
icinga2 pki new-cert
--cn "{{ icinga2_cert_name }}"
--key "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.key"
{% if icinga2_ca_host != 'none' %} --cert "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt" {% else %} --csr "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.csr" {%- endif %}
delegate_to: "{{ icinga2_delegate_host }}"

- name: copy CA root certificate on master
copy:
src: "{{ icinga2_ca_path }}/ca.crt"
dest: "{{ icinga2_cert_path }}/ca.crt"
owner: "{{ icinga2_user }}"
group: "{{ icinga2_group }}"
remote_src: yes
when: icinga2_ca_host == 'none'

- name: delegate ticket request to master
shell: icinga2 pki ticket --cn "{{ icinga2_cert_name }}" {% if icinga2_ticket_salt is defined %} --salt "{{ icinga2_ticket_salt }}"{% endif %}
delegate_to: "{{ icinga2_delegate_host | default(icinga2_ca_host) }}"
register: icinga2_ticket
when: icinga2_ca_host != 'none'

- name: get certificate
- name: get certificate on delegatted host
shell: >-
icinga2 pki {% if icinga2_ca_host != 'none' %} request
--ticket "{{ icinga2_ticket.stdout }}"
Expand All @@ -187,91 +165,56 @@
{% else %} sign-csr --csr "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.csr" {%- endif %}
--cert "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
notify: reload icinga2 service
when:
- icinga2_delegate_host is not defined
delegate_to: "{{ icinga2_delegate_host | default(icinga2_ca_host) }}"

- name: fetch certificate from delegate host
when:
- icinga2_delegate_host is defined
block:
- name: slurp key
slurp:
path: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.key"
register: icinga2_key

- name: slurp certificate
slurp:
path: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
register: icinga2_certificate

- name: slurp ca certificate
slurp:
path: "{{ icinga2_cert_path }}/ca.crt"
register: icinga2_ca_certificate
delegate_to: "{{ icinga2_delegate_host }}"

- name: put ca certificate
copy:
dest: "{{ icinga2_cert_path }}/ca.crt"
owner: icinga
group: icinga
mode: 0644
content: "{{ icinga2_ca_certificate['content'] | b64decode }}"
notify: reload icinga2 service

- name: put key
copy:
dest: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.key"
owner: icinga
group: icinga
mode: 0600
content: "{{ icinga2_key['content'] | b64decode }}"
delegate_to: "{{ icinga2_delegate_host }}"

- name: put certificate
copy:
dest: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
owner: icinga
group: icinga
mode: 0600
content: "{{ icinga2_certificate['content'] | b64decode }}"
delegate_to: "{{ icinga2_delegate_host }}"

- name: get certificate delegated
shell: >-
icinga2 pki request
--ticket "{{ icinga2_ticket.stdout }}"
--host "{{ icinga2_ca_host }}"
--port "{{ icinga2_ca_host_port | default('5665') }}"
--ca "{{ icinga2_cert_path }}/ca.crt"
--key "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.key"
--trustedcert "{{ icinga2_cert_path }}/trusted-master.crt"
--cert "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
delegate_to: "{{ icinga2_delegate_host }}"

- name: slurp certificate
slurp:
path: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
register: icinga2_certificate
delegate_to: "{{ icinga2_delegate_host }}"

- name: put certificate
copy:
dest: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
owner: icinga
group: icinga
mode: 0600
content: "{{ icinga2_certificate['content'] | b64decode }}"
notify: reload icinga2 service
- name: fetch certificate from delegate host to icinga endpoint
when:
- icinga2_delegate_host is defined and icinga2_delegate_host != ansible_fqdn
block:
- name: slurp icinga endpoint key
slurp:
path: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.key"
register: icinga2_key
delegate_to: "{{ icinga2_delegate_host }}"

- name: slurp icinga endpoint certificate
slurp:
path: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
register: icinga2_certificate
delegate_to: "{{ icinga2_delegate_host }}"

- name: slurp ca certificate
slurp:
path: "{{ icinga2_cert_path }}/ca.crt"
register: icinga2_ca_certificate
delegate_to: "{{ icinga2_delegate_host }}"

- name: put ca certificate
copy:
dest: "{{ icinga2_cert_path }}/ca.crt"
owner: icinga
group: icinga
mode: 0644
content: "{{ icinga2_ca_certificate['content'] | b64decode }}"
notify: reload icinga2 service

- name: copy CA root certificate
- name: put icinga endpoint key
copy:
src: "{{ icinga2_ca_path }}/ca.crt"
dest: "{{ icinga2_cert_path }}/ca.crt"
owner: "{{ icinga2_user }}"
group: "{{ icinga2_group }}"
remote_src: yes
when: icinga2_ca_host == 'none'
dest: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.key"
owner: icinga
group: icinga
mode: 0600
content: "{{ icinga2_key['content'] | b64decode }}"
notify: reload icinga2 service

- name: put icinga endpoint certificate
copy:
dest: "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt"
owner: icinga
group: icinga
mode: 0600
content: "{{ icinga2_certificate['content'] | b64decode }}"
notify: reload icinga2 service

- name: Use self generated certificates
block:
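Review bot: The endpoint's private key passes through the controller without `no_log` — `slurp icinga endpoint key` registers it in `icinga2_key` and `put icinga endpoint key` writes it back via `content:` — so with verbose output, or any callback that records registered results, the key bytes land in logs; add `no_log: true` to both of those tasks (the CA and public-certificate tasks can stay logged). `delegate_to: "{{ icinga2_delegate_host }}"` on `save trusted-master.crt on delegated host` and `generate private and public key on delgated host` has no fallback while `get certificate on delegatted host` uses `"{{ icinga2_delegate_host | default(icinga2_ca_host) }}"`; unless the role defines a default for `icinga2_delegate_host` (not visible here), hosts without it — a case the `icinga2_delegate_host is defined and …` guard further down explicitly anticipates — fail on an undefined variable, so the same `| default(icinga2_ca_host)` presumably belongs on those two tasks. Minor: the new `put …` tasks hard-code `owner: icinga` / `group: icinga` and write unquoted `mode: 0644` / `mode: 0600`, whereas the sibling `copy CA root certificate on master` task uses `"{{ icinga2_user }}"` / `"{{ icinga2_group }}"` and the earlier `create cert path` task quotes `mode: "0750"`; using the variables and quoting the modes keeps the file consistent. The `Use self generated certificates` block that begins on the hunk's last lines continues outside the hunk.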

