---
# file: roles/ovn/tasks/pki.yml
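# Read this host's KV2 entry from Vault. The lookup runs on the controller,
# so the Vault token never reaches the managed host. The entry carries the
# server private key, hence no_log (set_fact echoes its facts under -v).
#
# The path is built the same way the write task below builds it
# (host_vars_location, defaulting to "host_vars"); previously the read used
# a hard-coded "host_vars/" prefix, so a non-default host_vars_location
# made every run miss the stored certificate and issue a new one.
#
# NOTE(review): ansible_hostname is a fact reported by the managed host. A
# host that reports another node's hostname would read (and, in the rescue
# below, overwrite) that node's entry. inventory_hostname is the
# controller-side identity; switching both read and write to it changes the
# KV layout, so do it deliberately.
# NOTE(review): the vault_kv2_get lookup appears to raise on a missing path,
# so a host with no pre-seeded entry fails here rather than reaching the
# rescue in the next task — confirm entries are created ahead of time.
- name: "Get {{ ansible_hostname }} secrets from hashicorp vault"
  ansible.builtin.set_fact:
    ovn_hv_host_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', (host_vars_location | default('host_vars')) + '/' + ansible_hostname, engine_mount_point='talas-kv') }}"
  no_log: true
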
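# Reuse the server key/serial stored in the host's KV entry. If either key
# is absent, the set_fact fails on the missing attribute and the rescue
# issues a fresh certificate from the PKI engine and stores it back.
#
# Every task that carries the private key (facts, registered module result,
# KV write payload) is no_log so it does not appear in -v output. The
# extract step's failure message is hidden too, but it is rescued anyway.
#
# NOTE(review): the rescue runs on *any* failure of the extract step, not
# only on a missing key. CAS rejects a write against a stale version, but a
# certificate is still issued by the PKI role in that case — TODO confirm
# that is acceptable (issued certs are visible in the PKI engine).
# NOTE(review): in check mode the rescue skips the set_fact, leaving
# ovn_cert_server_* undefined for the tasks that follow.
- name: "handle server certificates"
  block:
    - name: "Extract cert and private key from hashicorp vault"
      ansible.builtin.set_fact:
        ovn_cert_server_private_key: "{{ ovn_hv_host_secrets.secret.ovn_cert_server_private_key }}"
        ovn_cert_server_serial_number: "{{ ovn_hv_host_secrets.secret.ovn_cert_server_serial_number }}"
      no_log: true
  rescue:
    # Runs on the controller (delegate_to localhost, no become) so the Vault
    # token and the freshly generated key stay there.
    - name: "Generate a certificate"
      community.hashi_vault.vault_pki_generate_certificate:
        engine_mount_point: "pki"
        role_name: "ovn"
        common_name: "OVN certificate for {{ ansible_hostname }}"
      register: ovn_cert_server_data
      delegate_to: localhost
      become: false
      no_log: true

    - name: "Set cert serial number and private key"
      ansible.builtin.set_fact:
        ovn_cert_server_serial_number: "{{ ovn_cert_server_data.data.data.serial_number }}"
        ovn_cert_server_private_key: "{{ ovn_cert_server_data.data.data.private_key }}"
      no_log: true
      when: not ansible_check_mode

    # Merge the new values into the existing entry so other keys survive.
    # cas pins the write to the version read earlier (0 = create only), so a
    # concurrent run cannot silently clobber a newer entry.
    # The path matches the read task: host_vars_location, default "host_vars".
    - name: "Write the cert serial number and private key in hashicorp vault"
      community.hashi_vault.vault_kv2_write:
        engine_mount_point: talas-kv
        path: "{{ host_vars_location | default('host_vars') }}/{{ ansible_hostname }}"
        cas: "{{ ovn_hv_host_secrets.metadata.version | default('0') | int }}"
        data: "{{ ovn_hv_host_secrets.secret | default({}) | combine(ovn_new_vars) }}"
      vars:
        ovn_new_vars:
          ovn_cert_server_serial_number: "{{ ovn_cert_server_serial_number }}"
          ovn_cert_server_private_key: "{{ ovn_cert_server_private_key }}"
      delegate_to: localhost
      become: false
      no_log: true
      when: not ansible_check_mode
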
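# Fetch the issuing CA chain and the leaf certificate for the stored serial.
# Both are public material, so no no_log is needed here.
#
# The chain entries are joined with a newline: each PEM block must start on
# its own line and Vault does not guarantee a trailing newline on every
# entry, so a plain join() could glue "-----END" to "-----BEGIN". A missing
# or empty ca_chain yields an empty string instead of a filter error.
#
# NOTE(review): nothing checks the stored certificate's validity period or
# revocation status; an expired or revoked cert is redeployed on every run
# until the KV entry is cleared — consider checking notAfter here and
# falling back to re-issue.
- name: "Get cert and issuing certificates from hashicorp vault pki"
  ansible.builtin.set_fact:
    ovn_cert_server_issuing_ca_chain: "{{ lookup('community.hashi_vault.vault_read', 'pki/issuer/OVN') | community.general.json_query('data.ca_chain') | default([], true) | join('\\n') | trim }}"
    # Despite the name this is the host's *server* certificate (written to
    # /etc/ovn/server.crt below), not a CA certificate.
    ovn_cert_server_ca: "{{ lookup('community.hashi_vault.vault_read', 'pki/cert/' + ovn_cert_server_serial_number) | community.general.json_query('data.certificate') }}"
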
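# Issuing CA chain, world-readable (public material).
# Notifies the same SSL handlers as the key task: an issuer rotation changes
# this file without touching server.key, and previously that change did not
# trigger any reconfiguration.
- name: "/etc/ovn/ca.crt"
  ansible.builtin.copy:
    content: "{{ ovn_cert_server_issuing_ca_chain }}\n"
    dest: "/etc/ovn/ca.crt"
    mode: "0644"
  notify:
    - Configure OVN central northbound DB for SSL (certs)
    - Configure OVN central northbound DB for SSL (ports)
    - Configure OVN central southbound DB for SSL (certs)
    - Configure OVN central southbound DB for SSL (ports)
    - Configure OVN IC northbound DB for SSL (certs)
    - Configure OVN IC northbound DB for SSL (ports)
    - Configure OVN IC southbound DB for SSL (certs)
    - Configure OVN IC southbound DB for SSL (ports)
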
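# Host server certificate (the fact is named ..._ca but holds the leaf
# cert), world-readable. Notifies the SSL handlers like the key task does,
# so a cert change is applied even when the key file is unchanged.
- name: "/etc/ovn/server.crt"
  ansible.builtin.copy:
    content: "{{ ovn_cert_server_ca }}\n"
    dest: "/etc/ovn/server.crt"
    mode: "0644"
  notify:
    - Configure OVN central northbound DB for SSL (certs)
    - Configure OVN central northbound DB for SSL (ports)
    - Configure OVN central southbound DB for SSL (certs)
    - Configure OVN central southbound DB for SSL (ports)
    - Configure OVN IC northbound DB for SSL (certs)
    - Configure OVN IC northbound DB for SSL (ports)
    - Configure OVN IC southbound DB for SSL (certs)
    - Configure OVN IC southbound DB for SSL (ports)
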
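# Server private key: owner-only mode, and no_log so neither --diff nor -v
# prints the key material (copy with content: shows it in diff output).
# Handlers re-point the OVN northbound/southbound DBs at the new files.
#
# NOTE(review): no owner/group is set, so the file belongs to the connecting
# (become) user; confirm the OVN daemons run as that user, otherwise add
# owner/group matching the service account.
- name: "/etc/ovn/server.key"
  ansible.builtin.copy:
    content: "{{ ovn_cert_server_private_key }}\n"
    dest: "/etc/ovn/server.key"
    mode: "0600"
  no_log: true
  notify:
    - Configure OVN central northbound DB for SSL (certs)
    - Configure OVN central northbound DB for SSL (ports)
    - Configure OVN central southbound DB for SSL (certs)
    - Configure OVN central southbound DB for SSL (ports)
    - Configure OVN IC northbound DB for SSL (certs)
    - Configure OVN IC northbound DB for SSL (ports)
    - Configure OVN IC southbound DB for SSL (certs)
    - Configure OVN IC southbound DB for SSL (ports)
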
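# Cluster-wide incus client certificate, stored in the group's KV entry.
# Same pattern as the server block: reuse what is stored, otherwise issue a
# new one in the rescue and write it back under CAS. Only the cluster's main
# node performs this (when: at the bottom), so the facts are set on that
# host only.
#
# Every task carrying the private key is no_log so it is not echoed under -v.
#
# NOTE(review): the gate compares ansible_hostname — a fact the managed host
# reports — with ovn_cluster_main_name. If ovn_cluster_main_name is an
# inventory name, compare inventory_hostname instead; either way a host can
# only elect itself by what it reports — confirm this is acceptable.
# NOTE(review): as in the server block, the rescue fires on any failure of
# the extract step, and in check mode the facts stay undefined.
- name: "handle incus_client certificates"
  block:
    - name: "Get {{ ovn_cluster_name }} secrets from hashicorp vault"
      ansible.builtin.set_fact:
        ovn_hv_group_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'group_vars/' + ovn_cluster_name, engine_mount_point='talas-kv') }}"
      no_log: true

    - name: "Make sure that cert and private key are present in hashicorp vault"
      ansible.builtin.set_fact:
        ovn_cert_incus_client_private_key: "{{ ovn_hv_group_secrets.secret.ovn_cert_incus_client_private_key }}"
        ovn_cert_incus_client_serial_number: "{{ ovn_hv_group_secrets.secret.ovn_cert_incus_client_serial_number }}"
      no_log: true
  rescue:
    # Runs on the controller so the Vault token and the new key stay there.
    - name: "Generate a certificate for incus client"
      community.hashi_vault.vault_pki_generate_certificate:
        engine_mount_point: "pki"
        role_name: "ovn"
        common_name: "OVN certificate for incus {{ ovn_cluster_name }}"
      register: ovn_cert_incus_client_data
      delegate_to: localhost
      become: false
      no_log: true

    - name: "Set cert serial number and private key for incus client"
      ansible.builtin.set_fact:
        ovn_cert_incus_client_serial_number: "{{ ovn_cert_incus_client_data.data.data.serial_number }}"
        ovn_cert_incus_client_private_key: "{{ ovn_cert_incus_client_data.data.data.private_key }}"
      no_log: true
      when: not ansible_check_mode

    # Merge into the existing entry; cas pins the write to the version read
    # above (0 = create only) so a concurrent run cannot clobber it.
    - name: "Write the cert serial number and private key for incus client in hashicorp vault"
      community.hashi_vault.vault_kv2_write:
        engine_mount_point: talas-kv
        path: "group_vars/{{ ovn_cluster_name }}"
        cas: "{{ ovn_hv_group_secrets.metadata.version | default('0') | int }}"
        data: "{{ ovn_hv_group_secrets.secret | default({}) | combine(ovn_new_vars) }}"
      vars:
        ovn_new_vars:
          ovn_cert_incus_client_serial_number: "{{ ovn_cert_incus_client_serial_number }}"
          ovn_cert_incus_client_private_key: "{{ ovn_cert_incus_client_private_key }}"
      delegate_to: localhost
      become: false
      no_log: true
      when: not ansible_check_mode
  when: ansible_hostname == ovn_cluster_main_name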