diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2021-06-10 01:15:32 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2021-06-20 01:44:16 +0200 |
| commit | 6082a92fa86d121d3ea4256859ee4c9d412e78c0 (patch) | |
| tree | 56ece20d6814f1cf5e0479b940d1d2366edfdd2b /roles/monitoring/prometheus/server/tasks/tls.yml | |
| parent | prometheus: move CA to seperate role and add prometheus zone groups (diff) | |
promethues: remote certificate signing for exporter/base
Diffstat (limited to 'roles/monitoring/prometheus/server/tasks/tls.yml')
| -rw-r--r-- | roles/monitoring/prometheus/server/tasks/tls.yml | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml index 5c112e12..940c69b1 100644 --- a/roles/monitoring/prometheus/server/tasks/tls.yml +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -17,9 +17,9 @@ group: prometheus mode: 0750 -- name: create private key to connect to exporter +- name: create private key for scrape-client certificate openssl_privatekey: - path: /etc/ssl/prometheus/server/exporter-key.pem + path: /etc/ssl/prometheus/server/scrape-key.pem type: RSA size: 4096 owner: prometheus @@ -27,10 +27,10 @@ mode: 0400 notify: reload prometheus -- name: create signing request for client certificate to connect to exporter +- name: create signing request for scrape-client certificate openssl_csr: - path: /etc/ssl/prometheus/server/exporter-csr.pem - privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem + path: /etc/ssl/prometheus/server/scrape-csr.pem + privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem CN: "{{ inventory_hostname }}" subject_alt_name: - "DNS:{{ host_name }}.{{ host_domain }}" @@ -45,17 +45,31 @@ - 'CA:FALSE' basic_constraints_critical: yes +## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host + +- name: check if scrape-client certificate exists + stat: + path: /etc/ssl/prometheus/server/scrape-crt.pem + register: prometheus_server_scrape_client_cert + +- name: check scrape-client certificate validity + when: prometheus_server_scrape_client_cert.stat.exists + openssl_certificate_info: + path: /etc/ssl/prometheus/server/scrape-crt.pem + valid_at: + ten_years: '+3650d' + register: prometheus_server_scrape_client_cert_info + ## TODO: implement remote signing? -- name: create client certificate to connect to exporter +- name: create scrape-client certificate openssl_certificate: - path: /etc/ssl/prometheus/server/exporter-crt.pem - csr_path: /etc/ssl/prometheus/server/exporter-csr.pem + path: /etc/ssl/prometheus/server/scrape-crt.pem + csr_path: /etc/ssl/prometheus/server/scrape-csr.pem provider: ownca ownca_path: /etc/ssl/prometheus/ca-crt.pem ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem ownca_digest: sha256 ownca_not_after: "+18250d" ## 50 years + force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}" notify: reload prometheus - -## TODO: install /etc/ssl/prometheus/ca-crt.pem from server |