prometheus: move CA to seperate role and add prometheus zone groups

author: Christian Pointner <equinox@spreadspace.org> 2021-06-06 14:57:25 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2021-06-20 01:44:16 +0200
commit: 8ab24a10ac669ade61761d37e68207b402bc277c (patch)
tree: 61572076d0789086f38c72cd0f33eaa2a985e4a7 /roles/monitoring
parent: prometheus: fix blackbox exporter icmp probes (diff)
2 files changed, 61 insertions, 46 deletions
diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml
new file mode 100644
index 00000000..9f166321
--- /dev/null
+++ b/roles/monitoring/prometheus/ca/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: install python-cryptoraphy
+  apt:
+    name: "{{ python_basename }}-cryptography"
+    state: present
+
+- name: create base directory
+  file:
+    path: /etc/ssl/prometheus
+    state: directory
+
+- name: create CA directory
+  file:
+    path: /etc/ssl/prometheus/ca
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: create CA private key
+  openssl_privatekey:
+    path: /etc/ssl/prometheus/ca/key.pem
+    type: RSA
+    size: 4096
+    owner: root
+    group: root
+    mode: 0600
+
+- name: create signing request for CA certificate
+  openssl_csr:
+    path: /etc/ssl/prometheus/ca/csr.pem
+    privatekey_path: /etc/ssl/prometheus/ca/key.pem
+    CN: "CA for promethues zone {{ promethues_zone_name }}"
+    useCommonNameForSAN: no
+    key_usage:
+    - cRLSign
+    - digitalSignature
+    - keyCertSign
+    key_usage_critical: yes
+    basic_constraints:
+    - 'CA:TRUE'
+    - 'pathlen:0'
+    basic_constraints_critical: yes
+
+- name: create self-signed CA certificate
+  openssl_certificate:
+    path: /etc/ssl/prometheus/ca-crt.pem
+    csr_path: /etc/ssl/prometheus/ca/csr.pem
+    privatekey_path: /etc/ssl/prometheus/ca/key.pem
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_not_after: "+18250d" ## 50 years
diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml
index f9ad5ca3..5c112e12 100644
--- a/roles/monitoring/prometheus/server/tasks/tls.yml
+++ b/roles/monitoring/prometheus/server/tasks/tls.yml
@@ -9,14 +9,6 @@
     path: /etc/ssl/prometheus
     state: directory
 
-- name: create CA directory
-  file:
-    path: /etc/ssl/prometheus/ca
-    state: directory
-    owner: root
-    group: root
-    mode: 0700
-
 - name: create server cert/key directory
   file:
     path: /etc/ssl/prometheus/server
@@ -25,42 +17,7 @@
     group: prometheus
     mode: 0750
 
-- name: create CA private key
-  openssl_privatekey:
-    path: /etc/ssl/prometheus/ca/key.pem
-    type: RSA
-    size: 4096
-    owner: root
-    group: root
-    mode: 0600
-
-- name: create signing request for CA certificate
-  openssl_csr:
-    path: /etc/ssl/prometheus/ca/csr.pem
-    privatekey_path: /etc/ssl/prometheus/ca/key.pem
-    CN: "prometheus CA"
-    useCommonNameForSAN: no
-    key_usage:
-    - cRLSign
-    - digitalSignature
-    - keyCertSign
-    key_usage_critical: yes
-    basic_constraints:
-    - 'CA:TRUE'
-    - 'pathlen:0'
-    basic_constraints_critical: yes
-
-- name: create self-signed CA certificate
-  openssl_certificate:
-    path: /etc/ssl/prometheus/ca-crt.pem
-    csr_path: /etc/ssl/prometheus/ca/csr.pem
-    privatekey_path: /etc/ssl/prometheus/ca/key.pem
-    provider: selfsigned
-    selfsigned_digest: sha256
-    selfsigned_not_after: "+18250d" ## 50 years
-
-
-- name: create server private key to connect to exporter
+- name: create private key to connect to exporter
   openssl_privatekey:
     path: /etc/ssl/prometheus/server/exporter-key.pem
     type: RSA
@@ -68,8 +25,9 @@
     owner: prometheus
     group: prometheus
     mode: 0400
+  notify: reload prometheus
 
-- name: create signing request for server certificate to connect to exporter
+- name: create signing request for client certificate to connect to exporter
   openssl_csr:
     path: /etc/ssl/prometheus/server/exporter-csr.pem
     privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem
@@ -87,7 +45,9 @@
     - 'CA:FALSE'
     basic_constraints_critical: yes
 
-- name: create server certificate to connect to exporter
+## TODO: implement remote signing?
+
+- name: create client certificate to connect to exporter
   openssl_certificate:
     path: /etc/ssl/prometheus/server/exporter-crt.pem
     csr_path: /etc/ssl/prometheus/server/exporter-csr.pem
@@ -96,3 +56,6 @@
     ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
     ownca_digest: sha256
     ownca_not_after: "+18250d" ## 50 years
+  notify: reload prometheus
+
+## TODO: install /etc/ssl/prometheus/ca-crt.pem from server
author	Christian Pointner <equinox@spreadspace.org>	2021-06-06 14:57:25 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2021-06-20 01:44:16 +0200
commit	8ab24a10ac669ade61761d37e68207b402bc277c (patch)
tree	61572076d0789086f38c72cd0f33eaa2a985e4a7 /roles/monitoring
parent	prometheus: fix blackbox exporter icmp probes (diff)