summaryrefslogtreecommitdiff
path: root/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/monitoring/prometheus/exporter/base/tasks/tls.yml')
-rw-r--r--roles/monitoring/prometheus/exporter/base/tasks/tls.yml100
1 files changed, 100 insertions, 0 deletions
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
new file mode 100644
index 00000000..e34025e4
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
@@ -0,0 +1,100 @@
+---
+- name: install python-cryptoraphy
+ apt:
+ name: "{{ python_basename }}-cryptography"
+ state: present
+
+- name: create base directory
+ file:
+ path: /etc/ssl/prometheus
+ state: directory
+
+- name: create exporter cert/key directory
+ file:
+ path: /etc/ssl/prometheus/exporter
+ state: directory
+ owner: root
+ group: prometheus-exporter
+ mode: 0750
+
+- name: create exporter private key
+ openssl_privatekey:
+ path: /etc/ssl/prometheus/exporter/key.pem
+ type: RSA
+ size: 4096
+ owner: prometheus-exporter
+ group: prometheus-exporter
+ mode: 0400
+ notify: restart prometheus-exporter-exporter
+
+- name: create signing request for exporter certificate
+ openssl_csr:
+ path: /etc/ssl/prometheus/exporter/csr.pem
+ privatekey_path: /etc/ssl/prometheus/exporter/key.pem
+ CN: "{{ inventory_hostname }}"
+ subject_alt_name:
+ - "DNS:{{ host_name }}.{{ host_domain }}"
+ - "IP:{{ ansible_default_ipv4.address }}"
+ key_usage:
+ - digitalSignature
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+
+- name: slurp CSR
+ slurp:
+ src: /etc/ssl/prometheus/exporter/csr.pem
+ register: prometheus_exporter_server_csr
+
+- name: check if exporter certificate exists
+ stat:
+ path: /etc/ssl/prometheus/exporter/crt.pem
+ register: prometheus_exporter_server_cert
+
+- name: read exporter client certificate validity
+ when: prometheus_exporter_server_cert.stat.exists
+ openssl_certificate_info:
+ path: /etc/ssl/prometheus/exporter/crt.pem
+ valid_at:
+ ten_years: '+3650d'
+ register: prometheus_exporter_server_cert_info
+
+- name: slurp existing exporter certificate
+ when: prometheus_exporter_server_cert.stat.exists
+ slurp:
+ src: /etc/ssl/prometheus/exporter/crt.pem
+ register: prometheus_exporter_server_cert_current
+
+- name: generate exporter certificate
+ delegate_to: "{{ prometheus_server }}"
+ community.crypto.x509_certificate_pipe:
+ content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}"
+ csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
+ provider: ownca
+ ownca_path: /etc/ssl/prometheus/ca-crt.pem
+ ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}"
+ register: prometheus_exporter_server_cert
+
+- name: store exporter certificate
+ copy:
+ content: "{{ prometheus_exporter_server_cert.certificate }}"
+ dest: /etc/ssl/prometheus/exporter/crt.pem
+ notify: restart prometheus-exporter-exporter
+
+- name: slurp CA certificate
+ delegate_to: "{{ prometheus_server }}"
+ slurp:
+ src: /etc/ssl/prometheus/ca-crt.pem
+ register: prometheus_exporter_ca_certificate
+
+- name: install CA certificate
+ copy:
+ content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}"
+ dest: /etc/ssl/prometheus/ca-crt.pem
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-30 04:11:38 +0000