diff options
Diffstat (limited to 'roles/monitoring/prometheus/server/tasks/tls.yml')
-rw-r--r-- | roles/monitoring/prometheus/server/tasks/tls.yml | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml new file mode 100644 index 00000000..940c69b1 --- /dev/null +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -0,0 +1,75 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/prometheus + state: directory + +- name: create server cert/key directory + file: + path: /etc/ssl/prometheus/server + state: directory + owner: root + group: prometheus + mode: 0750 + +- name: create private key for scrape-client certificate + openssl_privatekey: + path: /etc/ssl/prometheus/server/scrape-key.pem + type: RSA + size: 4096 + owner: prometheus + group: prometheus + mode: 0400 + notify: reload prometheus + +- name: create signing request for scrape-client certificate + openssl_csr: + path: /etc/ssl/prometheus/server/scrape-csr.pem + privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem + CN: "{{ inventory_hostname }}" + subject_alt_name: + - "DNS:{{ host_name }}.{{ host_domain }}" + - "IP:{{ ansible_default_ipv4.address }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - clientAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host + +- name: check if scrape-client certificate exists + stat: + path: /etc/ssl/prometheus/server/scrape-crt.pem + register: prometheus_server_scrape_client_cert + +- name: check scrape-client certificate validity + when: prometheus_server_scrape_client_cert.stat.exists + openssl_certificate_info: + path: /etc/ssl/prometheus/server/scrape-crt.pem + valid_at: + ten_years: '+3650d' + register: prometheus_server_scrape_client_cert_info + +## TODO: implement remote signing? + +- name: create scrape-client certificate + openssl_certificate: + path: /etc/ssl/prometheus/server/scrape-crt.pem + csr_path: /etc/ssl/prometheus/server/scrape-csr.pem + provider: ownca + ownca_path: /etc/ssl/prometheus/ca-crt.pem + ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}" + notify: reload prometheus |