diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/monitoring/prometheus/ca/tasks/main.yml | 52 | ||||
-rw-r--r-- | roles/monitoring/prometheus/server/tasks/tls.yml | 47 |
2 files changed, 43 insertions, 56 deletions
diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml deleted file mode 100644 index 064cb6e8..00000000 --- a/roles/monitoring/prometheus/ca/tasks/main.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -- name: install python-cryptoraphy - apt: - name: "{{ python_basename }}-cryptography" - state: present - -- name: create base directory - file: - path: /etc/ssl/prometheus - state: directory - -- name: create CA directory - file: - path: /etc/ssl/prometheus/ca - state: directory - owner: root - group: root - mode: 0700 - -- name: create CA private key - openssl_privatekey: - path: /etc/ssl/prometheus/ca/key.pem - type: RSA - size: 4096 - owner: root - group: root - mode: 0600 - -- name: create signing request for CA certificate - openssl_csr: - path: /etc/ssl/prometheus/ca/csr.pem - privatekey_path: /etc/ssl/prometheus/ca/key.pem - CN: "CA for prometheus zone {{ prometheus_zone_name }}" - useCommonNameForSAN: no - key_usage: - - cRLSign - - keyCertSign - key_usage_critical: yes - basic_constraints: - - 'CA:TRUE' - - 'pathlen:0' - basic_constraints_critical: yes - -- name: create self-signed CA certificate - openssl_certificate: - path: /etc/ssl/prometheus/ca-crt.pem - csr_path: /etc/ssl/prometheus/ca/csr.pem - privatekey_path: /etc/ssl/prometheus/ca/key.pem - provider: selfsigned - selfsigned_digest: sha256 - selfsigned_not_after: "+18250d" ## 50 years - selfsigned_create_subject_key_identifier: always_create diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml index 940c69b1..45990f9a 100644 --- a/roles/monitoring/prometheus/server/tasks/tls.yml +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -9,6 +9,49 @@ path: /etc/ssl/prometheus state: directory +- name: create CA directory + file: + path: /etc/ssl/prometheus/ca + state: directory + owner: root + group: root + mode: 0700 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/prometheus/ca/key.pem + type: RSA + size: 4096 + owner: root + group: root + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + CN: "CA for prometheus zone {{ prometheus_zone_name }}" + useCommonNameForSAN: no + key_usage: + - cRLSign + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/prometheus/ca-crt.pem + csr_path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + selfsigned_create_subject_key_identifier: always_create + + - name: create server cert/key directory file: path: /etc/ssl/prometheus/server @@ -45,8 +88,6 @@ - 'CA:FALSE' basic_constraints_critical: yes -## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host - - name: check if scrape-client certificate exists stat: path: /etc/ssl/prometheus/server/scrape-crt.pem @@ -60,8 +101,6 @@ ten_years: '+3650d' register: prometheus_server_scrape_client_cert_info -## TODO: implement remote signing? - - name: create scrape-client certificate openssl_certificate: path: /etc/ssl/prometheus/server/scrape-crt.pem |