From 6082a92fa86d121d3ea4256859ee4c9d412e78c0 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Thu, 10 Jun 2021 01:15:32 +0200
Subject: promethues: remote certificate signing for exporter/base

---
 .../prometheus/exporter/base/tasks/tls.yml         | 49 +++++++++++++++++++---
 1 file changed, 44 insertions(+), 5 deletions(-)

(limited to 'roles/monitoring/prometheus/exporter/base')

diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
index b2731b09..72186acb 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
@@ -45,17 +45,56 @@
     - 'CA:FALSE'
     basic_constraints_critical: yes
 
-## TODO: implement remote singing using server
+- name: slurp CSR
+  slurp:
+    src: /etc/ssl/prometheus/exporter/csr.pem
+  register: prometheus_exporter_server_csr
 
-- name: create exporter certificate
-  openssl_certificate:
+- name: check if exporter certificate exists
+  stat:
     path: /etc/ssl/prometheus/exporter/crt.pem
-    csr_path: /etc/ssl/prometheus/exporter/csr.pem
+  register: prometheus_exporter_server_cert
+
+- name: read exporter client certificate issuer key id and validity
+  when: prometheus_exporter_server_cert.stat.exists
+  openssl_certificate_info:
+    path: /etc/ssl/prometheus/exporter/crt.pem
+    valid_at:
+      ten_years: '+3650d'
+  register: prometheus_exporter_server_cert_info
+
+- name: slurp existing exporter certificate
+  when: prometheus_exporter_server_cert.stat.exists
+  slurp:
+    src: /etc/ssl/prometheus/exporter/crt.pem
+  register: prometheus_exporter_server_cert_current
+
+- name: generate exporter certificate
+  delegate_to: "{{ promethues_server }}"
+  community.crypto.x509_certificate_pipe:
+    content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}"
+    csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
     provider: ownca
     ownca_path: /etc/ssl/prometheus/ca-crt.pem
     ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
     ownca_digest: sha256
     ownca_not_after: "+18250d" ## 50 years
+    force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}"
+  register: prometheus_exporter_server_cert
+
+- name: store exporter certificate
+  copy:
+    content: "{{ prometheus_exporter_server_cert.certificate }}"
+    dest: /etc/ssl/prometheus/exporter/crt.pem
   notify: restart prometheus-exporter-exporter
 
-## TODO: install /etc/ssl/prometheus/ca-crt.pem from server
+- name: slurp CA certificate
+  delegate_to: "{{ promethues_server }}"
+  slurp:
+    src: /etc/ssl/prometheus/ca-crt.pem
+  register: prometheus_exporter_ca_certificate
+
+- name: install CA certificate
+  copy:
+    content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}"
+    dest: /etc/ssl/prometheus/ca-crt.pem
-- 
cgit v1.2.3