From 6082a92fa86d121d3ea4256859ee4c9d412e78c0 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Thu, 10 Jun 2021 01:15:32 +0200
Subject: promethues: remote certificate signing for exporter/base

---
 roles/monitoring/prometheus/server/tasks/tls.yml | 34 +++++++++++++++++-------
 1 file changed, 24 insertions(+), 10 deletions(-)

(limited to 'roles/monitoring/prometheus/server/tasks/tls.yml')

diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml
index 5c112e12..940c69b1 100644
--- a/roles/monitoring/prometheus/server/tasks/tls.yml
+++ b/roles/monitoring/prometheus/server/tasks/tls.yml
@@ -17,9 +17,9 @@
     group: prometheus
     mode: 0750
 
-- name: create private key to connect to exporter
+- name: create private key for scrape-client certificate
   openssl_privatekey:
-    path: /etc/ssl/prometheus/server/exporter-key.pem
+    path: /etc/ssl/prometheus/server/scrape-key.pem
     type: RSA
     size: 4096
     owner: prometheus
@@ -27,10 +27,10 @@
     mode: 0400
   notify: reload prometheus
 
-- name: create signing request for client certificate to connect to exporter
+- name: create signing request for scrape-client certificate
   openssl_csr:
-    path: /etc/ssl/prometheus/server/exporter-csr.pem
-    privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem
+    path: /etc/ssl/prometheus/server/scrape-csr.pem
+    privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem
     CN: "{{ inventory_hostname }}"
     subject_alt_name:
     - "DNS:{{ host_name }}.{{ host_domain }}"
@@ -45,17 +45,31 @@
     - 'CA:FALSE'
     basic_constraints_critical: yes
 
+## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host
+
+- name: check if scrape-client certificate exists
+  stat:
+    path: /etc/ssl/prometheus/server/scrape-crt.pem
+  register: prometheus_server_scrape_client_cert
+
+- name: check scrape-client certificate validity
+  when: prometheus_server_scrape_client_cert.stat.exists
+  openssl_certificate_info:
+    path: /etc/ssl/prometheus/server/scrape-crt.pem
+    valid_at:
+      ten_years: '+3650d'
+  register: prometheus_server_scrape_client_cert_info
+
 ## TODO: implement remote signing?
 
-- name: create client certificate to connect to exporter
+- name: create scrape-client certificate
   openssl_certificate:
-    path: /etc/ssl/prometheus/server/exporter-crt.pem
-    csr_path: /etc/ssl/prometheus/server/exporter-csr.pem
+    path: /etc/ssl/prometheus/server/scrape-crt.pem
+    csr_path: /etc/ssl/prometheus/server/scrape-csr.pem
     provider: ownca
     ownca_path: /etc/ssl/prometheus/ca-crt.pem
     ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
     ownca_digest: sha256
     ownca_not_after: "+18250d" ## 50 years
+    force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}"
   notify: reload prometheus
-
-## TODO: install /etc/ssl/prometheus/ca-crt.pem from server
-- 
cgit v1.2.3