From 43ec757a4cf7bc27f2156c490db67e7c38764d1b Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 2 Jun 2021 01:50:20 +0200 Subject: prometheus: server CA and certificates --- roles/monitoring/prometheus/server/tasks/main.yml | 4 +- roles/monitoring/prometheus/server/tasks/tls.yml | 98 +++++++++++++++++++++++ 2 files changed, 100 insertions(+), 2 deletions(-) create mode 100644 roles/monitoring/prometheus/server/tasks/tls.yml (limited to 'roles/monitoring') diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 5c649f34..61660a03 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -47,8 +47,8 @@ owner: prometheus group: prometheus -## TODO: -## - create CA and certificate/key +- name: create TLS CA and certificates + import_tasks: tls.yml - name: generate configuration file template: diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml new file mode 100644 index 00000000..f9ad5ca3 --- /dev/null +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -0,0 +1,98 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/prometheus + state: directory + +- name: create CA directory + file: + path: /etc/ssl/prometheus/ca + state: directory + owner: root + group: root + mode: 0700 + +- name: create server cert/key directory + file: + path: /etc/ssl/prometheus/server + state: directory + owner: root + group: prometheus + mode: 0750 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/prometheus/ca/key.pem + type: RSA + size: 4096 + owner: root + group: root + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + CN: "prometheus CA" + useCommonNameForSAN: no + key_usage: + - cRLSign + - digitalSignature + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/prometheus/ca-crt.pem + csr_path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + + +- name: create server private key to connect to exporter + openssl_privatekey: + path: /etc/ssl/prometheus/server/exporter-key.pem + type: RSA + size: 4096 + owner: prometheus + group: prometheus + mode: 0400 + +- name: create signing request for server certificate to connect to exporter + openssl_csr: + path: /etc/ssl/prometheus/server/exporter-csr.pem + privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem + CN: "{{ inventory_hostname }}" + subject_alt_name: + - "DNS:{{ host_name }}.{{ host_domain }}" + - "IP:{{ ansible_default_ipv4.address }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - clientAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: create server certificate to connect to exporter + openssl_certificate: + path: /etc/ssl/prometheus/server/exporter-crt.pem + csr_path: /etc/ssl/prometheus/server/exporter-csr.pem + provider: ownca + ownca_path: /etc/ssl/prometheus/ca-crt.pem + ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years -- cgit v1.2.3