From 8ab24a10ac669ade61761d37e68207b402bc277c Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 6 Jun 2021 14:57:25 +0200 Subject: prometheus: move CA to seperate role and add prometheus zone groups --- roles/monitoring/prometheus/ca/tasks/main.yml | 52 ++++++++++++++++++++++ roles/monitoring/prometheus/server/tasks/tls.yml | 55 ++++-------------------- 2 files changed, 61 insertions(+), 46 deletions(-) create mode 100644 roles/monitoring/prometheus/ca/tasks/main.yml (limited to 'roles/monitoring') diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml new file mode 100644 index 00000000..9f166321 --- /dev/null +++ b/roles/monitoring/prometheus/ca/tasks/main.yml @@ -0,0 +1,52 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/prometheus + state: directory + +- name: create CA directory + file: + path: /etc/ssl/prometheus/ca + state: directory + owner: root + group: root + mode: 0700 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/prometheus/ca/key.pem + type: RSA + size: 4096 + owner: root + group: root + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + CN: "CA for promethues zone {{ promethues_zone_name }}" + useCommonNameForSAN: no + key_usage: + - cRLSign + - digitalSignature + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/prometheus/ca-crt.pem + csr_path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml index f9ad5ca3..5c112e12 100644 --- a/roles/monitoring/prometheus/server/tasks/tls.yml +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -9,14 +9,6 @@ path: /etc/ssl/prometheus state: directory -- name: create CA directory - file: - path: /etc/ssl/prometheus/ca - state: directory - owner: root - group: root - mode: 0700 - - name: create server cert/key directory file: path: /etc/ssl/prometheus/server @@ -25,42 +17,7 @@ group: prometheus mode: 0750 -- name: create CA private key - openssl_privatekey: - path: /etc/ssl/prometheus/ca/key.pem - type: RSA - size: 4096 - owner: root - group: root - mode: 0600 - -- name: create signing request for CA certificate - openssl_csr: - path: /etc/ssl/prometheus/ca/csr.pem - privatekey_path: /etc/ssl/prometheus/ca/key.pem - CN: "prometheus CA" - useCommonNameForSAN: no - key_usage: - - cRLSign - - digitalSignature - - keyCertSign - key_usage_critical: yes - basic_constraints: - - 'CA:TRUE' - - 'pathlen:0' - basic_constraints_critical: yes - -- name: create self-signed CA certificate - openssl_certificate: - path: /etc/ssl/prometheus/ca-crt.pem - csr_path: /etc/ssl/prometheus/ca/csr.pem - privatekey_path: /etc/ssl/prometheus/ca/key.pem - provider: selfsigned - selfsigned_digest: sha256 - selfsigned_not_after: "+18250d" ## 50 years - - -- name: create server private key to connect to exporter +- name: create private key to connect to exporter openssl_privatekey: path: /etc/ssl/prometheus/server/exporter-key.pem type: RSA @@ -68,8 +25,9 @@ owner: prometheus group: prometheus mode: 0400 + notify: reload prometheus -- name: create signing request for server certificate to connect to exporter +- name: create signing request for client certificate to connect to exporter openssl_csr: path: /etc/ssl/prometheus/server/exporter-csr.pem privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem @@ -87,7 +45,9 @@ - 'CA:FALSE' basic_constraints_critical: yes -- name: create server certificate to connect to exporter +## TODO: implement remote signing? + +- name: create client certificate to connect to exporter openssl_certificate: path: /etc/ssl/prometheus/server/exporter-crt.pem csr_path: /etc/ssl/prometheus/server/exporter-csr.pem @@ -96,3 +56,6 @@ ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem ownca_digest: sha256 ownca_not_after: "+18250d" ## 50 years + notify: reload prometheus + +## TODO: install /etc/ssl/prometheus/ca-crt.pem from server -- cgit v1.2.3