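---
# Provision a TLS server key and certificate for the Prometheus exporter on
# this host. The CSR is generated locally; signing is delegated to
# prometheus_server, which holds the CA key and never needs the exporter key.
- name: install python-cryptography
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  file:
    path: /etc/ssl/prometheus
    state: directory

- name: create exporter cert/key directory
  file:
    path: /etc/ssl/prometheus/exporter
    state: directory
    owner: root
    group: prometheus-exporter
    # quoted: a bare 0750 is read as an octal integer by YAML 1.1 parsers
    mode: "0750"

- name: create exporter private key
  community.crypto.openssl_privatekey:
    path: /etc/ssl/prometheus/exporter/key.pem
    type: RSA
    size: 4096
    owner: prometheus-exporter
    group: prometheus-exporter
    mode: "0400"
  notify: reload nginx

- name: create signing request for exporter certificate
  community.crypto.openssl_csr:
    path: /etc/ssl/prometheus/exporter/csr.pem
    privatekey_path: /etc/ssl/prometheus/exporter/key.pem
    CN: "{{ inventory_hostname }}"
    subject_alt_name:
      - "DNS:{{ host_name }}.{{ host_domain }}"
      # the server scrapes itself over loopback; every other host is scraped
      # on its default IPv4 address (requires gathered facts)
      - "IP:{{ (inventory_hostname == prometheus_server) | ternary('127.0.0.1', ansible_default_ipv4.address) }}"
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

- name: slurp CSR
  slurp:
    src: /etc/ssl/prometheus/exporter/csr.pem
  register: prometheus_exporter_server_csr

- name: check if exporter certificate exists
  stat:
    path: /etc/ssl/prometheus/exporter/crt.pem
  register: prometheus_exporter_server_cert

# Renewal trigger: the certificate is reissued once it would no longer be
# valid ten years from now (see the force: expression below).
- name: read exporter client certificate validity
  when: prometheus_exporter_server_cert.stat.exists
  community.crypto.x509_certificate_info:
    path: /etc/ssl/prometheus/exporter/crt.pem
    valid_at:
      ten_years: '+3650d'
  register: prometheus_exporter_server_cert_info

- name: slurp existing exporter certificate
  when: prometheus_exporter_server_cert.stat.exists
  slurp:
    src: /etc/ssl/prometheus/exporter/crt.pem
  register: prometheus_exporter_server_cert_current

# Signing runs on prometheus_server. Only the CSR and the current certificate
# (if any) leave this host; the resulting certificate comes back in the task
# result and is written to disk by the next task.
- name: generate exporter certificate
  delegate_to: "{{ prometheus_server }}"
  community.crypto.x509_certificate_pipe:
    content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}"
    csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
    provider: ownca
    ownca_path: /etc/ssl/prometheus/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d"  # 50 years
    # When no certificate exists yet the info task was skipped and
    # prometheus_exporter_server_cert_info.valid_at is undefined; the
    # short-circuiting "and" keeps that branch from being evaluated.
    force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}"
  # NOTE: this re-registers prometheus_exporter_server_cert; from here on it
  # holds the pipe result (.certificate), no longer the stat result.
  register: prometheus_exporter_server_cert

- name: store exporter certificate
  copy:
    content: "{{ prometheus_exporter_server_cert.certificate }}"
    dest: /etc/ssl/prometheus/exporter/crt.pem
  notify: reload nginx

- name: slurp CA certificate
  delegate_to: "{{ prometheus_server }}"
  slurp:
    src: /etc/ssl/prometheus/ca-crt.pem
  register: prometheus_exporter_ca_certificate

- name: install CA certificate
  copy:
    content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}"
    dest: /etc/ssl/prometheus/ca-crt.pem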