summaryrefslogtreecommitdiff
path: root/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
blob: e34025e49947bc5fd11d2ac608fa5f34a5f3f8de (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
---
- name: install python-cryptoraphy
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  file:
    path: /etc/ssl/prometheus
    state: directory

- name: create exporter cert/key directory
  file:
    path: /etc/ssl/prometheus/exporter
    state: directory
    owner: root
    group: prometheus-exporter
    mode: 0750

- name: create exporter private key
  openssl_privatekey:
    path: /etc/ssl/prometheus/exporter/key.pem
    type: RSA
    size: 4096
    owner: prometheus-exporter
    group: prometheus-exporter
    mode: 0400
  notify: restart prometheus-exporter-exporter

- name: create signing request for exporter certificate
  openssl_csr:
    path: /etc/ssl/prometheus/exporter/csr.pem
    privatekey_path: /etc/ssl/prometheus/exporter/key.pem
    CN: "{{ inventory_hostname }}"
    subject_alt_name:
    - "DNS:{{ host_name }}.{{ host_domain }}"
    - "IP:{{ ansible_default_ipv4.address }}"
    key_usage:
    - digitalSignature
    key_usage_critical: yes
    extended_key_usage:
    - serverAuth
    extended_key_usage_critical: yes
    basic_constraints:
    - 'CA:FALSE'
    basic_constraints_critical: yes

- name: slurp CSR
  slurp:
    src: /etc/ssl/prometheus/exporter/csr.pem
  register: prometheus_exporter_server_csr

- name: check if exporter certificate exists
  stat:
    path: /etc/ssl/prometheus/exporter/crt.pem
  register: prometheus_exporter_server_cert

- name: read exporter client certificate validity
  when: prometheus_exporter_server_cert.stat.exists
  openssl_certificate_info:
    path: /etc/ssl/prometheus/exporter/crt.pem
    valid_at:
      ten_years: '+3650d'
  register: prometheus_exporter_server_cert_info

- name: slurp existing exporter certificate
  when: prometheus_exporter_server_cert.stat.exists
  slurp:
    src: /etc/ssl/prometheus/exporter/crt.pem
  register: prometheus_exporter_server_cert_current

- name: generate exporter certificate
  delegate_to: "{{ prometheus_server }}"
  community.crypto.x509_certificate_pipe:
    content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}"
    csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
    provider: ownca
    ownca_path: /etc/ssl/prometheus/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d" ## 50 years
    force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}"
  register: prometheus_exporter_server_cert

- name: store exporter certificate
  copy:
    content: "{{ prometheus_exporter_server_cert.certificate }}"
    dest: /etc/ssl/prometheus/exporter/crt.pem
  notify: restart prometheus-exporter-exporter

- name: slurp CA certificate
  delegate_to: "{{ prometheus_server }}"
  slurp:
    src: /etc/ssl/prometheus/ca-crt.pem
  register: prometheus_exporter_ca_certificate

- name: install CA certificate
  copy:
    content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}"
    dest: /etc/ssl/prometheus/ca-crt.pem