blob: 45990f9a059e46739c4b3f8e0c7aac72602c90a1 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
---
- name: install python-cryptoraphy
apt:
name: "{{ python_basename }}-cryptography"
state: present
- name: create base directory
file:
path: /etc/ssl/prometheus
state: directory
- name: create CA directory
file:
path: /etc/ssl/prometheus/ca
state: directory
owner: root
group: root
mode: 0700
- name: create CA private key
openssl_privatekey:
path: /etc/ssl/prometheus/ca/key.pem
type: RSA
size: 4096
owner: root
group: root
mode: 0600
- name: create signing request for CA certificate
openssl_csr:
path: /etc/ssl/prometheus/ca/csr.pem
privatekey_path: /etc/ssl/prometheus/ca/key.pem
CN: "CA for prometheus zone {{ prometheus_zone_name }}"
useCommonNameForSAN: no
key_usage:
- cRLSign
- keyCertSign
key_usage_critical: yes
basic_constraints:
- 'CA:TRUE'
- 'pathlen:0'
basic_constraints_critical: yes
- name: create self-signed CA certificate
openssl_certificate:
path: /etc/ssl/prometheus/ca-crt.pem
csr_path: /etc/ssl/prometheus/ca/csr.pem
privatekey_path: /etc/ssl/prometheus/ca/key.pem
provider: selfsigned
selfsigned_digest: sha256
selfsigned_not_after: "+18250d" ## 50 years
selfsigned_create_subject_key_identifier: always_create
- name: create server cert/key directory
file:
path: /etc/ssl/prometheus/server
state: directory
owner: root
group: prometheus
mode: 0750
- name: create private key for scrape-client certificate
openssl_privatekey:
path: /etc/ssl/prometheus/server/scrape-key.pem
type: RSA
size: 4096
owner: prometheus
group: prometheus
mode: 0400
notify: reload prometheus
- name: create signing request for scrape-client certificate
openssl_csr:
path: /etc/ssl/prometheus/server/scrape-csr.pem
privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem
CN: "{{ inventory_hostname }}"
subject_alt_name:
- "DNS:{{ host_name }}.{{ host_domain }}"
- "IP:{{ ansible_default_ipv4.address }}"
key_usage:
- digitalSignature
key_usage_critical: yes
extended_key_usage:
- clientAuth
extended_key_usage_critical: yes
basic_constraints:
- 'CA:FALSE'
basic_constraints_critical: yes
- name: check if scrape-client certificate exists
stat:
path: /etc/ssl/prometheus/server/scrape-crt.pem
register: prometheus_server_scrape_client_cert
- name: check scrape-client certificate validity
when: prometheus_server_scrape_client_cert.stat.exists
openssl_certificate_info:
path: /etc/ssl/prometheus/server/scrape-crt.pem
valid_at:
ten_years: '+3650d'
register: prometheus_server_scrape_client_cert_info
- name: create scrape-client certificate
openssl_certificate:
path: /etc/ssl/prometheus/server/scrape-crt.pem
csr_path: /etc/ssl/prometheus/server/scrape-csr.pem
provider: ownca
ownca_path: /etc/ssl/prometheus/ca-crt.pem
ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
ownca_digest: sha256
ownca_not_after: "+18250d" ## 50 years
force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}"
notify: reload prometheus
|
