summaryrefslogtreecommitdiffstats
path: root/roles/etcd_ca
diff options
context:
space:
mode:
Diffstat (limited to 'roles/etcd_ca')
-rw-r--r--roles/etcd_ca/README.md34
-rw-r--r--roles/etcd_ca/meta/main.yml16
-rw-r--r--roles/etcd_ca/tasks/main.yml44
-rw-r--r--roles/etcd_ca/templates/openssl_append.j251
-rw-r--r--roles/etcd_ca/vars/main.yml3
5 files changed, 148 insertions, 0 deletions
diff --git a/roles/etcd_ca/README.md b/roles/etcd_ca/README.md
new file mode 100644
index 000000000..60a880e30
--- /dev/null
+++ b/roles/etcd_ca/README.md
@@ -0,0 +1,34 @@
+etcd_ca
+========================
+
+TODO
+
+Requirements
+------------
+
+TODO
+
+Role Variables
+--------------
+
+TODO
+
+Dependencies
+------------
+
+TODO
+
+Example Playbook
+----------------
+
+TODO
+
+License
+-------
+
+Apache License Version 2.0
+
+Author Information
+------------------
+
+Scott Dodson (sdodson@redhat.com)
diff --git a/roles/etcd_ca/meta/main.yml b/roles/etcd_ca/meta/main.yml
new file mode 100644
index 000000000..ce909b992
--- /dev/null
+++ b/roles/etcd_ca/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Jason DeTiberus
+ description:
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.9
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml
new file mode 100644
index 000000000..ab151fe5b
--- /dev/null
+++ b/roles/etcd_ca/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- file:
+ path: "{{ etcd_ca_dir }}/{{ item }}"
+ state: directory
+ mode: 0700
+ owner: root
+ group: root
+ with_items:
+ - certs
+ - crl
+ - fragments
+
+- command: cp /etc/pki/tls/openssl.cnf ./
+ args:
+ chdir: "{{ etcd_ca_dir }}/fragments"
+ creates: "{{ etcd_ca_dir }}/fragments/openssl.cnf"
+
+- template:
+ dest: "{{ etcd_ca_dir }}/fragments/openssl_append.cnf"
+ src: openssl_append.j2
+
+- assemble:
+ src: "{{ etcd_ca_dir }}/fragments"
+ dest: "{{ etcd_ca_dir }}/openssl.cnf"
+
+- command: touch index.txt
+ args:
+ chdir: "{{ etcd_ca_dir }}"
+ creates: "{{ etcd_ca_dir }}/index.txt"
+
+- copy:
+ dest: "{{ etcd_ca_dir }}/serial"
+ content: "01"
+ force: no
+
+- command: >
+ openssl req -config openssl.cnf -newkey rsa:4096
+ -keyout ca.key -new -out ca.crt -x509 -extensions etcd_v3_ca_self
+ -batch -nodes -subj /CN=etcd-signer@{{ ansible_date_time.epoch }}
+ args:
+ chdir: "{{ etcd_ca_dir }}"
+ creates: "{{ etcd_ca_dir }}/ca.crt"
+ environment:
+ SAN: ''
diff --git a/roles/etcd_ca/templates/openssl_append.j2 b/roles/etcd_ca/templates/openssl_append.j2
new file mode 100644
index 000000000..de2adaead
--- /dev/null
+++ b/roles/etcd_ca/templates/openssl_append.j2
@@ -0,0 +1,51 @@
+
+[ etcd_v3_req ]
+basicConstraints = critical,CA:FALSE
+keyUsage = digitalSignature,keyEncipherment
+subjectAltName = ${ENV::SAN}
+
+[ etcd_ca ]
+dir = {{ etcd_ca_dir }}
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/certs
+certificate = $dir/ca.crt
+serial = $dir/serial
+private_key = $dir/ca.key
+crl_number = $dir/crlnumber
+x509_extensions = etcd_v3_ca_client
+default_days = 365
+default_md = sha256
+preserve = no
+name_opt = ca_default
+cert_opt = ca_default
+policy = policy_anything
+unique_subject = no
+copy_extensions = copy
+
+[ etcd_v3_ca_self ]
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = critical,CA:TRUE,pathlen:0
+keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
+subjectKeyIdentifier = hash
+
+[ etcd_v3_ca_peer ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth,serverAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+
+[ etcd_v3_ca_server ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+
+[ etcd_v3_ca_client ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
diff --git a/roles/etcd_ca/vars/main.yml b/roles/etcd_ca/vars/main.yml
new file mode 100644
index 000000000..901e95027
--- /dev/null
+++ b/roles/etcd_ca/vars/main.yml
@@ -0,0 +1,3 @@
+---
+etcd_conf_dir: /etc/etcd
+etcd_ca_dir: /etc/etcd/ca