certs.yml
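# Presence check for the shared CA material on this node. The CA is only
# pulled from S3 when ca.pem is absent, so re-runs leave an existing CA alone.
- name: check ca exists
  stat:
    path: /opt/nifi-certificates/ca/ca.pem
  register: ca_cert

# Fetch the CA certificate and its private key from S3 as the nifi user.
# retries/until keep polling (900 x 2 s, roughly 30 min) until both objects can
# be read, which presumably tolerates the CA being published by another host
# after this play has started.
# NOTE(review): ca.key is the CA's private key; every node running this task
# keeps a copy, so compromising any one node compromises the CA. No mode is
# set here, so the fetched files keep whatever the nifi user's umask yields.
- name: get ca from s3
  aws_s3:
    region: "{{ aws_region }}"
    mode: get
    bucket: "{{ s3_bucket }}"
    object: "nifi/certificates/ca/{{ item }}"
    dest: "/opt/nifi-certificates/ca/{{ item }}"
  loop:
    - ca.pem
    - ca.key
  retries: 900
  delay: 2
  register: ca_from_s3
  until: ca_from_s3 is not failed
  become_user: nifi
  when:
    - not ca_cert.stat.exists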
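# Presence check for the admin identity; the keystore is the marker file.
- name: check admin exists
  stat:
    path: /opt/nifi-certificates/admin/keystore.p12
  register: admin_cert

# Fetch the admin keystore, private key and certificate from S3 as the nifi
# user, polling up to 900 x 2 s until all three objects are readable.
# NOTE(review): private_key.key and keystore.p12 are secret material and land
# with umask-derived permissions; no mode is set on the downloaded files.
- name: get admin from s3
  aws_s3:
    region: "{{ aws_region }}"
    mode: get
    bucket: "{{ s3_bucket }}"
    object: "nifi/certificates/admin/{{ item }}"
    dest: "/opt/nifi-certificates/admin/{{ item }}"
  loop:
    - keystore.p12
    - private_key.key
    - admin_cert.pem
  retries: 900
  delay: 2
  register: admin_from_s3
  until: admin_from_s3 is not failed
  become_user: nifi
  when:
    - not admin_cert.stat.exists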
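# Render the NiFi CLI properties file for the admin identity into the admin
# certificate directory, readable by the nifi user and group only.
# The octal mode is quoted so YAML 1.1 parsers cannot read it as an integer.
# NOTE(review): cli.properties is likely to carry keystore/truststore
# passwords - confirm against the template before loosening the mode.
- name: admin cli.properties template
  template:
    src: cli.properties
    dest: /opt/nifi-certificates/admin/cli.properties
    owner: nifi
    group: nifi
    mode: "0640"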
# Presence check for this node's PKCS12 keystore. Every node-certificate task
# below is gated on the result, so an existing keystore is never regenerated.
- name: check node keystore exists
  stat:
    path: "/opt/nifi-certificates/{{ ansible_nodename }}/node.p12"
  register: node_cert
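# Create the node's RSA private key, encrypted with nifi_secret, owned by nifi.
# NOTE(review): nifi_secret is reused for the CA key, the node key, the PKCS12
# export and the truststore in this file - a single secret protects everything.
- name: generate node private key when no keystore
  community.crypto.openssl_privatekey:
    path: /opt/nifi-certificates/{{ ansible_nodename }}/node.key
    owner: nifi
    group: nifi
    type: RSA
    cipher: auto
    passphrase: "{{ nifi_secret }}"
    select_crypto_backend: cryptography
  when: not node_cert.stat.exists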
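# Derive the PEM public key from node.key. Note that node.pem is later
# overwritten by the signed certificate task, which writes to the same path.
- name: generate node public key when no keystore
  community.crypto.openssl_publickey:
    path: /opt/nifi-certificates/{{ ansible_nodename }}/node.pem
    owner: nifi
    group: nifi
    format: PEM
    privatekey_path: /opt/nifi-certificates/{{ ansible_nodename }}/node.key
    privatekey_passphrase: "{{ nifi_secret }}"
    select_crypto_backend: cryptography
  when: not node_cert.stat.exists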
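# Build the CSR for this node: CN is the node name, with SANs for both the
# load balancer DNS name and the node itself so one certificate serves direct
# and LB traffic. serverAuth plus clientAuth lets the same certificate be
# used for the node's listener and for cluster peer authentication.
- name: generate node csr when no keystore
  community.crypto.openssl_csr:
    path: /opt/nifi-certificates/{{ ansible_nodename }}/node.csr
    owner: nifi
    group: nifi
    privatekey_path: /opt/nifi-certificates/{{ ansible_nodename }}/node.key
    privatekey_passphrase: "{{ nifi_secret }}"
    common_name: "{{ ansible_nodename }}"
    subject_alt_name: "DNS:{{ lb_dns }},DNS:{{ ansible_nodename }}"
    select_crypto_backend: cryptography
    key_usage:
      - digitalSignature
      - nonRepudiation
      - keyEncipherment
      - dataEncipherment
      - keyAgreement
    extended_key_usage:
      - serverAuth
      - clientAuth
  when: not node_cert.stat.exists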
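# Sign the CSR locally with the CA fetched earlier (provider ownca), writing
# the certificate over node.pem. No validity period is set here, so the
# module's default applies - confirm that matches the intended rotation.
- name: generate node certificate when no keystore
  community.crypto.x509_certificate:
    path: /opt/nifi-certificates/{{ ansible_nodename }}/node.pem
    owner: nifi
    group: nifi
    csr_path: /opt/nifi-certificates/{{ ansible_nodename }}/node.csr
    ownca_path: /opt/nifi-certificates/ca/ca.pem
    ownca_privatekey_path: /opt/nifi-certificates/ca/ca.key
    ownca_privatekey_passphrase: "{{ nifi_secret }}"
    provider: ownca
    select_crypto_backend: cryptography
  when: not node_cert.stat.exists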
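# Bundle the node key and signed certificate into the PKCS12 keystore NiFi
# loads; the same nifi_secret unlocks both the key and the store.
- name: generate node pkcs12 keystore when no keystore
  community.crypto.openssl_pkcs12:
    action: export
    path: /opt/nifi-certificates/{{ ansible_nodename }}/node.p12
    owner: nifi
    group: nifi
    friendly_name: "{{ ansible_nodename }}"
    privatekey_path: /opt/nifi-certificates/{{ ansible_nodename }}/node.key
    privatekey_passphrase: "{{ nifi_secret }}"
    certificate_path: /opt/nifi-certificates/{{ ansible_nodename }}/node.pem
    passphrase: "{{ nifi_secret }}"
  when: not node_cert.stat.exists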
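# Bootstrap an empty JKS truststore: keytool cannot create an empty store
# directly, so a throwaway key pair is generated and deleted again.
# The store password is handed to keytool through the environment
# (-storepass:env / -keypass:env) instead of on the command line, so it does
# not appear in process listings, and no_log keeps the rendered command and
# its output out of Ansible logs. As before, the second keytool call runs
# even if the first fails; the task result is the exit code of the last one.
- name: create empty truststore when no keystore
  shell: |
    keytool -genkeypair -alias none -storepass:env NIFI_TRUSTSTORE_PASS -keypass:env NIFI_TRUSTSTORE_PASS -keystore /opt/nifi-certificates/ca/trust.jks -dname "CN=none"
    keytool -delete -alias none -storepass:env NIFI_TRUSTSTORE_PASS -keystore /opt/nifi-certificates/ca/trust.jks
  environment:
    NIFI_TRUSTSTORE_PASS: "{{ nifi_secret }}"
  become_user: nifi
  no_log: true
  when: not node_cert.stat.exists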
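# Import the CA certificate into the freshly created truststore under a fixed
# alias. trust_cacert marks it as a trusted CA entry rather than a key entry.
- name: add ca to jks truststore when no keystore
  community.general.java_cert:
    cert_alias: "NIFICA"
    cert_path: /opt/nifi-certificates/ca/ca.pem
    keystore_path: /opt/nifi-certificates/ca/trust.jks
    keystore_pass: "{{ nifi_secret }}"
    trust_cacert: true
  when: not node_cert.stat.exists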