roles/ssh-pki/tasks/main.yml - platform-install - Gitiles


 # Copyright 2017-present Open Networking Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.


 ---
 # ssh-pki/tasks/main.yml

 # if this step fails, may need to include `create-configdir-become` role to
 # create directories using become.
 - name: Create SSH CA Directory
   file:
     dest: "{{ item }}"
     state: directory
     owner: "{{ ansible_user_id }}"
     mode: 0700
   with_items:
     - "{{ ssh_pki_dir }}"
     - "{{ ssh_pki_dir }}/ca"
     - "{{ ssh_pki_dir }}/client_certs"
     - "{{ ssh_pki_dir }}/host_certs"

 - name: Generate SSH CA Cert
   command: >
     ssh-keygen
       -q -N "{{ ssh_ca_phrase }}"
       -t {{ ssh_keytype }}
       -b {{ ssh_keysize }}
       -C "CORD SSH CA"
       -f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
   args:
     creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub"

 - name: Generate SSH Client Certs
   command: >
     ssh-keygen
       -q -N ""
       -t {{ item.keytype | default(ssh_keytype) }}
       -b {{ item.keysize | default(ssh_keysize) }}
       -C "CORD SSH client key for {{ item.name }}"
       -f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey
   args:
     creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub"
   with_items: "{{ ssh_client_genkeys }}"
   register: client_ssh_key_generated

 - name: Sign SSH Client Certs with SSH CA
   command: >
     ssh-keygen
       -q -P "{{ ssh_ca_phrase }}"
       -I "{{ item.name }}"
       -n "{{ item.name }}"
       -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
       {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub
   args:
     creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub"
   with_items: "{{ ssh_client_genkeys }}"

 - name: Generate SSH Host Certs
   command: >
     ssh-keygen
       -q -N ""
       -t {{ item.keytype | default(ssh_keytype) }}
       -b {{ item.keysize | default(ssh_keysize) }}
       -C "CORD SSH host key for {{ item.name }}"
       -f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey
   args:
     creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub"
   with_items: "{{ ssh_host_genkeys }}"
   register: host_ssh_keys_generated

 - name: Generate SSH Host Certs
   command: >
     ssh-keygen
       -q -P "{{ ssh_ca_phrase }}" -h
       -I "{{ item.name }}"
       -n "{{ item.name }},{{ item.name }}.{{ site_suffix }}"
       -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
       {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub
   args:
     creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub"
   with_items: "{{ ssh_host_genkeys }}"

	# Copyright 2017-present Open Networking Foundation
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.


	---
	# ssh-pki/tasks/main.yml

	# if this step fails, may need to include `create-configdir-become` role to
	# create directories using become.
	- name: Create SSH CA Directory
	file:
	dest: "{{ item }}"
	state: directory
	owner: "{{ ansible_user_id }}"
	mode: 0700
	with_items:
	- "{{ ssh_pki_dir }}"
	- "{{ ssh_pki_dir }}/ca"
	- "{{ ssh_pki_dir }}/client_certs"
	- "{{ ssh_pki_dir }}/host_certs"

	- name: Generate SSH CA Cert
	command: >
	ssh-keygen
	-q -N "{{ ssh_ca_phrase }}"
	-t {{ ssh_keytype }}
	-b {{ ssh_keysize }}
	-C "CORD SSH CA"
	-f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
	args:
	creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub"

	- name: Generate SSH Client Certs
	command: >
	ssh-keygen
	-q -N ""
	-t {{ item.keytype \| default(ssh_keytype) }}
	-b {{ item.keysize \| default(ssh_keysize) }}
	-C "CORD SSH client key for {{ item.name }}"
	-f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey
	args:
	creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub"
	with_items: "{{ ssh_client_genkeys }}"
	register: client_ssh_key_generated

	- name: Sign SSH Client Certs with SSH CA
	command: >
	ssh-keygen
	-q -P "{{ ssh_ca_phrase }}"
	-I "{{ item.name }}"
	-n "{{ item.name }}"
	-s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
	{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub
	args:
	creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub"
	with_items: "{{ ssh_client_genkeys }}"

	- name: Generate SSH Host Certs
	command: >
	ssh-keygen
	-q -N ""
	-t {{ item.keytype \| default(ssh_keytype) }}
	-b {{ item.keysize \| default(ssh_keysize) }}
	-C "CORD SSH host key for {{ item.name }}"
	-f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey
	args:
	creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub"
	with_items: "{{ ssh_host_genkeys }}"
	register: host_ssh_keys_generated

	- name: Generate SSH Host Certs
	command: >
	ssh-keygen
	-q -P "{{ ssh_ca_phrase }}" -h
	-I "{{ item.name }}"
	-n "{{ item.name }},{{ item.name }}.{{ site_suffix }}"
	-s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
	{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub
	args:
	creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub"
	with_items: "{{ ssh_host_genkeys }}"