# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# pki-root-ca/tasks/main.yml
# If the next two tasks fail, the `create-configdirs-become` role may need to be
# included so these directories are created using become.
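# Top-level PKI and credentials directories, owned by and private to the
# deploying user. The mode is quoted so every YAML parser hands Ansible the
# literal octal string (an unquoted 0700 is octal only under YAML 1.1 rules;
# a YAML 1.2 parser would read it as decimal 700).
- name: Create PKI and credentials directories
  file:
    dest: "{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0700"
  with_items:
    - "{{ credentials_dir }}"
    - "{{ pki_dir }}"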
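# Root CA working directory. World-readable (0755) is acceptable here: only the
# private/ subdirectory created below holds key material. Mode quoted to avoid
# YAML octal/decimal ambiguity across parser versions.
- name: Create root CA directory
  file:
    dest: "{{ pki_dir }}/root_ca"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"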
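# Render the CA configuration once. force: false keeps an existing openssl.cnf
# rather than overwriting it on every run, so the config stays aligned with
# certificates already issued from it. Canonical boolean used instead of `no`
# (which is a YAML 1.1-only truthy spelling).
- name: Create root CA openssl.cnf from template
  template:
    src: openssl_root.cnf.j2
    dest: "{{ pki_dir }}/root_ca/openssl.cnf"
    force: false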
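# Public-side CA database directories (issued certs, CRLs, newly issued
# certs). These hold no secrets, so 0755 is appropriate; the mode is quoted to
# avoid YAML octal/decimal ambiguity.
- name: Create subdirs for root CA
  file:
    dest: "{{ pki_dir }}/root_ca/{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0755"
  with_items:
    - certs
    - crl
    - newcerts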
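# Directory for the CA private key and its passphrase file. Owner-only (0700)
# so the contents are unreadable to other users even before the per-file
# modes below are applied. Mode quoted to avoid YAML octal/decimal ambiguity.
- name: Create private CA directory
  file:
    dest: "{{ pki_dir }}/root_ca/private"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0700"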
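# Seed the CA serial counter. force: false leaves an existing serial file
# untouched, otherwise re-running the role would reset the counter and risk
# reusing serial numbers. Owner and mode added to match the index.txt task;
# this is a plain data file, so no execute bits.
- name: Create serial file
  copy:
    dest: "{{ pki_dir }}/root_ca/serial"
    content: "1000"
    force: false
    owner: "{{ ansible_user_id }}"
    mode: "0644"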
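# Create the (initially empty) CA database index. force: false preserves an
# existing index, which is the record of every certificate this CA has issued.
# This is a plain data file read by openssl, so it gets 0644 rather than 0755:
# the execute bits served no purpose. Mode quoted to avoid YAML octal/decimal
# ambiguity.
- name: Create empty index file if it doesn't exist
  copy:
    dest: "{{ pki_dir }}/root_ca/index.txt"
    content: ""
    force: false
    owner: "{{ ansible_user_id }}"
    mode: "0644"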
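# Persist the CA key passphrase so later openssl invocations can read it with
# -passin/-passout file: instead of receiving it on the command line. Owner
# read-only (0400) inside the 0700 private/ directory. no_log keeps the
# rendered content out of task output: with verbose or --diff runs the copy
# module would otherwise print the passphrase.
- name: Save root passphrase to root_ca/private/ca_root_phrase
  copy:
    dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
    content: "{{ ca_root_phrase }}"
    owner: "{{ ansible_user_id }}"
    mode: "0400"
  no_log: true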
# Generate the root CA private key, AES-256 encrypted with the passphrase read
# from the ca_root_phrase file (the secret never appears in the process
# argument list). `creates` makes the task idempotent: once the key file
# exists the command is skipped, so the key is never silently regenerated.
- name: Generate root key
  command: >-
    openssl genrsa -aes256
    -out {{ pki_dir }}/root_ca/private/ca_key.pem
    -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    {{ ca_size }}
  args:
    creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"
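# Tighten the key file after generation: the command module cannot set a mode,
# so whatever permissions openssl applied are narrowed to owner read-only here.
# The parent private/ directory is already 0700, which contains the file in
# the interval between the two tasks. Mode quoted to avoid YAML octal/decimal
# ambiguity.
- name: Set permissions on root key
  file:
    dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
    owner: "{{ ansible_user_id }}"
    mode: "0400"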
# Self-sign the root certificate from the key above. The passphrase is again
# read from the file rather than passed as an argument. This uses the command
# module (no shell), so the templated -subj value is split with shlex rules
# and is not subject to shell interpretation. `creates` skips the task once
# the certificate exists, preventing an accidental re-issue of the root.
- name: Create root certificate
  command: >-
    openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
    -key {{ pki_dir }}/root_ca/private/ca_key.pem
    -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
    -new -x509 -days {{ ca_root_days }}
    -sha256 -extensions v3_ca
    -subj "{{ ca_root_subj }}"
    -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
  args:
    creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"