OpenStack-Ansible PKI role

This role installs a PKI infrastructure for maintaining a Root CA and creating server certificates as required to enable secure communication between components in a deployment.

To clone or view the source code for this repository, visit the role repository for pki.

Default variables

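# CA certificates to create
pki_authorities: []

# Global enable/disable of CA generation
pki_create_ca: true

# Variable name pattern to search ansible vars for other authority definitions
pki_search_authorities_pattern: "pki_authorities_"

# Example variables defining certificate authorities
# (a self-signed root, and an intermediate signed by that root)
# pki_authorities_roots:
#   - name: "SnakeRoot"
#     provider: selfsigned
#     email_address: "pki@snakeoil.com"
#     basic_constraints: "CA:TRUE"
#     cn: "Snake Oil Corp Root CA"
#     country_name: "GB"
#     state_or_province_name: "England"
#     organization_name: "Snake Oil Corporation"
#     organizational_unit_name: "IT Security"
#     key_usage:
#       - digitalSignature
#       - cRLSign
#       - keyCertSign
#     not_after: "+3650d"

# pki_authorities_intermediates:
#   - name: "SnakeRootIntermediate"
#     email_address: "pki@snakeoil.com"
#     provider: ownca
#     cn: "Snake Oil Corp Openstack Infrastructure Intermediate CA"
#     country_name: "GB"
#     state_or_province_name: "England"
#     organization_name: "Snake Oil Corporation"
#     organizational_unit_name: "IT Security"
#     key_usage:
#       - digitalSignature
#       - cRLSign
#       - keyCertSign
#     not_after: "+365d"
#     signed_by: "SnakeRoot"

# example variable of CA to install
# pki_install_ca:
#   # CA created by the PKI role
#   - name: SnakeRoot
#
#   # user provided CA copied from the deploy host (src), to the target (filename)
#   - src: /opt/my-ca/MyRoot.crt
#     filename: /etc/ssl/certs/MyRoot.crt
#
pki_install_ca: []

# Variable name pattern to search ansible vars for other CA installation definitions
pki_search_install_ca_pattern: "pki_install_ca_"

# set this to the name of a CA to regenerate, or to 'true' to regenerate all
pki_regen_ca: ''

# locations of system trust stores to install CA certs to
# (keyed by package manager of the target host)
pki_trust_store_location:
  apt: /usr/local/share/ca-certificates/
  dnf: /etc/pki/ca-trust/source/anchors/

# Server certificates to create
pki_certificates: []

# Variable name pattern to search ansible vars for other certificate definitions
pki_search_certificates_pattern: "pki_certificates_"

# Example variable defining server certificates
# pki_certificates_default:
#   - name: "SnakeWeb"
#     provider: ownca
#     cn: "www.snakeoil.com"
#     san: "DNS:www.snakeoil.com,DNS:snakeoil.com"
#   - name: "SnakeMail"
#     provider: ownca
#     cn: "imap.snakeoil.com"
#     signed_by: "SnakeRootIntermediate"

# Example variable defining a server certificate from ansible host variables
# pki_certificates_default:
#   - name: "myservice_{{ ansible_facts['hostname'] }}"
#     cn: "{{ ansible_facts['hostname'] }}"
#     provider: ownca
#     san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_facts['default_ipv4'] }}"
#     signed_by: "SnakeRootIntermediate"

# set this to the name of the certificate to regenerate, or to 'true' to regenerate all
pki_regen_cert: ''

# host where the generated PKI files are kept
pki_setup_host: localhost

# Python interpreter that will be used during cert generation
# (the playbook's own interpreter when pki_setup_host is localhost,
# otherwise the discovered interpreter of pki_setup_host)
pki_setup_host_python_interpreter: "{{ (pki_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}"

# base directory for the CA and server certificates
pki_dir: "/etc/pki"

# subdirectories to be created for holding CA certs/keys/csr
pki_ca_dirs: "{{ _pki_ca_dirs }}"

# subdirectories to be created for holding server certs/keys/csr
pki_cert_dirs: "{{ _pki_cert_dirs }}"

# certificates to install
pki_install_certificates: []

# Variable name pattern to search ansible vars for other certificate installation definitions
pki_search_install_certificates_pattern: "pki_install_certificates_"

# Example variable for installation of server certificates with optional user supplied cert override
# Paths under pki_dir are joined with a leading '/', so the default
# expands to e.g. /etc/pki/certs/certs/myservice_<hostname>.crt
# pki_install_certificates:
#     # server certificate
#   - src: "{{ user_ssl_cert | default(pki_dir ~ '/certs/certs/myservice_' ~ ansible_facts['hostname'] ~ '.crt') }}"
#     dest: "{{ myservice_ssl_cert }}"
#     owner: "root"
#     group: "root"
#     mode: "0644"
#     # private key (readable by the service account only)
#   - src: "{{ myservice_user_ssl_key | default(pki_dir ~ '/certs/keys/myservice_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
#     dest: "{{ myservice_ssl_key }}"
#     owner: "myservice"
#     group: "myservice"
#     mode: "0600"
#     # intermediate CA
#   - src: "{{ myservice_user_ssl_ca_cert | default(pki_dir ~ '/roots/SnakeRootIntermediate/certs/SnakeRootIntermediate.crt') }}"
#     dest: "{{ myservice_ssl_ca_cert }}"
#     owner: "myservice"
#     group: "myservice"
#     mode: "0644"

# method used to create the certificates
pki_method: standalone

# Handlers naming
pki_handler_ca_changed: "ca cert changed"
pki_handler_cert_changed: "cert changed"
pki_handler_cert_installed: "cert installed"

# Default permissions used on pki_setup_host
# Modes are quoted so YAML keeps the leading zero (octal) instead of
# parsing them as decimal integers. Certificates are world-readable;
# private keys and their directories are restricted to the owner.
# pki_owner: "root"
# pki_group: "root"
pki_cert_mode: "0644"
pki_cert_dir_mode: "0755"
pki_key_mode: "0600"
pki_key_dir_mode: "0700"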

Example playbook

---

# Minimal play applying the pki role to every host in the inventory.
- name: Install PKI
  hosts: all
  tasks:
    # Role name is derived from the playbook's location: the basename
    # of the parent directory of the directory holding this playbook.
    - name: Include pki role
      ansible.builtin.include_role:
        name: "{{ playbook_dir | dirname | basename }}"