OpenStack-Ansible PKI role¶
This role installs a PKI infrastructure for maintaining a Root CA and creating server certificates as required to enable secure communication between components in a deployment.
To clone or view the source code for this repository, visit the role repository for pki.
Default variables¶
# CA certificates to create
pki_authorities: []
# Global enable/disable of CA generation
pki_create_ca: true
# Variable name pattern to search ansible vars for other authority definitions
pki_search_authorities_pattern: "pki_authorities_"
# Example variables defining a certificate authorities
# pki_authorities_roots:
# - name: "SnakeRoot"
# provider: selfsigned
# email_address: "pki@snakeoil.com"
# basic_constraints: "CA:TRUE"
# cn: "Snake Oil Corp Root CA"
# country_name: "GB"
# state_or_province_name: "England"
# organization_name: "Snake Oil Corporation"
# organizational_unit_name: "IT Security"
# key_usage:
# - digitalSignature
# - cRLSign
# - keyCertSign
# not_after: "+3650d"
#pki_authorities_intermediates:
# - name: "SnakeRootIntermediate"
# email_address: "pki@snakeoil.com"
# provider: ownca
# cn: "Snake Oil Corp Openstack Infrastructure Intermediate CA"
# country_name: "GB"
# state_or_province_name: "England"
# organization_name: "Snake Oil Corporation"
# organizational_unit_name: "IT Security"
# key_usage:
# - digitalSignature
# - cRLSign
# - keyCertSign
# not_after: "+365d"
# signed_by: "SnakeRoot"
# example variable of CA to install
# pki_install_ca:
# # CA created but the PKI role
# - name: SnakeRoot
#
# # user provided CA copied from the deploy host (src), to the target (filename)
# - src: /opt/my-ca/MyRoot.crt
# filename: /etc/ssl/certs/MyRoot.crt
#
pki_install_ca: []
# Variable name pattern to search ansible vars for other certificate definitions
pki_search_install_ca_pattern: "pki_install_ca_"
# set this to the name of a CA to regenerate, or to 'true' to regenerate all
pki_regen_ca: ''
# locations of system trust stores to install CA certs to
pki_trust_store_location:
apt: /usr/local/share/ca-certificates/
dnf: /etc/pki/ca-trust/source/anchors/
# Server certificates to create
pki_certificates: []
# Variable name pattern to search ansible vars for other certificate definitions
pki_search_certificates_pattern: "pki_certificates_"
# Example variable defining a server certificate
# pki_certificates_default:
# - name: "SnakeWeb"
# provider: ownca
# cn: "www.snakeoil.com"
# san: "DNS:www.snakeoil.com,DNS:snakeoil.com"
# - name: "SnakeMail"
# signed_by: "SnakeRootIntermediate"
# provider: ownca
# cn: "imap.snakeoil.com"
# signed_by: "SnakeRootIntermediate"
# Example variable defining a server certificate from ansible host variables
# pki_certificates_default:
# - name: "myservice_{{ ansible_facts['hostname'] }}"
# cn: "{{ ansible_facts['hostname'] }}"
# provider: ownca
# san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_facts['default_ipv4'] }}"
# signed_by: "SnakeRootIntermediate"
# set this to the name of the certificate to regenerate, or to 'true' to regenerate all
pki_regen_cert: ''
# host where the generated PKI files are kept
pki_setup_host: localhost
# Python interpreter that will be used during cert generation
pki_setup_host_python_interpreter: "{{ (pki_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}"
# base directory for the CA and server certificates
pki_dir: "/etc/pki"
# subdirectories to be created for holding CA certs/keys/csr
pki_ca_dirs: "{{ _pki_ca_dirs }}"
# subdirectories to be created for holding server certs/keys/csr
pki_cert_dirs: "{{ _pki_cert_dirs }}"
# certificates to install
pki_install_certificates: []
# Variable name pattern to search ansible vars for other certificate definitions
pki_search_install_certificates_pattern: "pki_install_certificates_"
# Example variable for installation of server certificates with optional user supplied cert override
# pki_install_certificates:
# # server certificate
# - src: "{{ user_ssl_cert | default(pki_dir ~ '/certs/certs/myservice_' ~ ansible_facts['hostname'] ~ '.crt') }}"
# dest: "{{ myservice_ssl_cert }}"
# owner: "root"
# group: "root"
# mode: "0644"
# #private key
# - src: "{{ myservice_user_ssl_key | default(pki_dir ~ 'certs/keys/myservice_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
# dest: "{{ myservice_ssl_key }}"
# owner: "myservice"
# group: "myservice"
# mode: "0600"
# # intermediate CA
# - src: "{{ myservice_user_ssl_ca_cert | default(pki_dir ~ '/roots/SnakeRootIntermediate/certs/SnakeRootIntermediate.crt' }}"
# dest: "{{ myservice_ssl_ca_cert }}"
# owner: "myservice"
# group: "myservice"
# mode: "0644"
# method used to create the certificates
pki_method: standalone
# Handlers naming
pki_handler_ca_changed: "ca cert changed"
pki_handler_cert_changed: "cert changed"
pki_handler_cert_installed: "cert installed"
# Default permissions used on pki_setup_host
# pki_owner: "root"
# pki_group: "root"
pki_cert_mode: "0644"
pki_cert_dir_mode: "0755"
pki_key_mode: "0600"
pki_key_dir_mode: "0700"
Example playbook¶
---
- name: Install PKI
hosts: all
tasks:
- name: "Include pki role"
ansible.builtin.include_role:
name: "{{ playbook_dir | dirname | basename }}"