---
# Client certificates are minted on etcd_ca_host, so the CA certificate
# has to be present there before anything else is attempted. One check
# (run_once) covers the whole play; the result is registered on every
# host so the guard below can read it.
- name: Ensure CA certificate exists on etcd_ca_host
  stat:
    path: "{{ etcd_ca_cert }}"
  delegate_to: "{{ etcd_ca_host }}"
  run_once: true
  register: g_ca_cert_stat_result

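# Abort early, with a pointer to the fix, instead of letting `openssl ca`
# fail later with a less helpful error. Named so the failure is easy to
# spot in play output (unnamed tasks only show the module name).
- name: Fail when the CA certificate is missing on etcd_ca_host
  fail:
    msg: >
      CA certificate {{ etcd_ca_cert }} doesn't exist on CA host
      {{ etcd_ca_host }}. Apply 'etcd_ca' action from `etcd` role to
      {{ etcd_ca_host }}.
  when: not g_ca_cert_stat_result.stat.exists | bool
  run_once: true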

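# Stat the three files a client needs on this host. The whole task is
# skipped when a redeploy is forced: in that case the certificates are
# regenerated regardless, so the result would be ignored anyway.
# (Task name typo "certificatees" fixed.)
- name: Check status of external etcd certificates
  stat:
    path: "{{ etcd_cert_config_dir }}/{{ item }}"
  with_items:
  - "{{ etcd_cert_prefix }}client.crt"
  - "{{ etcd_cert_prefix }}client.key"
  - "{{ etcd_cert_prefix }}ca.crt"
  register: g_external_etcd_cert_stat_result
  when: not etcd_certificates_redeploy | default(false) | bool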

# Decide whether this host needs (re)issued client certificates:
#   * a forced redeploy (etcd_certificates_redeploy) always means yes;
#   * otherwise yes if any of the stat'd files above is absent
#     (oo_collect pulls every `stat.exists` into a list; a single False
#     in it is enough).
# `default({})` only guards against `results` being undefined; the stat
# task is skipped exactly when the first branch is taken, so the second
# branch normally sees a populated result list.
# Every later task in this file is gated on this fact.
- set_fact:
    etcd_client_certs_missing: "{{ true if etcd_certificates_redeploy | default(false) | bool
                                   else (False in (g_external_etcd_cert_stat_result.results
                                                   | default({})
                                                   | oo_collect(attribute='stat.exists')
                                                   | list)) }}"

# Per-client working directory on the CA host; the private key, CSR and
# signed certificate are produced in here. 0700 because the key is
# written here unencrypted. The owner is not pinned — it is whatever
# account the delegated tasks run as (NOTE(review): normally root;
# confirm for this deployment).
- name: Ensure generated_certs directory present
  file:
    path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    state: directory
    mode: "0700"
  delegate_to: "{{ etcd_ca_host }}"
  when: etcd_client_certs_missing | bool

# Generate the client private key and CSR on the CA host.
#  * `-nodes`: the key is written unencrypted (it is consumed at service
#    start-up without a passphrase); it lives in the 0700 directory
#    created above.
#  * The requested SAN (IP and DNS name of this etcd host) is handed to
#    openssl through the SAN environment variable — presumably consumed
#    by the openssl config via ${ENV::SAN}; that config is not visible
#    here.
#  * `creates:` makes this a no-op once the CSR exists, so a forced
#    redeploy reuses the existing key unless the generated directory
#    has been cleared beforehand — NOTE(review): confirm the redeploy
#    play does that, otherwise "redeploy" does not rotate the key.
#  * `command` does not go through a shell, so the unquoted
#    -subj value is not subject to shell interpretation.
- name: Create the client csr
  command: >
    openssl req -new -keyout {{ etcd_cert_prefix }}client.key
    -config {{ etcd_openssl_conf }}
    -out {{ etcd_cert_prefix }}client.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ etcd_hostname }}
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}client.csr"
  environment:
    SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
  delegate_to: "{{ etcd_ca_host }}"
  when: etcd_client_certs_missing | bool

# Sign the CSR with the etcd CA. Signing is serialised across hosts
# (delegated_serial_command, a project module) because every `openssl ca`
# run updates the CA's serial/index files and concurrent runs would race
# on them.
# NOTE(review): the SAN passed here is IP-only, while the CSR above
# requested IP and DNS. If the CA section of the openssl config takes
# its subjectAltName from ${ENV::SAN} rather than from the CSR, the
# issued certificate carries only the IP SAN; confirm which is intended.
# As with the CSR, `creates:` means an existing client.crt is never
# re-signed.
- name: Sign and create the client crt
  delegated_serial_command:
    command: >
      openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
      -out {{ etcd_cert_prefix }}client.crt
      -in {{ etcd_cert_prefix }}client.csr
      -batch
    chdir: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}client.crt"
  environment:
    SAN: "IP:{{ etcd_ip }}"
  delegate_to: "{{ etcd_ca_host }}"
  when: etcd_client_certs_missing | bool

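# Put the CA certificate into the bundle under this client's prefix so
# the tarball below is self-contained. It is a hard link, not a copy:
# etcd_ca_cert therefore has to be on the same filesystem as
# etcd_generated_certs_dir (a `copy` with remote_src would lift that
# restriction). The CA certificate is public, so sharing the inode with
# the CA's own file is not a confidentiality concern.
- name: Link the CA certificate into the generated certs directory
  file:
    src: "{{ etcd_ca_cert }}"
    dest: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}/{{ etcd_cert_prefix }}ca.crt"
    state: hard
  when: etcd_client_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"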

# Private staging directory on the controller for the fetched bundle
# (mktemp -d creates it 0700). Runs as the controller user, not via
# become, so the later fetch/unarchive/delete can access it as the same
# user. Not reported as a change: it is scratch space, removed at the end
# of this file. NOTE(review): if the play fails before that cleanup, the
# directory — and the private key inside it — stays on the controller.
- name: Create local temp directory for syncing certs
  command: mktemp -d /tmp/etcd_certificates-XXXXXXX
  delegate_to: localhost
  become: false
  register: g_etcd_client_mktemp
  changed_when: false
  when: etcd_client_certs_missing | bool

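# Bundle the generated directory (key, CSR, cert, CA cert) for transfer.
# The archive is written next to — not inside — the 0700 working
# directory, and `tar` creates it with whatever the remote umask allows,
# so it is tightened to 0600 immediately afterwards: it contains the
# client private key. `creates:` means the archive is built once and
# reused by later runs. NOTE(review): the tarball is never removed from
# the CA host after the fetch; consider deleting it once it has been
# transferred.
- name: Create a tarball of the etcd certs
  command: >
    tar -czvf {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz
      -C {{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }} .
  args:
    creates: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    # Disables the following warning:
    # Consider using unarchive module rather than running tar
    warn: no
  when: etcd_client_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"

# The tarball holds the unencrypted client key; do not leave it readable
# to other local users on the CA host.
- name: Restrict permissions on the etcd cert tarball
  file:
    path: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    mode: "0600"
  when: etcd_client_certs_missing | bool
  delegate_to: "{{ etcd_ca_host }}"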

# Pull the bundle from the CA host into the controller's private temp
# directory. `flat` drops the usual hostname/path prefix so the file
# lands directly in that directory; `fail_on_missing` turns an absent
# tarball into a hard error rather than a silent skip; and
# `validate_checksum` rejects a truncated or corrupted transfer.
- name: Retrieve the etcd cert tarballs
  fetch:
    src: "{{ etcd_generated_certs_dir }}/{{ etcd_cert_subdir }}.tgz"
    dest: "{{ g_etcd_client_mktemp.stdout }}/"
    flat: true
    fail_on_missing: true
    validate_checksum: true
  delegate_to: "{{ etcd_ca_host }}"
  when: etcd_client_certs_missing | bool

# Destination directory for the client certificates on this host. No
# mode is set here on purpose: the directory may be shared with other
# files, and the individual key/cert files are locked down to 0600 by a
# later task in this file.
- name: Ensure certificate directory exists
  file:
    state: directory
    path: "{{ etcd_cert_config_dir }}"
  when: etcd_client_certs_missing | bool

# Unpack the fetched bundle on this host. The archive is pushed from the
# controller's temp directory (no remote_src) and extracted with the
# modes stored in the tarball; ownership and mode are normalised by the
# task that follows.
- name: Unarchive etcd cert tarballs
  unarchive:
    dest: "{{ etcd_cert_config_dir }}"
    src: "{{ g_etcd_client_mktemp.stdout }}/{{ etcd_cert_subdir }}.tgz"
  when: etcd_client_certs_missing | bool

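# Lock the unpacked files down to root-only, 0600. That also applies to
# the two public .crt files, which is stricter than required but
# harmless. The bundle is the whole generated directory, so
# `client.csr` lands in etcd_cert_config_dir too and is not touched by
# this task (it contains no secret). Named so the step is visible in
# play output.
- name: Set ownership and permissions on the etcd client certificates
  file:
    path: "{{ etcd_cert_config_dir }}/{{ item }}"
    owner: root
    group: root
    mode: "0600"
  with_items:
  - "{{ etcd_cert_prefix }}client.crt"
  - "{{ etcd_cert_prefix }}client.key"
  - "{{ etcd_cert_prefix }}ca.crt"
  when: etcd_client_certs_missing | bool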

# Remove the controller-side staging directory (and the key bundle in
# it). Same user as mktemp above, so no become. Only reached when the
# preceding tasks succeeded; a failure earlier in the file leaves the
# directory behind — NOTE(review): wrapping this file's tasks in a
# block with an `always:` cleanup would close that gap.
- name: Delete temporary directory
  file:
    path: "{{ g_etcd_client_mktemp.stdout }}"
    state: absent
  delegate_to: localhost
  become: false
  changed_when: false
  when: etcd_client_certs_missing | bool