ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update LetsEncrypt Certificate process for RHV-M

Browse Source
This commit is contained in:
Patrick Toal
2021-04-20 11:13:29 -04:00
parent 69e0af808a
commit 8005080b8b
4 changed files with 61 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
collections/requirements.yml
View File

@@ -7,7 +7,8 @@ collections:
source: https://galaxy.ansible.com source: https://galaxy.ansible.com
- name: freeipa.ansible_freeipa - name: freeipa.ansible_freeipa
source: https://hub.mgmt.toal.ca/api/galaxy/content/published/ source: https://galaxy.ansible.com
# source: https://hub.mgmt.toal.ca/api/galaxy/content/published/
- name: redhat.rhv - name: redhat.rhv
source: https://cloud.redhat.com/api/automation-hub/ source: https://cloud.redhat.com/api/automation-hub/
@@ -26,3 +27,7 @@ collections:
- name: redhat.satellite - name: redhat.satellite
source: https://cloud.redhat.com/api/automation-hub/ source: https://cloud.redhat.com/api/automation-hub/
- name: community.crypto
source: https://galaxy.ansible.com

69
rhv_setup.yml
View File

@@ -1,18 +1,29 @@
--- ---
- name: Check for existing cert
hosts: rhv.mgmt.toal.ca
connection: local
tasks:
- name: Information from existing key
community.crypto.x509_certificate_info:
path: "keys/{{ acme_certificate_domains|first }}.pem"
ignore_errors: yes
register: key_info
- set_fact:
have_valid_cert: "{{ (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > ansible_date_time.epoch|int + 2592000 }}"
when:
- not key_info.failed
# Probably want to split this out into a proper certificate management role for Toal.ca # Probably want to split this out into a proper certificate management role for Toal.ca
- name: Request TLS Certificate from LetsEncrypt - name: Request TLS Certificate from LetsEncrypt
hosts: localhost hosts: rhv.mgmt.toal.ca
connection: local connection: local
gather_facts: false gather_facts: false
# This doesn't belong here # This doesn't belong here
vars: vars:
acme_email: ptoal@takeflight.ca acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
challenge: dns-01
dns_provider: dme
root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
domains:
- rhv.mgmt.toal.ca
- rhv.lan.toal.ca
pre_tasks: pre_tasks:
- name: Ensure Let's Encrypt Account Exists - name: Ensure Let's Encrypt Account Exists
@@ -25,18 +36,41 @@
- mailto:ptoal@takeflight.ca - mailto:ptoal@takeflight.ca
account_key_content: "{{ acme_key }}" account_key_content: "{{ acme_key }}"
acme_version: 2 acme_version: 2
roles:
- acme-certificate
- name: tmpfile for Account Key
tempfile:
state: file
register: acme_tmp_key
- name: Account Key to File
copy:
dest: "{{ acme_tmp_key.path }}"
content: "{{ acme_key }}"
mode: "600"
- set_fact:
acme_certificate_acme_account: "{{ acme_tmp_key.path }}"
roles:
- name: felixfontein.acme_certificate
when: not have_valid_cert
post_tasks:
- name: Remove tempfile
file:
path: "{{ acme_tmp_key.path }}"
state: absent
- name: Install custom CA Certificate in RHV-M - name: Install custom CA Certificate in RHV-M
hosts: rhv.mgmt.toal.ca hosts: rhv.mgmt.toal.ca
become: true become: true
vars:
key_files_prefix: "keys/{{ acme_certificate_domains|first }}"
tasks: tasks:
- name: Certificate trust in store - name: Certificate trust in store
copy: copy:
src: "{{ acme_rootchain_file }}" src: "{{ key_files_prefix}}-rootchain.pem"
dest: /etc/pki/ca-trust/source/anchors/ dest: /etc/pki/ca-trust/source/anchors/
register: rootchain_result register: rootchain_result
notify: restart httpd notify: restart httpd
@@ -48,21 +82,21 @@
- name: CA Rootchain in Apache config - name: CA Rootchain in Apache config
copy: copy:
src: "{{ acme_rootchain_file }}" src: "{{ key_files_prefix }}-rootchain.pem"
dest: /etc/pki/ovirt-engine/apache-ca.pem dest: /etc/pki/ovirt-engine/apache-ca.pem
backup: yes backup: yes
notify: restart httpd notify: restart httpd
- name: Private key installed - name: Private key installed
copy: copy:
src: "{{ acme_key_file }}" src: "{{ key_files_prefix }}.key"
dest: /etc/pki/ovirt-engine/keys/apache.key.nopass dest: /etc/pki/ovirt-engine/keys/apache.key.nopass
backup: yes backup: yes
notify: restart httpd notify: restart httpd
- name: Certificate installed - name: Certificate installed
copy: copy:
src: "{{ acme_cert_file }}" src: "{{ key_files_prefix }}.pem"
dest: /etc/pki/ovirt-engine/certs/apache.cer dest: /etc/pki/ovirt-engine/certs/apache.cer
backup: yes backup: yes
notify: restart httpd notify: restart httpd
@@ -114,6 +148,13 @@
# Hack to work around virtualenv python interpreter # Hack to work around virtualenv python interpreter
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"
tasks: tasks:
- name: Obtain SSO token for RHV
ovirt_auth:
url: "{{ ovirt_url }}"
username: "{{ ovirt_username }}"
insecure: true
password: "{{ ovirt_password }}"
- ovirt_network: - ovirt_network:
auth: "{{ ovirt_auth }}" auth: "{{ ovirt_auth }}"
fetch_nested: true fetch_nested: true

1
roles/acme-certificate
View File

@@ -1 +0,0 @@
../../../ansible-role-dev/acme-certificate/

1
roles/ansible-role-redhat_satellite6_installation
View File

@@ -1 +0,0 @@
/Users/ptoal/Dev/ansible-role-redhat_satellite6_installation