Update cert role to enable to load them to secrets

[ta/caas-security.git] / ansible / roles / cert / tasks / main.yml

---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: template node.conf
  template:
    src: "node.conf.j2"
    dest: /etc/openssl/node.conf
    mode: 0000

- name: check instance cert directory
  stat:
    path: "{{ cert_path }}/ca.pem"
  register: cert_path_register

- name: create cert directory
  file:
    name: "{{ cert_path }}"
    state: directory
  when: not cert_path_register.stat.exists

# The 'create cert directory' and 'changing permissions of cert directory' tasks cannot merged together!
# Since 'state: directory' creates the directory recursively.
# So, if cert_path is e.g: /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as it's permisson.
# And in that case the admin user would get access denied for the /etc/kubernetes folder.
- name: changing permissions of cert directory
  file:
    path: "{{ cert_path }}"
    mode: 0700
  when: not cert_path_register.stat.exists

- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}
  acl:
    default: yes
    name:  "{{ cert_path }}"
    entity: "{{ users.admin_user_name }}"
    etype: user
    permissions: rx
    recursive: yes
    state: present

- name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }}
  acl:
    name:  "{{ cert_path }}"
    entity: "{{ users.admin_user_name }}"
    etype: user
    permissions: rx
    recursive: yes
    state: present

- name: check instance cert
  stat:
    path: "{{ cert_path }}/{{ _cert }}"
  register: cert

- name: copy CA to {{ cert_path }}
  copy:
    src: "/etc/openssl/ca.pem"
    dest: "{{ cert_path }}/ca.pem"
  when: not cert_path_register.stat.exists

- name: generate instance certificate
  command: "{{ item }}"
  with_items:
    - "/usr/bin/openssl genrsa -out {{ _key }} 2048"
    - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256"
    - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256"
  args:
    chdir: "{{ cert_path }}"
  when: not cert.stat.exists

- name: load certificate into secret
  command: "kubectl -n {{ _secret_ns }} create secret {{ _secret_type }}  {{ _secret_name }} --cert={{ cert_path }}/{{ _cert }} --key={{ cert_path }}/{{ _key }}"
  when: _secret_name != ''

- name: Unconditionally delete files in case of secrets
  set_fact:
    _keep_files: "{{ false if _secret_name != '' else _keep_files }}"

- name: create kubeconfig from cert
  include_role:
    name: kubeconfig
  vars:
    config:
      path: "{{ item.path }}"
      owner: "{{ item.owner | default('root') }}"
      group: "{{ item.group | default('root') }}"
      restricted: "{{ item.restricted | default(true) }}"
      user: "{{ _cn }}"
      cert: "{{ cert_path }}/{{ _cert }}"
      key: "{{ cert_path }}/{{ _key }}"
      apiserver: "{{ item.apiserver }}"
      apiserver_port: "{{ item.apiserver_port }}"
      add_users: "{{ add_users | default([]) }}"
  with_items: "{{ kube_conf | default([]) }}"

- name: Unconditionally delete files in case of kubeconfig
  set_fact:
    _keep_files = "{{ false if kube_conf is defined else _keep_files }}"

- name: SECURITY settings on cert files
  block:
    - name: reducing permission of key file and cert file
      file:
        path: "{{ cert_path }}/{{ item }}"
        mode: 0000
      with_items:
        - "{{ _key }}"
        - "{{ _cert }}"
      when: not cert.stat.exists

    - name: remove cert request and serial file
      file:
        path: "{{ cert_path }}/{{ item }}"
        state: absent
      with_items:
        - "{{ instance }}.csr"
        - "{{ instance }}.slr"
      when: not cert.stat.exists

    - name: setting ca.pem permission
      file:
        path: "{{ cert_path }}/ca.pem"
        mode: 0000
      when: not cert_path_register.stat.exists

    - name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.pem
      acl:
        name:  "{{ cert_path }}/ca.pem"
        entity: "{{ users.admin_user_name }}"
        etype: user
        permissions: rx
        state: present

    - name: allowing users to access keys
      acl:
        name: "{{ item[0] }}"
        entity: "{{ item[1] }}"
        etype: user
        permissions: "r"
        state: present
      with_nested:
        - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ]
        - "{{ add_users | default([]) }}"

    - name: adding exec flag to {{ cert_path }} directory for users
      acl:
        name: "{{ cert_path }}"
        entity: "{{ item }}"
        etype: user
        permissions: "rx"
        state: present
      with_items: "{{ add_users | default([]) }}"

    - name: adding mask to the acl
      acl:
        name: "{{ cert_path }}"
        etype: mask
        permissions: "rx"
        recursive: yes
        state: present
  when: _keep_files

- name: Remove directory in case of _keep_files==false
  file:
    name: "{{ cert_path }}"
    state: absent
  when: not _keep_files

- name: force IO to write data to disk
  shell: "sync"