X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Fcaas-security.git;a=blobdiff_plain;f=ansible%2Froles%2Fcert%2Ftasks%2Fmain.yml;fp=ansible%2Froles%2Fcert%2Ftasks%2Fmain.yml;h=a23996c50361d104596e95ebed2af7093657874f;hp=0000000000000000000000000000000000000000;hb=c177c44e5d4c49eeb51b44487a614b865f8bf002;hpb=f2937b9484f58be8f23ae50500f30ca0f0e16e3b

diff --git a/ansible/roles/cert/tasks/main.yml b/ansible/roles/cert/tasks/main.yml
new file mode 100644
index 0000000..a23996c
--- /dev/null
+++ b/ansible/roles/cert/tasks/main.yml
@@ -0,0 +1,153 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: template node.conf
+  template:
+    src: "node.conf.j2"
+    dest: /etc/openssl/node.conf
+    mode: 0000
+
+- name: check instance cert directory
+  stat:
+    path: "{{ cert_path }}/ca.pem"
+  register: cert_path_register
+
+- name: create cert directory
+  file:
+    name: "{{ cert_path }}"
+    state: directory
+  when: not cert_path_register.stat.exists
+
+# The 'create cert directory' and 'changing permissions of cert directory' tasks cannot merged together!
+# Since 'state: directory' creates the directory recursively.
+# So, if cert_path is e.g: /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as it's permisson.
+# And in that case the admin user would get access denied for the /etc/kubernetes folder.
+- name: changing permissions of cert directory
+  file:
+    path: "{{ cert_path }}"
+    mode: 0700
+  when: not cert_path_register.stat.exists
+
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}
+  acl:
+    default: yes
+    name:  "{{ cert_path }}"
+    entity: "{{ users.admin_user_name }}"
+    etype: user
+    permissions: rx
+    recursive: yes
+    state: present
+
+- name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }}
+  acl:
+    name:  "{{ cert_path }}"
+    entity: "{{ users.admin_user_name }}"
+    etype: user
+    permissions: rx
+    recursive: yes
+    state: present
+
+- name: check instance cert
+  stat:
+    path: "{{ cert_path }}/{{ _cert }}"
+  register: cert
+
+- name: copy CA to {{ cert_path }}
+  copy:
+    src: "/etc/openssl/ca.pem"
+    dest: "{{ cert_path }}/ca.pem"
+  when: not cert_path_register.stat.exists
+
+- name: generate instance certificate
+  command: "{{ item }}"
+  with_items:
+    - "/usr/bin/openssl genrsa -out {{ _key }} 2048"
+    - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256"
+    - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256"
+  args:
+    chdir: "{{ cert_path }}"
+  when: not cert.stat.exists
+
+- name: reducing permission of key file and cert file
+  file:
+    path: "{{ cert_path }}/{{ item }}"
+    mode: 0000
+  with_items:
+    - "{{ _key }}"
+    - "{{ _cert }}"
+  when: not cert.stat.exists
+
+- name: remove cert request and serial file
+  file:
+    path: "{{ cert_path }}/{{ item }}"
+    state: absent
+  with_items:
+    - "{{ instance }}.csr"
+    - "{{ instance }}.slr"
+  when: not cert.stat.exists
+
+- name: setting ca.pem permission
+  file:
+    path: "{{ cert_path }}/ca.pem"
+    mode: 0000
+  when: not cert_path_register.stat.exists
+
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.epm
+  acl:
+    name:  "{{ cert_path }}/ca.pem"
+    entity: "{{ users.admin_user_name }}"
+    etype: user
+    permissions: rx
+    state: present
+
+- name: allowing users to access keys
+  acl:
+    name: "{{ item[0] }}"
+    entity: "{{ item[1] }}"
+    etype: user
+    permissions: "r"
+    state: present
+  with_nested:
+    - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ]
+    - "{{ add_users | default([]) }}"
+
+- name: adding exec flag to {{ cert_path }} directory for users
+  acl:
+    name: "{{ cert_path }}"
+    entity: "{{ item }}"
+    etype: user
+    permissions: "rx"
+    state: present
+  with_items: "{{ add_users | default([]) }}"
+
+- name: create kubeconfig from cert
+  include_role:
+    name: kubeconfig
+  vars:
+    config:
+      path: "{{ item.path }}"
+      owner: "{{ item.owner | default('root') }}"
+      group: "{{ item.group | default('root') }}"
+      restricted: "{{ item.restricted | default(true) }}"
+      user: "{{ _cn }}"
+      cert: "{{ cert_path }}/{{ _cert }}"
+      key: "{{ cert_path }}/{{ _key }}"
+      apiserver: "{{ item.apiserver }}"
+      apiserver_port: "{{ item.apiserver_port }}"
+      add_users: "{{ add_users | default([]) }}"
+  with_items: "{{ kube_conf | default([]) }}"
+
+- name: force IO to write data to disk
+  shell: "sync"