-
Notifications
You must be signed in to change notification settings - Fork 20
/
init.yml
132 lines (128 loc) · 5.2 KB
/
init.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
---
- name: Look for existing install
stat:
path: "{{ step_ca_path }}/config/ca.json"
register: step_ca_config
# Always create the intermediate password file as it is needed for CA operation
- name: Intermediate password file is present
copy:
content: "{{ step_ca_intermediate_password }}"
dest: "{{ step_ca_intermediate_password_file }}"
owner: "{{ step_ca_user }}"
mode: 0600
group: "{{ step_ca_user }}"
no_log: yes
- name: Initialize CA
block:
- name: Create root key password file # noqa no-changed-when
copy:
content: "{{ step_ca_root_password }}"
dest: "{{ step_ca_root_password_file }}"
owner: "{{ step_ca_user }}"
mode: 0600
group: "{{ step_ca_user }}"
no_log: yes
- name: Copy root cert from controller
block:
- name: Copy cert file
copy:
src: "{{ step_ca_existing_root_file }}"
dest: "{{ step_ca_root_temp_file }}"
owner: "{{ step_ca_user }}"
mode: 0600
group: "{{ step_ca_user }}"
- name: Use the temp file as remote root cert
set_fact:
step_ca_existing_root_file: "{{ step_ca_root_temp_file }}"
when: step_ca_existing_root|d('') == 'local'
- name: Copy root key from controller
block:
- name: Copy key file
copy:
src: "{{ step_ca_existing_key_file }}"
dest: "{{ step_ca_key_temp_file }}"
owner: "{{ step_ca_user }}"
mode: 0600
group: "{{ step_ca_user }}"
- name: Use the temp file as remote root key
set_fact:
step_ca_existing_key_file: "{{ step_ca_key_temp_file }}"
when: step_ca_existing_key|d('') == 'local'
- name: Decrypt root key
block:
- name: Copy password to temporary file
copy:
content: "{{ step_ca_existing_key_password }}"
dest: "{{ step_ca_existing_key_password_file }}"
owner: "{{ step_ca_user }}"
mode: 0600
group: "{{ step_ca_user }}"
no_log: yes
- name: Decrypt temporary root key # noqa no-changed-when
command: >-
{{ step_cli_executable }} crypto change-pass
{{ step_ca_existing_key_file }}
--out={{ step_ca_key_temp_file }}
--password-file={{ step_ca_existing_key_password_file }}
--insecure --no-password --force
- name: Use the temp file as remote root key
set_fact:
step_ca_existing_key_file: "{{ step_ca_key_temp_file }}"
when: step_ca_existing_key_password is defined
- name: Initialize CA # noqa no-changed-when
command: >-
{{ step_cli_executable }} ca init
--name={{ step_ca_name | quote }}
--dns={{ step_ca_dns | quote }}
--address={{ step_ca_address | quote }}
--provisioner={{ step_ca_tmp_provisioner | quote }}
--password-file={{ step_ca_root_password_file | quote }}
--provisioner-password-file={{ step_ca_root_password_file | quote }}
{% if step_ca_url is defined %} --with-ca-url={{ step_ca_url | quote }}{% endif %}
{% if step_ca_ssh %} --ssh{% endif %}
{% if step_ca_existing_root_file is defined %} --root={{ step_ca_existing_root_file | quote }}{% endif %}
{% if step_ca_existing_key_file is defined %} --key={{ step_ca_existing_key_file | quote }}{% endif %}
{% if step_ca_ra is defined %} --ra={{ step_ca_ra | quote }}{% endif %}
{% if step_ca_ra_issuer is defined %} --issuer={{ step_ca_ra_issuer | quote }}{% endif %}
{% if step_ca_ra_credentials_file is defined %} --credentials-file={{ step_ca_ra_credentials_file | quote }}{% endif %}
environment:
STEPPATH: "{{ step_ca_path }}"
become: yes
become_user: "{{ step_ca_user }}"
- name: Change password for intermediate and ssh keys # noqa no-changed-when
command: "{{ step_cli_executable }} crypto change-pass {{ step_ca_path }}/secrets/{{ item }} -f --password-file={{ step_ca_root_password_file }} --new-password-file={{ step_ca_intermediate_password_file }}"
become: yes
become_user: "{{ step_ca_user }}"
loop: "{{ _item_list | select | list }}"
vars:
_item_list:
- intermediate_ca_key
- "{{ step_ca_ssh | ternary('ssh_host_ca_key', '') }}"
- "{{ step_ca_ssh | ternary('ssh_user_ca_key', '') }}"
- name: Remove initial provisioner
maxhoesel.smallstep.step_ca_provisioner:
name: "{{ step_ca_tmp_provisioner }}"
type: JWK
state: absent
environment:
STEPPATH: "{{ step_ca_path }}"
become: yes
become_user: "{{ step_ca_user }}"
always:
- name: Root password file is absent
file:
path: "{{ step_ca_root_password_file }}"
state: absent
- name: Existing root password file is absent
file:
path: "{{ step_ca_existing_key_password_file }}"
state: absent
- name: Delete temporary root cert file
file:
path: "{{ step_ca_root_temp_file }}"
state: absent
- name: Delete temporary root key file
file:
path: "{{ step_ca_key_temp_file }}"
state: absent
when: not step_ca_config.stat.exists