Add roles and example playbook for PVC cert renewal #189
Conversation
Signed-off-by: Jim Enright <[email protected]>
Signed-off-by: Jim Enright <[email protected]>
jimright
force-pushed
the
feature/pvc_cert_renewal
branch
from
768046b to
1a0205c
Compare
Signed-off-by: Jim Enright <[email protected]>
There was a problem hiding this comment.
Correct that you do not use tls_fetch_ca_certs in the playbook or in any other role?
An overall comment is that it feels odd to pull back the CSRs to the controller, only to push them to the CA server. Could we have each host push them to the CA server and get them signed via a delegate_to?
| file_type: file | ||
| register: __csrs_to_sign | ||
| vars: | ||
| local_csrs_dir: "{{ (hostvars['localhost']['__pvc_tls_tempdir']['path'], 'csrs') | path_join }}" |
There was a problem hiding this comment.
Could you save yourself the vars declaration by using set_fact in the first play, which is running on localhost? (Actually, looks like the register is handling that for you already, which I thought it didn't persist outside of the play.)
| local_csrs_to_sign: "{{ __csrs_to_sign.files | json_query('[*].path') | flatten }}" | ||
|
|
||
| - name: Play 2 - Sign the CSR | ||
| hosts: ca_server |
There was a problem hiding this comment.
This does not handle FreeIPA at the moment, correct?
There was a problem hiding this comment.
Correct, the flow for renewing FreeIPA certs will be slightly different as it can happen on the cluster host with the step outlined here: https://www.freeipa.org/page/Certmonger#manually-renew-a-certificate.
| # limitations under the License. | ||
| --> | ||
|
|
||
| # cloudera.exe.tls_fetch_ca_certs |
| loop_control: | ||
| loop_var: dir | ||
|
|
||
| - ansible.builtin.set_fact: |
There was a problem hiding this comment.
Really should add name here and on other tasks
| owner: root | ||
| mode: 0644 | ||
|
|
||
| - name: Generate CSR |
There was a problem hiding this comment.
Why not use community.crypto.openssl_csr module?
There was a problem hiding this comment.
Done as part of the latest set of commits. This then also allowed some cleanup of redundant tasks and variables.
| description: "Flag to specify if the CSRs should be copied from the Ansible controller." | ||
| type: "bool" | ||
| default: true | ||
| override_old_certs: |
There was a problem hiding this comment.
This is a confusing parameter. If set to false, then the role will override, but if set to true, the role will back up the cert. The functionality is right; the naming is not.
There was a problem hiding this comment.
This has simplified with the use of community.crypto.x509_certificate. I've renamed the parameter to backup_old_certs and use the parameter in the backup argument to community.crypto.x509_certificate.
playbooks/pvc_renew_certs.yml
Outdated
|
|
||
| - name: Call tls_install_certs role | ||
| ansible.builtin.import_role: | ||
| name: cloudera.exetls_install_certs |
There was a problem hiding this comment.
Invalid reference (missing the dot separator)
There was a problem hiding this comment.
Good spot. Fixed in the latest set of commits.
| owner: root | ||
| group: root | ||
|
|
||
| - name: Validate certificate |
There was a problem hiding this comment.
Potentially use the community.crypto.x509_certificate_info module?
There was a problem hiding this comment.
I tested this but it seems to not validate against the CA cert. Instead I've continued to use the openssl verify command but changed to module to ansible.builtin.command
| - name: Generate a temporary PKCS12 keystore with renewed cert | ||
| community.crypto.openssl_pkcs12: | ||
| action: export | ||
| path: "{{ __temp_keystore }}" |
There was a problem hiding this comment.
Should this be a tempfile location?
There was a problem hiding this comment.
Done in the latest set of commits.
Signed-off-by: Jim Enright <[email protected]>
Signed-off-by: Jim Enright <[email protected]>
Signed-off-by: Jim Enright <[email protected]>
Signed-off-by: Jim Enright <[email protected]>
|
@wmudge - Thanks for the feedback; I've made some updates to the PR based on you comments.
Yes! I created this role initially but found that it wasn't needed. I've kept it as it might be needed if we migrate the full TLS creation to cloudera.exe. However I'm happy to remove if you think it's better.
My rationale for this was to be able to support the scenario where the CSRs are given to a third-party certificate authority in order to sign. I agree that it does make the flow a big clunky. |
New roles added to support cert renewal on CDP Private Cloud:
tls_generate_csr: Generate CSR on each cluster host and copy back to controllertls_signing: Copy CSR to the ca server, sign to generate certtls_install_certs: Copy signed certs to each cluster host; update Java keystore with new certtls_fetch_ca_certs: Used to fetch root and intermediate CA certs from the CA serverExample playbook
pvc_renew_certs.ymlalso included to demonstrate how to use these roles.