logan2211 · February 27, 2018 16:31
diff --git a/haproxy-install.yml b/haproxy-install.yml
 ---
 # Copyright 2016, Logan Vig <[email protected]>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 - name: Install haproxy load balancers
  hosts: "{{ haproxy_group }}"
  gather_facts: "{{ gather_facts }}"
  become: yes
  become_user: root
  pre_tasks:
    - name: Fetch the bootstrapped letsencrypt PEM
      fetch:
        src: "{{ item.dest }}"
        dest: "{{ item.src }}"
        flat: yes
      with_items: "{{ haproxy_ssl_map | default([]) }}"
      failed_when: false
      when:
        - inventory_hostname == haproxy_primary_node
        - item.letsencrypt | default('no') | bool
    - name: Generate the self-signed SSL certificates
      include: common-tasks/self-signed-certificate.yml
      vars:
        ssl:
          pem: "{{ outer_item.src }}"
          subject_hosts: "{{ outer_item.subject_hosts }}"
      when:
        - outer_item.gen_self_signed | default('no') | bool or
          outer_item.letsencrypt | default('no') | bool
        - inventory_hostname == ansible_play_hosts[0]
      loop_control:
        loop_var: outer_item
      with_items: "{{ haproxy_ssl_map | default([]) }}"
      delegate_to: localhost
  roles:
    - haproxy
  post_tasks:
    - name: Run certbot for letsencrypt certificates
      include: common-tasks/letsencrypt-certbot.yml
      vars:
        domains: "{{ outer_item.subject_hosts | map(attribute='dns') | list }}"
      loop_control:
        loop_var: outer_item
      with_items: "{{ haproxy_ssl_map | default([]) }}"
      when:
        - inventory_hostname == haproxy_primary_node
        - outer_item.letsencrypt | default('no') | bool
    - name: Run certbot for letsencrypt certificates
      include: common-tasks/letsencrypt-distribute.yml
      vars:
        domains: "{{ outer_item.subject_hosts | map(attribute='dns') | list }}"
        pem_dest: "{{ outer_item.dest }}"
      loop_control:
        loop_var: outer_item
      with_items: "{{ haproxy_ssl_map | default([]) }}"
      when:
        - outer_item.letsencrypt | default('no') | bool
  vars_files:
    - vars/default.yml
  tags:
    - haproxy
diff --git a/self-signed-certificate.yml b/self-signed-certificate.yml
 ---
 # Copyright 2017, Logan Vig <[email protected]>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 # Pass in a var to this file called "ssl" with optional settings:
 # EITHER ssl.ssl_name, ssl.ssl_cert, or ssl.ssl_pem must be defined
 # Example:
 #   ssl.pem: /tmp/ssl.pem
 # Result:
 #   ssl.cert: /tmp/ssl.crt
 #   ssl.key: /tmp/ssl.key

 - name: Populate the certificate prerequisite facts
  set_fact:
    "{{ item.name }}": "{{ item.value }}"
  with_items:
    - name: ssl_name
      value: |-
        {% if ssl.name is defined %}
        {{ ssl.name -}}
        {% elif ssl.cert is defined %}
        {{ (ssl.cert | splitext)[0] -}}
        {% elif ssl.pem is defined %}
        {{ (ssl.pem | splitext)[0] -}}
        {% endif %}
    - name: ssl_subject_hosts
      value: "{{ ssl.subject_hosts | default([{'ip': ansible_ssh_host}]) }}"

 - name: Populate the SSL CN and SAN
  set_fact:
    "{{ item.name }}": "{{ item.value }}"
  with_items:
    - name: ssl_subject_cn
      value: "{{ ssl_subject_hosts[0]['ip']
                 | default(ssl_subject_hosts[0]['dns']) }}"
    - name: ssl_subject_san
      value: |-
        {% set _var = [] %}
        {% for item in ssl_subject_hosts %}
        {% if item.ip is defined %}
        {% set _ = _var.append('IP.' ~ loop.index ~ '=' ~ item.ip) %}
        {% endif %}
        {% if item.dns is defined %}
        {% set _ = _var.append('DNS.' ~ loop.index ~ '=' ~ item.dns) %}
        {% endif %}
        {% endfor %}
        {{ _var | join(',') }}

 - name: Populate the certificate facts
  set_fact:
    "{{ item.name }}": "{{ item.value }}"
  with_items:
    - name: ssl_cert
      value: "{{ ssl.cert | default(ssl_name ~ '.crt') }}"
    - name: ssl_key
      value: "{{ ssl.key | default(ssl_name ~ '.key') }}"
    - name: ssl_pem
      value: "{{ ssl.pem | default(ssl_name ~ '.pem') }}"
    - name: ssl_subject
      value: "/C=US/ST=Texas/L=Dallas/O=IT/CN={{ ssl_subject_cn }}/subjectAltName={{ ssl_subject_san }}"
    - name: ssl_days
      value: "{{ ssl.days | default(3650) }}"

 - name: Remove self signed certs and keys for regen
  file:
    dest: "{{ item }}"
    state: "absent"
  with_items:
    - "{{ ssl_cert }}"
    - "{{ ssl_key }}"
    - "{{ ssl_pem }}"
  when:
    - ssl.ssl_regen is defined
    - ssl.ssl_regen | bool

 - name: Check if the pem file exists
  stat:
    path: "{{ ssl_pem }}"
  register: ssl_pem_stat

 - name: Generate the certificate
  block:
    - name: Generate self-signed ssl cert
      command: >
        openssl req -new -nodes -sha256 -x509 -subj
        "{{ ssl_subject }}"
        -days {{ ssl_days }}
        -out {{ ssl_cert }}
        -keyout {{ ssl_key }}
        -extensions v3_ca
      args:
        creates: "{{ ssl_cert }}"
      register: ssl_generate

    - name: Update pem file
      shell: cat {{ ssl_cert }} {{ ssl_key }} > {{ ssl_pem }}
      changed_when: false
      when: ssl_generate | changed
  when:
    - not ssl_pem_stat.stat.exists
diff --git a/vars.yml b/vars.yml
 ---

 haproxy_ssl_map:
  - src: "/tmp/{{ haproxy_testing_ssl }}"
    dest: "/etc/ssl/private/{{ haproxy_testing_ssl }}"
    gen_self_signed: yes
    subject_hosts:
      - ip: "{{ lb_external_ipv4_vip }}"
      - ip: "{{ lb_internal_ipv4_vip }}"
  - src: "/tmp/{{ haproxy_letsencrypt_ssl }}"
    dest: "/etc/ssl/private/{{ haproxy_letsencrypt_ssl }}"
    letsencrypt: yes
    subject_hosts:
      - dns: "{{ aio_hostname }}"
	---
	# Copyright 2016, Logan Vig <[email protected]>
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	- name: Install haproxy load balancers
	hosts: "{{ haproxy_group }}"
	gather_facts: "{{ gather_facts }}"
	become: yes
	become_user: root
	pre_tasks:
	- name: Fetch the bootstrapped letsencrypt PEM
	fetch:
	src: "{{ item.dest }}"
	dest: "{{ item.src }}"
	flat: yes
	with_items: "{{ haproxy_ssl_map \| default([]) }}"
	failed_when: false
	when:
	- inventory_hostname == haproxy_primary_node
	- item.letsencrypt \| default('no') \| bool
	- name: Generate the self-signed SSL certificates
	include: common-tasks/self-signed-certificate.yml
	vars:
	ssl:
	pem: "{{ outer_item.src }}"
	subject_hosts: "{{ outer_item.subject_hosts }}"
	when:
	- outer_item.gen_self_signed \| default('no') \| bool or
	outer_item.letsencrypt \| default('no') \| bool
	- inventory_hostname == ansible_play_hosts[0]
	loop_control:
	loop_var: outer_item
	with_items: "{{ haproxy_ssl_map \| default([]) }}"
	delegate_to: localhost
	roles:
	- haproxy
	post_tasks:
	- name: Run certbot for letsencrypt certificates
	include: common-tasks/letsencrypt-certbot.yml
	vars:
	domains: "{{ outer_item.subject_hosts \| map(attribute='dns') \| list }}"
	loop_control:
	loop_var: outer_item
	with_items: "{{ haproxy_ssl_map \| default([]) }}"
	when:
	- inventory_hostname == haproxy_primary_node
	- outer_item.letsencrypt \| default('no') \| bool
	- name: Run certbot for letsencrypt certificates
	include: common-tasks/letsencrypt-distribute.yml
	vars:
	domains: "{{ outer_item.subject_hosts \| map(attribute='dns') \| list }}"
	pem_dest: "{{ outer_item.dest }}"
	loop_control:
	loop_var: outer_item
	with_items: "{{ haproxy_ssl_map \| default([]) }}"
	when:
	- outer_item.letsencrypt \| default('no') \| bool
	vars_files:
	- vars/default.yml
	tags:
	- haproxy
	---
	# Copyright 2017, Logan Vig <[email protected]>
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	# Pass in a var to this file called "ssl" with optional settings:
	# EITHER ssl.ssl_name, ssl.ssl_cert, or ssl.ssl_pem must be defined
	# Example:
	# ssl.pem: /tmp/ssl.pem
	# Result:
	# ssl.cert: /tmp/ssl.crt
	# ssl.key: /tmp/ssl.key

	- name: Populate the certificate prerequisite facts
	set_fact:
	"{{ item.name }}": "{{ item.value }}"
	with_items:
	- name: ssl_name
	value: \|-
	{% if ssl.name is defined %}
	{{ ssl.name -}}
	{% elif ssl.cert is defined %}
	{{ (ssl.cert \| splitext)[0] -}}
	{% elif ssl.pem is defined %}
	{{ (ssl.pem \| splitext)[0] -}}
	{% endif %}
	- name: ssl_subject_hosts
	value: "{{ ssl.subject_hosts \| default([{'ip': ansible_ssh_host}]) }}"

	- name: Populate the SSL CN and SAN
	set_fact:
	"{{ item.name }}": "{{ item.value }}"
	with_items:
	- name: ssl_subject_cn
	value: "{{ ssl_subject_hosts[0]['ip']
	\| default(ssl_subject_hosts[0]['dns']) }}"
	- name: ssl_subject_san
	value: \|-
	{% set _var = [] %}
	{% for item in ssl_subject_hosts %}
	{% if item.ip is defined %}
	{% set _ = _var.append('IP.' ~ loop.index ~ '=' ~ item.ip) %}
	{% endif %}
	{% if item.dns is defined %}
	{% set _ = _var.append('DNS.' ~ loop.index ~ '=' ~ item.dns) %}
	{% endif %}
	{% endfor %}
	{{ _var \| join(',') }}

	- name: Populate the certificate facts
	set_fact:
	"{{ item.name }}": "{{ item.value }}"
	with_items:
	- name: ssl_cert
	value: "{{ ssl.cert \| default(ssl_name ~ '.crt') }}"
	- name: ssl_key
	value: "{{ ssl.key \| default(ssl_name ~ '.key') }}"
	- name: ssl_pem
	value: "{{ ssl.pem \| default(ssl_name ~ '.pem') }}"
	- name: ssl_subject
	value: "/C=US/ST=Texas/L=Dallas/O=IT/CN={{ ssl_subject_cn }}/subjectAltName={{ ssl_subject_san }}"
	- name: ssl_days
	value: "{{ ssl.days \| default(3650) }}"

	- name: Remove self signed certs and keys for regen
	file:
	dest: "{{ item }}"
	state: "absent"
	with_items:
	- "{{ ssl_cert }}"
	- "{{ ssl_key }}"
	- "{{ ssl_pem }}"
	when:
	- ssl.ssl_regen is defined
	- ssl.ssl_regen \| bool

	- name: Check if the pem file exists
	stat:
	path: "{{ ssl_pem }}"
	register: ssl_pem_stat

	- name: Generate the certificate
	block:
	- name: Generate self-signed ssl cert
	command: >
	openssl req -new -nodes -sha256 -x509 -subj
	"{{ ssl_subject }}"
	-days {{ ssl_days }}
	-out {{ ssl_cert }}
	-keyout {{ ssl_key }}
	-extensions v3_ca
	args:
	creates: "{{ ssl_cert }}"
	register: ssl_generate

	- name: Update pem file
	shell: cat {{ ssl_cert }} {{ ssl_key }} > {{ ssl_pem }}
	changed_when: false
	when: ssl_generate \| changed
	when:
	- not ssl_pem_stat.stat.exists
	---

	haproxy_ssl_map:
	- src: "/tmp/{{ haproxy_testing_ssl }}"
	dest: "/etc/ssl/private/{{ haproxy_testing_ssl }}"
	gen_self_signed: yes
	subject_hosts:
	- ip: "{{ lb_external_ipv4_vip }}"
	- ip: "{{ lb_internal_ipv4_vip }}"
	- src: "/tmp/{{ haproxy_letsencrypt_ssl }}"
	dest: "/etc/ssl/private/{{ haproxy_letsencrypt_ssl }}"
	letsencrypt: yes
	subject_hosts:
	- dns: "{{ aio_hostname }}"