Change docker client keys filenames to use hostname

This is to avoid keys being overwritten when multiple clients are used
UCL-MIRSG · Jul 23, 2024 · 28cc619 · 28cc619
1 parent f2d83ef
commit 28cc619
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 21 deletions.
diff --git a/roles/docker/molecule/resources/converge.yml b/roles/docker/molecule/resources/converge.yml
@@ -44,7 +44,9 @@
 
     - name: Copy private key from Ansible Controller cache to client
       ansible.builtin.copy:
-        src: "{{ docker_client_certificate_cache_directory }}/key.pem"
+        src:
+          "{{ docker_client_certificate_cache_directory
+          }}/molecule.docker-client.local.pem"
         dest: "{{ docker_client_directory }}/key.pem"
         owner: root
         group: root

diff --git a/roles/docker/tasks/client-certs.yml b/roles/docker/tasks/client-certs.yml
@@ -9,40 +9,42 @@
 
 - name: Generate OpenSSL client private key
   community.crypto.openssl_privatekey:
-    path: "{{ docker_client_certificate_directory }}/key.pem"
+    path: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.pem"
     owner: "{{ docker_owner }}"
     group: "{{ docker_group }}"
     mode: "0400"
 
-- name: Generate OpenSSL CSR for each client using private key
+- name: Generate OpenSSL CSR for client using private key
   community.crypto.openssl_csr:
-    path: "{{ docker_client_certificate_directory }}/{{ item }}.csr"
-    privatekey_path: "{{ docker_client_certificate_directory }}/key.pem"
-    common_name: "{{ item }}"
+    path: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.csr"
+    privatekey_path:
+      "{{ docker_client_certificate_directory }}/{{ client_hostname }}.pem"
+    common_name: "{{ client_hostname }}"
   register: new_docker_client_csr_generated
-  loop: "{{ docker_client_hostnames }}"
 
-- name: Generate client certificates signed by server CA
+- name: Generate client certificate signed by server CA
   community.crypto.x509_certificate:
-    path: "{{ docker_client_certificate_directory }}/{{ item }}.cert"
-    csr_path: "{{ docker_client_certificate_directory }}/{{ item }}.csr"
+    path: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.cert"
+    csr_path:
+      "{{ docker_client_certificate_directory }}/{{ client_hostname }}.csr"
     provider: ownca
     ownca_path: "{{ docker_ca_cert }}"
     ownca_privatekey_path: "{{ docker_ca_key }}"
     mode: "0400"
     owner: "{{ docker_owner }}"
     group: "{{ docker_group }}"
-  loop: "{{ docker_client_hostnames }}"
 
-- name: Copy signed client certificates to temp dir on Ansible controller
+- name: Copy signed client certificate to temp dir on Ansible controller
   ansible.builtin.fetch:
-    src: "{{ docker_client_certificate_directory }}/{{ item }}.cert"
-    dest: "{{ docker_client_certificate_cache_directory }}/{{ item }}.cert"
+    src: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.cert"
+    dest:
+      "{{ docker_client_certificate_cache_directory }}/{{ client_hostname
+      }}.cert"
     flat: true
-  loop: "{{ docker_client_hostnames }}"
 
 - name: Copy private key to temp dir on Ansible controller
   ansible.builtin.fetch:
-    src: "{{ docker_client_certificate_directory }}/key.pem"
-    dest: "{{ docker_client_certificate_cache_directory }}/key.pem"
+    src: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.pem"
+    dest:
+      "{{ docker_client_certificate_cache_directory }}/{{ client_hostname }}.pem"
     flat: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
@@ -88,8 +88,11 @@
       ansible.builtin.import_tasks: server-cert.yml
 
     - name: Generate TLS certificates for each client
-      ansible.builtin.import_tasks: client-certs.yml
+      ansible.builtin.include_tasks: client-certs.yml
       when: docker_client_hostnames
+      vars:
+        client_hostname: "{{ item }}"
+      loop: "{{ docker_client_hostnames }}"
 
 - name:
     Ensure docker service configuration is reloaded before restarting the

diff --git a/roles/monitoring_client/defaults/main.yml b/roles/monitoring_client/defaults/main.yml
@@ -26,3 +26,5 @@ monitoring_client_ssl_cert_file: /root/monitoring_certs/cert.pem
 monitoring_client_server_ca_cert_file: /root/monitoring_certs/ca.pem
 monitoring_client_exporter_username: prometheus
 monitoring_client_exporter_password: ""
+
+monitoring_client_key_file: "{{ hostvars[inventory_hostname]['ansible_host'] }}.pem"
diff --git a/roles/monitoring_client/tasks/main.yml b/roles/monitoring_client/tasks/main.yml
@@ -25,9 +25,10 @@
     group: "{{ monitoring_client_group }}"
     mode: "0600"
 
-- name: Copy signed monitoring client key to client
+- name: Copy monitoring client key to client
   ansible.builtin.copy:
-    src: "{{ monitoring_client_certificate_cache_directory }}/key.pem"
+    src: "{{ monitoring_client_certificate_cache_directory }}/{{
+      monitoring_client_key_file }}"
     dest: "{{ monitoring_client_ssl_key_file }}"
     owner: "{{ monitoring_client_owner }}"
     group: "{{ monitoring_client_group }}"

diff --git a/roles/xnat_container_service/tasks/main.yml b/roles/xnat_container_service/tasks/main.yml
@@ -29,7 +29,9 @@
 
 - name: Copy private key from Ansible Controller cache to client
   ansible.builtin.copy:
-    src: "{{ xnat_container_service_certificate_cache_directory }}/key.pem"
+    src:
+      "{{ xnat_container_service_certificate_cache_directory }}/{{
+      xnat_container_service_client_hostname }}.pem"
     dest: "{{ xnat_container_service_key }}"
     owner: "{{ xnat_container_service_owner }}"
     group: "{{ xnat_container_service_group }}"