From 28cc61996e9063e4d3f86e3500191cfffd8c5654 Mon Sep 17 00:00:00 2001
From: Tom Doel
Date: Wed, 17 Jul 2024 14:59:11 +0100
Subject: [PATCH] Change docker client keys filenames to use hostname

This is to avoid keys being overwritten when multiple clients are used
---
 roles/docker/molecule/resources/converge.yml | 4 ++-
 roles/docker/tasks/client-certs.yml | 34 +++++++++++---------
 roles/docker/tasks/main.yml | 5 ++-
 roles/monitoring_client/defaults/main.yml | 2 ++
 roles/monitoring_client/tasks/main.yml | 5 +--
 roles/xnat_container_service/tasks/main.yml | 4 ++-
 6 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/roles/docker/molecule/resources/converge.yml b/roles/docker/molecule/resources/converge.yml
index 34d6c003..9fc11bb1 100644
--- a/roles/docker/molecule/resources/converge.yml
+++ b/roles/docker/molecule/resources/converge.yml
@@ -44,7 +44,9 @@
 - name: Copy private key from Ansible Controller cache to client
 ansible.builtin.copy:
- src: "{{ docker_client_certificate_cache_directory }}/key.pem"
+ src:
+ "{{ docker_client_certificate_cache_directory
+ }}/molecule.docker-client.local.pem"
 dest: "{{ docker_client_directory }}/key.pem"
 owner: root
 group: root
diff --git a/roles/docker/tasks/client-certs.yml b/roles/docker/tasks/client-certs.yml
index ab923b49..8ef23694 100644
--- a/roles/docker/tasks/client-certs.yml
+++ b/roles/docker/tasks/client-certs.yml
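Review bot: The molecule copy task hard-codes `molecule.docker-client.local` as the key filename, duplicating a value that must match an entry in `docker_client_hostnames` for the cache file to exist at all; if the molecule vars ever change that list, this only fails at the `ansible.builtin.copy` step. I'd derive the name from the variable the role itself uses, e.g. `src: "{{ docker_client_certificate_cache_directory }}/{{ docker_client_hostnames[0] }}.pem"` (assuming molecule's vars define that list — they are not in this diff). The `mode` for the copied private key is outside the hunk; since the source key is generated with `mode: "0400"` in client-certs.yml, it is worth confirming the copy sets an equally restrictive mode rather than falling back to the remote umask.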
@@ -9,40 +9,42 @@
 - name: Generate OpenSSL client private key
 community.crypto.openssl_privatekey:
- path: "{{ docker_client_certificate_directory }}/key.pem"
+ path: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.pem"
 owner: "{{ docker_owner }}"
 group: "{{ docker_group }}"
 mode: "0400"
-- name: Generate OpenSSL CSR for each client using private key
+- name: Generate OpenSSL CSR for client using private key
 community.crypto.openssl_csr:
- path: "{{ docker_client_certificate_directory }}/{{ item }}.csr"
- privatekey_path: "{{ docker_client_certificate_directory }}/key.pem"
- common_name: "{{ item }}"
+ path: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.csr"
+ privatekey_path:
+ "{{ docker_client_certificate_directory }}/{{ client_hostname }}.pem"
+ common_name: "{{ client_hostname }}"
 register: new_docker_client_csr_generated
- loop: "{{ docker_client_hostnames }}"
-- name: Generate client certificates signed by server CA
+- name: Generate client certificate signed by server CA
 community.crypto.x509_certificate:
- path: "{{ docker_client_certificate_directory }}/{{ item }}.cert"
- csr_path: "{{ docker_client_certificate_directory }}/{{ item }}.csr"
+ path: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.cert"
+ csr_path:
+ "{{ docker_client_certificate_directory }}/{{ client_hostname }}.csr"
 provider: ownca
 ownca_path: "{{ docker_ca_cert }}"
 ownca_privatekey_path: "{{ docker_ca_key }}"
 mode: "0400"
 owner: "{{ docker_owner }}"
 group: "{{ docker_group }}"
- loop: "{{ docker_client_hostnames }}"
-- name: Copy signed client certificates to temp dir on Ansible controller
+- name: Copy signed client certificate to temp dir on Ansible controller
 ansible.builtin.fetch:
- src: "{{ docker_client_certificate_directory }}/{{ item }}.cert"
- dest: "{{ docker_client_certificate_cache_directory }}/{{ item }}.cert"
+ src: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.cert"
+ dest:
+ "{{ docker_client_certificate_cache_directory }}/{{ client_hostname
+ }}.cert"
 flat: true
- loop: "{{ docker_client_hostnames }}"
 - name: Copy private key to temp dir on Ansible controller
 ansible.builtin.fetch:
- src: "{{ docker_client_certificate_directory }}/key.pem"
- dest: "{{ docker_client_certificate_cache_directory }}/key.pem"
+ src: "{{ docker_client_certificate_directory }}/{{ client_hostname }}.pem"
+ dest:
+ "{{ docker_client_certificate_cache_directory }}/{{ client_hostname }}.pem"
 flat: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index e0a07958..86826e60 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -88,8 +88,11 @@
 ansible.builtin.import_tasks: server-cert.yml
 - name: Generate TLS certificates for each client
- ansible.builtin.import_tasks: client-certs.yml
+ ansible.builtin.include_tasks: client-certs.yml
 when: docker_client_hostnames
+ vars:
+ client_hostname: "{{ item }}"
+ loop: "{{ docker_client_hostnames }}"
 - name: Ensure docker service configuration is reloaded before restarting the
diff --git a/roles/monitoring_client/defaults/main.yml b/roles/monitoring_client/defaults/main.yml
index f8c46070..0895d3c9 100644
--- a/roles/monitoring_client/defaults/main.yml
+++ b/roles/monitoring_client/defaults/main.yml
@@ -26,3 +26,5 @@ monitoring_client_ssl_cert_file: /root/monitoring_certs/cert.pem
 monitoring_client_server_ca_cert_file: /root/monitoring_certs/ca.pem
 monitoring_client_exporter_username: prometheus
 monitoring_client_exporter_password: ""
+
+monitoring_client_key_file: "{{ hostvars[inventory_hostname]['ansible_host'] }}.pem"
diff --git a/roles/monitoring_client/tasks/main.yml b/roles/monitoring_client/tasks/main.yml
index 4f98dd86..99f89a71 100644
--- a/roles/monitoring_client/tasks/main.yml
+++ b/roles/monitoring_client/tasks/main.yml
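Review bot: The last task now fetches one `<client_hostname>.pem` private key per client into `docker_client_certificate_cache_directory` on the controller, and `ansible.builtin.fetch` has no `mode` option, so each copy is created under the controller's umask regardless of the `mode: "0400"` enforced on the managed host. Unless that cache directory is created with restrictive permissions elsewhere (not visible here), every client's key is readable by other local users on the controller; an `ansible.builtin.file` task with `state: directory` and `mode: "0700"` on the cache directory before the fetch — or generating the key on the client and shipping only the CSR — would close this. Separately, `register: new_docker_client_csr_generated` used to be set by a looped task and hold a `.results` list; with the loop moved to the including `include_tasks` it is overwritten on every iteration and only the last client's result survives, so any consumer of that variable (outside this hunk) should be checked.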
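Review bot: Passing the loop variable through `vars: client_hostname: "{{ item }}"` makes `client_hostname` a lazily templated alias of `item`, so any looped task added inside client-certs.yml would shadow `item` and silently change the key filenames; `loop_control` is the idiomatic way to name the loop variable. I'd replace the `vars:` block with `loop_control:` / `loop_var: client_hostname` and keep `loop: "{{ docker_client_hostnames }}"` as is. If `docker_client_hostnames` can be undefined on some hosts, note that `loop` is templated before `when` is evaluated, so the task errors instead of skipping; `loop: "{{ docker_client_hostnames | default([]) }}"` makes the intent explicit.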
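Review bot: `hostvars[inventory_hostname]['ansible_host']` is just `ansible_host`, and as far as I can tell `ansible_host` exists only when the inventory sets it explicitly, so on hosts addressed by their inventory name this default fails to template and every task that references `monitoring_client_key_file` errors. Since the point of the change is that the filename must match what the issuing side wrote, the default should fall back predictably, e.g. `monitoring_client_key_file: "{{ ansible_host | default(inventory_hostname) }}.pem"`. Whether the monitoring server role named the key after `ansible_host` or after `inventory_hostname` is not visible in this diff and is worth confirming, since a mismatch surfaces only as a missing source file at copy time.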
@@ -25,9 +25,10 @@
 group: "{{ monitoring_client_group }}"
 mode: "0600"
-- name: Copy signed monitoring client key to client
+- name: Copy monitoring client key to client
 ansible.builtin.copy:
- src: "{{ monitoring_client_certificate_cache_directory }}/key.pem"
+ src: "{{ monitoring_client_certificate_cache_directory }}/{{
+ monitoring_client_key_file }}"
 dest: "{{ monitoring_client_ssl_key_file }}"
 owner: "{{ monitoring_client_owner }}"
 group: "{{ monitoring_client_group }}"
diff --git a/roles/xnat_container_service/tasks/main.yml b/roles/xnat_container_service/tasks/main.yml
index 3b82edb3..b1dc4c98 100644
--- a/roles/xnat_container_service/tasks/main.yml
+++ b/roles/xnat_container_service/tasks/main.yml
@@ -29,7 +29,9 @@
 - name: Copy private key from Ansible Controller cache to client
 ansible.builtin.copy:
- src: "{{ xnat_container_service_certificate_cache_directory }}/key.pem"
+ src:
+ "{{ xnat_container_service_certificate_cache_directory }}/{{
+ xnat_container_service_client_hostname }}.pem"
 dest: "{{ xnat_container_service_key }}"
 owner: "{{ xnat_container_service_owner }}"
 group: "{{ xnat_container_service_group }}"
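Review bot: `xnat_container_service_client_hostname` is introduced in the new `src:` but nothing in this commit defines it — the diffstat touches no defaults file for this role, whereas `monitoring_client` received `monitoring_client_key_file` in the same commit — so unless it is already set by the playbook or group vars (not visible here) this task fails with an undefined variable. I'd add a default next to the other `xnat_container_service_*` variables, e.g. `xnat_container_service_client_hostname: "{{ ansible_host | default(inventory_hostname) }}"`, chosen to match whatever name the docker role used when it wrote `{{ client_hostname }}.pem` into the cache. The `mode` of this copied private key is outside the hunk; it should be as restrictive as the `0400` the source key is generated with.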