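---
# file: roles/mariadb_cluster/tasks/certificates-server.yml
#
# Per-node Galera TLS material: a private key plus a certificate signed by
# the cluster CA. The key is generated on the node that uses it; only the
# CSR (no private material) is handed to the CA host for signing.
# `item` is not defined in this file — presumably the including task loops
# over the cluster hosts; verify against the caller.

- name: "{{ hostvars[item]['ansible_hostname'] }} - Create private key"
  community.crypto.openssl_privatekey:
    path: /etc/ssl/galera/server.key
    # Explicit permissions so the key is never readable by other users,
    # independent of the module default or the system umask.
    mode: "0600"

- name: "{{ hostvars[item]['ansible_hostname'] }} - Check if server certificate exists"
  ansible.builtin.stat:
    path: "/etc/ssl/galera/server.pem"
  register: serverCertCheck

# A certificate is issued only when none exists yet. Existence is the sole
# criterion: an expired certificate, or one that no longer matches the key,
# is not renewed by this file.
- name: "{{ hostvars[item]['ansible_hostname'] }} - CSR"
  block:
    - name: "{{ hostvars[item]['ansible_hostname'] }} - Create CSR for new certificate"
      community.crypto.openssl_csr_pipe:
        privatekey_path: /etc/ssl/galera/server.key
        common_name: "{{ hostvars[item]['ansible_hostname'] }}"
        # NOTE(review): the SAN carries only the cluster name, not this
        # node's own hostname; a peer that verifies against the node name
        # would have to rely on the CN — confirm this matches the TLS
        # verification mode in use.
        subject_alt_name:
          - "DNS:{{ mariadb_cluster_wsrep_cluster_name }}"
      register: csr

    # Signing runs on the CA host (mariadb_cluster_master); only the CSR
    # content crosses hosts, the CA private key stays there.
    - name: "{{ hostvars[item]['ansible_hostname'] }} - Sign certificate with CA"
      community.crypto.x509_certificate_pipe:
        csr_content: "{{ csr.csr }}"
        provider: ownca
        ownca_path: /etc/ssl/galera/ca-certificate.pem
        ownca_privatekey_path: /etc/ssl/galera/ca-certificate.key
        ownca_not_after: "{{ mariadb_cluster_cert_length }}"
        # Validity starts one day in the past — presumably to tolerate
        # clock skew between nodes.
        ownca_not_before: "-1d"
      delegate_to: "{{ mariadb_cluster_master }}"
      register: certificate

    - name: "{{ hostvars[item]['ansible_hostname'] }} - Write certificate file"
      ansible.builtin.copy:
        dest: /etc/ssl/galera/server.pem
        content: "{{ certificate.certificate }}"
        # The certificate is public; fix the mode so it does not depend on umask.
        mode: "0644"
  when: not serverCertCheck.stat.exists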