---
# file: roles/mariadb_cluster/tasks/certificates.yml
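- name: Ensure directory exists for local self-signed TLS certs
  # Holds the CA key and CA cert created later in this file (and, presumably,
  # whatever certificates-server.yml writes). No `mode` is given, so the
  # directory keeps whatever the file module creates by default on the host;
  # worth confirming, since a private key is written here afterwards.
  ansible.builtin.file:
    path: /etc/ssl/galera/
    state: directory
    owner: mysql
    group: mysql
    recurse: true
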
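- name: CA Setup
  # Everything in this block is meant to run only on the cluster master, the
  # single host that holds the CA private key and the self-signed CA cert.
  # NOTE(review): the block-level `when` is reconstructed from a rendering
  # that lost indentation -- confirm against the upstream file that it is
  # not attached to the fetch task alone; otherwise every node would mint
  # its own CA key and the transfer below would overwrite their certs.
  block:
    - name: Generate an OpenSSL private key
      # No owner/mode set here; community.crypto creates private keys with a
      # restrictive default mode (documented as 0600 -- verify for the pinned
      # collection version). Ownership is later changed to mysql by the
      # recursive chown at the end of this file.
      community.crypto.openssl_privatekey:
        path: /etc/ssl/galera/ca-certificate.key

    - name: Create certificate signing request (CSR) for CA certificate
      # The CSR is produced in memory (csr_pipe) and registered, never written
      # to disk. CA:TRUE plus keyCertSign, both marked critical, make this a
      # CA certificate rather than a leaf certificate.
      community.crypto.openssl_csr_pipe:
        privatekey_path: /etc/ssl/galera/ca-certificate.key
        common_name: Galera-Ansible
        use_common_name_for_san: false
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
        key_usage_critical: true
      register: ca_csr
      # Presumably suppresses the per-run change report of the in-memory
      # CSR generation so play output stays idempotent.
      changed_when: false

    - name: Create self-signed CA certificate from CSR
      # Validity comes from mariadb_cluster_cert_length, a role variable
      # defined outside this file.
      community.crypto.x509_certificate:
        path: /etc/ssl/galera/ca-certificate.pem
        csr_content: "{{ ca_csr.csr }}"
        privatekey_path: /etc/ssl/galera/ca-certificate.key
        selfsigned_not_after: "{{ mariadb_cluster_cert_length }}"
        provider: selfsigned

    - name: Copy ca-certificate locally for transfer
      # Pulls the (public) CA cert to the controller so the next task can push
      # it to the other members. The destination is a fixed path under the
      # controller's /tmp: whatever sits there at copy time becomes the
      # trusted CA on every node, so a per-run temp dir, or handing the
      # content over through hostvars (slurp on the master), would be a
      # safer hand-off.
      ansible.builtin.fetch:
        src: /etc/ssl/galera/ca-certificate.pem
        dest: /tmp/galera-ca-certificate.pem
        flat: true  # canonical boolean; `yes` is a YAML 1.1 truthy alias
  when: inventory_hostname == mariadb_cluster_master
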
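- name: Transfer ca cert to other members
  # Runs on every host in the play (no `when`), including the master, where it
  # re-copies an identical file. `src` is a controller-side path (copy defaults
  # to remote_src: false) -- the file fetched by the CA Setup block above.
  # Mode 0644 is appropriate: this is the public certificate, not the key.
  ansible.builtin.copy:
    src: /tmp/galera-ca-certificate.pem
    dest: /etc/ssl/galera/ca-certificate.pem
    owner: mysql
    group: mysql
    mode: '0644'
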
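- name: Server Certificates
  # Included once per member of the mariadb_cluster group, on every host.
  # What the included file does with the loop item (and with the ansible_loop
  # facts that `extended` exposes) is defined in certificates-server.yml,
  # not visible here.
  ansible.builtin.include_tasks: certificates-server.yml
  loop: "{{ groups['mariadb_cluster'] }}"
  loop_control:
    extended: true  # canonical boolean; `yes` is a YAML 1.1 truthy alias
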
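- name: Ensure mysql has permissions to access certs
  # Recursive chown so the database process can read its certificate material.
  # Note this also hands /etc/ssl/galera/ca-certificate.key (created by the CA
  # Setup block above, on whichever host it ran) to the mysql account: a
  # compromise of the service user would then yield the CA signing key. If
  # mysqld does not need the CA key, keeping it root-owned or outside this
  # directory would narrow that exposure.
  ansible.builtin.file:
    path: /etc/ssl/galera/
    state: directory
    owner: mysql
    group: mysql
    recurse: true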