fix(certs): Fix ca cert naming in tasks and fix upload file permissions

2c5558d5 · Alexander Käb · 5bda8015 · 2c5558d5 · 2c5558d5
Commit 2c5558d5 authored 2 years ago by Alexander Käb
--- a/README.md
+++ b/README.md
@@ -61,4 +61,7 @@ sidecar_cert_dir: "/etc/graylog/sidecar"

 # The time in days the client certificates will be valid
 cert_valid_days: 1095
+
+# The passphrase used for the CA file
+sidecar_ca_passphrase:
 ```
\ No newline at end of file
--- a/tasks/node-certs.yml
+++ b/tasks/node-certs.yml
 ---
 - name: Fail if 'sidecar-ca' host group is missing # noqa: run_once[task]
  ansible.builtin.fail:
-    msg: "Please add a host group 'sidecar-ca' with the host storing the CA file first"
+    msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
  run_once: true
-  when: "not ({{ groups['sidecar-ca'] is defined }})"
+  when: "not (groups['sidecar-ca'] is defined)"

 - name: Node Certificates | Create temporary directopry for certificates # noqa: run_once[task]
  ansible.builtin.file:
@@ -19,8 +19,8 @@
    dest: "{{ tmp_cert_dir }}/"
    flat: true
  with_items:
-    - "{{ gl_sidecar_ca_path }}/gl-sidecar.pem"
-    - "{{ gl_sidecar_ca_path }}/gl-sidecar.key"
+    - "{{ gl_sidecar_ca_path }}/sidecar-ca.pem"
+    - "{{ gl_sidecar_ca_path }}/sidecar-ca.key"
  delegate_to: "{{ groups['sidecar-ca'] | first }}"
  become: true
  run_once: true
@@ -50,9 +50,9 @@
        path: "{{ tmp_cert_dir }}/sidecar-{{ inventory_hostname }}.pem"
        csr_content: "{{ node_csr.csr }}"
        provider: ownca
-        ownca_path: "{{ tmp_cert_dir }}/gl-sidecar.pem"
-        ownca_privatekey_path: "{{ tmp_cert_dir }}/gl-sidecar.key"
-        ownca_privatekey_passphrase: "{{ ca_passphrase }}"
+        ownca_path: "{{ tmp_cert_dir }}/sidecar-ca.pem"
+        ownca_privatekey_path: "{{ tmp_cert_dir }}/sidecar-ca.key"
+        ownca_privatekey_passphrase: "{{ sidecar_ca_passphrase }}"
        ownca_not_after: "+{{ cert_valid_days }}d"
        ownca_not_before: "-1d"  # valid since yesterday

@@ -61,10 +61,10 @@
  block:
    - name: Node Certificates | Copy Node certificates
      ansible.builtin.copy:
-        src: "{{ tmp_cert_dir }}/{{ item }}"
+        src: "{{ tmp_cert_dir }}/{{ item.file }}"
        dest: "{{ sidecar_cert_dir }}"
-        mode: 0600
+        mode: "{{ item.mode }}"
      with_items:
-        - "sidecar-{{ inventory_hostname }}.key"
-        - "sidecar-{{ inventory_hostname }}.pem"
-        - "gl-sidecar.pem"
\ No newline at end of file
+        - { file: "sidecar-{{ inventory_hostname }}.key", mode: "0600" }
+        - { file: "sidecar-{{ inventory_hostname }}.pem", mode: "0644" }
+        - { file: "sidecar-ca.pem", mode: "0644" }
\ No newline at end of file