From 2c5558d5393a067d2be398772413b0d304540bec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20K=C3=A4b?= <alexander.kaeb@h-da.de>
Date: Wed, 1 Mar 2023 09:52:14 +0100
Subject: [PATCH] fix(certs): Fix ca cert naming in tasks and fix upload file
 permissions

---
 README.md            |  3 +++
 tasks/node-certs.yml | 24 ++++++++++++------------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 40aa4b7..8b271bf 100644
--- a/README.md
+++ b/README.md
@@ -61,4 +61,7 @@ sidecar_cert_dir: "/etc/graylog/sidecar"
 
 # The time in days the client certificates will be valid
 cert_valid_days: 1095
+
+# The passphrase used for the CA file
+sidecar_ca_passphrase:
 ```
\ No newline at end of file
diff --git a/tasks/node-certs.yml b/tasks/node-certs.yml
index 462bb21..8e85604 100644
--- a/tasks/node-certs.yml
+++ b/tasks/node-certs.yml
@@ -1,9 +1,9 @@
 ---
 - name: Fail if 'sidecar-ca' host group is missing # noqa: run_once[task]
   ansible.builtin.fail:
-    msg: "Please add a host group 'sidecar-ca' with the host storing the CA file first"
+    msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
   run_once: true
-  when: "not ({{ groups['sidecar-ca'] is defined }})"
+  when: "not (groups['sidecar-ca'] is defined)"
 
 - name: Node Certificates | Create temporary directopry for certificates # noqa: run_once[task]
   ansible.builtin.file:
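Review bot: The rewritten `when:` only checks that the group is defined; an inventory that declares an empty `sidecar-ca` group passes this guard and the later `delegate_to: "{{ groups['sidecar-ca'] | first }}"` then fails with a much less helpful error. `when: groups['sidecar-ca'] is not defined or groups['sidecar-ca'] | length == 0` covers both cases and no longer needs the quoted `not (...)` form. The following task name still reads `directopry` (a context line here, but worth fixing in the same commit). That task's body continues below the hunk.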
@@ -19,8 +19,8 @@
     dest: "{{ tmp_cert_dir }}/"
     flat: true
   with_items:
-    - "{{ gl_sidecar_ca_path }}/gl-sidecar.pem"
-    - "{{ gl_sidecar_ca_path }}/gl-sidecar.key"
+    - "{{ gl_sidecar_ca_path }}/sidecar-ca.pem"
+    - "{{ gl_sidecar_ca_path }}/sidecar-ca.key"
   delegate_to: "{{ groups['sidecar-ca'] | first }}"
   become: true
   run_once: true
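Review bot: Renaming the items does not change that the CA private key `sidecar-ca.key` is fetched off the CA host into `{{ tmp_cert_dir }}`, and `ansible.builtin.fetch` has no `mode` parameter, so the local copy gets whatever the controller's umask allows. A follow-up `ansible.builtin.file` task with `path: "{{ tmp_cert_dir }}/sidecar-ca.key"` and `mode: "0600"` on the same host that holds the temporary directory (presumably the controller, given `flat: true`) would close that gap, and the temporary directory should be removed once signing is done; whether that cleanup exists is not visible in this hunk. A comment above the loop such as `# The CA key is pulled into tmp_cert_dir only so the ownca signing step can use it; it must not outlive this play` would make the intent explicit. The fetch task itself starts above the hunk.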
@@ -50,9 +50,9 @@
         path: "{{ tmp_cert_dir }}/sidecar-{{ inventory_hostname }}.pem"
         csr_content: "{{ node_csr.csr }}"
         provider: ownca
-        ownca_path: "{{ tmp_cert_dir }}/gl-sidecar.pem"
-        ownca_privatekey_path: "{{ tmp_cert_dir }}/gl-sidecar.key"
-        ownca_privatekey_passphrase: "{{ ca_passphrase }}"
+        ownca_path: "{{ tmp_cert_dir }}/sidecar-ca.pem"
+        ownca_privatekey_path: "{{ tmp_cert_dir }}/sidecar-ca.key"
+        ownca_privatekey_passphrase: "{{ sidecar_ca_passphrase }}"
         ownca_not_after: "+{{ cert_valid_days }}d"
         ownca_not_before: "-1d"  # valid since yesterday
 
@@ -61,10 +61,10 @@
   block:
     - name: Node Certificates | Copy Node certificates
       ansible.builtin.copy:
-        src: "{{ tmp_cert_dir }}/{{ item }}"
+        src: "{{ tmp_cert_dir }}/{{ item.file }}"
         dest: "{{ sidecar_cert_dir }}"
-        mode: 0600
+        mode: "{{ item.mode }}"
       with_items:
-        - "sidecar-{{ inventory_hostname }}.key"
-        - "sidecar-{{ inventory_hostname }}.pem"
-        - "gl-sidecar.pem"
\ No newline at end of file
+        - { file: "sidecar-{{ inventory_hostname }}.key", mode: "0600" }
+        - { file: "sidecar-{{ inventory_hostname }}.pem", mode: "0644" }
+        - { file: "sidecar-ca.pem", mode: "0644" }
\ No newline at end of file
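Review bot: The per-item `mode` fixes the permissions, but neither `owner` nor `group` is set, so `sidecar-{{ inventory_hostname }}.key` at `0600` is readable only by the account the task runs as (the become user, if `become` is set on the enclosing block, which starts above this hunk); if the sidecar service runs as a different user it cannot read its own key. Adding `owner: "{{ SIDECAR_USER_VAR }}"` and `group: "{{ SIDECAR_GROUP_VAR }}"` (placeholders — substitute whatever variable the role uses for the service account) would pin ownership alongside the mode. With `--diff`, `ansible.builtin.copy` prints the content of changed text files, which for the `.key` item would put the private key into job output; `diff: false` on the task avoids that. The new side still ends without a trailing newline (`\ No newline at end of file`); add one.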
-- 
GitLab