From dddd714b9c859484ffd1e1eae739601bc5e853b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20K=C3=A4b?= <alexander.kaeb@h-da.de> Date: Thu, 2 Mar 2023 13:20:06 +0100 Subject: [PATCH] Generate SANs from jinja template --- README.md | 19 +++++++++++++++++++ defaults/main.yml | 10 +++++++++- tasks/node-certs.yml | 6 +----- templates/node-cert-sans.j2 | 24 ++++++++++++++++++++++++ 4 files changed, 53 insertions(+), 6 deletions(-) create mode 100644 templates/node-cert-sans.j2 diff --git a/README.md b/README.md index b5e2a33..a6be0f6 100644 --- a/README.md +++ b/README.md @@ -64,4 +64,23 @@ cert_valid_days: 1095 # The passphrase used for the CA file sidecar_ca_passphrase: +``` + +### SAN config + +To configure the SANs that will be added to the node certificates the following options +are available. The FQDN and short name of the node will always be added. The settings +below only apply to `IP` SAN entries. + +```yaml +# Control the IP family to use +use_ipv4: true +use_ipv6: true + +# If set to true, the IP of the default route interface will be used +use_default: true + +# If set to true, the IP of the provided interface name will be used +use_interface_ip: false +iface_name: "" ``` \ No newline at end of file diff --git a/defaults/main.yml b/defaults/main.yml index d158483..876c7e4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -15,4 +15,12 @@ generate_node_certs: true tmp_cert_dir: "/tmp/graylog-sidecar-certs" # local directory gl_sidecar_ca_path: "/etc/graylog/sidecar" sidecar_cert_dir: "/etc/graylog/sidecar" -cert_valid_days: 1095 \ No newline at end of file +cert_valid_days: 1095 + +# Cert SAN settings +node_cert_sans: "{{ lookup('template', 'node-cert-sans.j2') }}" +use_ipv4: true +use_ipv6: true +use_default: true +use_interface_ip: false +iface_name: "" \ No newline at end of file diff --git a/tasks/node-certs.yml b/tasks/node-certs.yml index 87724e5..2f19039 100644 --- a/tasks/node-certs.yml +++ b/tasks/node-certs.yml 
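Review bot: `node_cert_sans` is assigned the raw output of `lookup('template', 'node-cert-sans.j2')`, which is a string of YAML text, while its consumer in tasks/node-certs.yml passes it straight to `subject_alt_name`, a list-typed option; as far as I can tell Ansible's list coercion of a string only splits on commas, so the whole rendered text would become one bogus SAN entry instead of separate DNS and IP entries. Parsing it where it is defined keeps every consumer correct: `node_cert_sans: "{{ lookup('template', 'node-cert-sans.j2') | from_yaml }}"`. The same point applies to the `subject_alt_name: "{{ node_cert_sans }}"` line in the tasks/node-certs.yml hunk, which needs no further change once the default yields a list. Separately, `use_interface_ip: true` combined with the default `iface_name: ""` makes the template silently emit no IP entry, a gap that only surfaces later as a TLS hostname/IP mismatch on the sidecar; an `assert` task that `iface_name` is non-empty whenever `use_interface_ip` is set would fail early with a clear message.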
@@ -39,11 +39,7 @@ community.crypto.openssl_csr_pipe: privatekey_path: "{{ tmp_cert_dir }}/sidecar-{{ inventory_hostname }}.key" common_name: "{{ ansible_fqdn }}" # CN - subject_alt_name: - - "DNS:{{ inventory_hostname }}" - - "DNS:{{ ansible_fqdn }}" - - "IP:{{ ansible_default_ipv6.address }}" - # - "IP:{{ ansible_default_ipv4.address }}" + subject_alt_name: "{{ node_cert_sans }}" register: "node_csr" - name: Node Certificates | Generate Certificates diff --git a/templates/node-cert-sans.j2 b/templates/node-cert-sans.j2 new file mode 100644 index 0000000..c811ac5 --- /dev/null +++ b/templates/node-cert-sans.j2 @@ -0,0 +1,24 @@ +{%- macro ansible_iface(name) -%} + ansible_{{name}} +{%- endmacro -%} + +- "DNS:{{ inventory_hostname }}" +- "DNS:{{ ansible_fqdn }}" +{% if use_default == true -%} + {% if use_ipv4 == true and ansible_default_ipv4.address is defined -%} +- "IP:{{ ansible_default_ipv4.address }}" + {% endif -%} + {% if use_ipv6 == true and ansible_default_ipv6.address is defined -%} +- "IP:{{ ansible_default_ipv6.address }}" + {% endif -%} +{% endif -%} +{% if use_interface_ip == true -%} + {% if ansible_facts[ansible_iface(iface_name)] is defined -%} + {% if use_ipv4 == true and ansible_facts[ansible_iface(iface_name)].ipv4.address is defined -%} +- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv6.address }}" + {% endif -%} + {% if use_ipv6 == true and ansible_facts[ansible_iface(iface_name)].ipv6.address is defined -%} +- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv6.address }}" + {%- endif -%} + {%- endif-%} +{%- endif -%} \ No newline at end of file -- GitLab
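Review bot: The IPv4 branch of the `use_interface_ip` block in templates/node-cert-sans.j2 checks `...ipv4.address is defined` but then emits `...ipv6.address`, so an IPv4-only interface produces an undefined reference and a dual-stack one lists its IPv6 address twice while the IPv4 address never appears; the line should read `- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv4.address }}"`. The lookup key also looks wrong to me: the `ansible_facts` namespace holds interface facts without the `ansible_` prefix (and interface names containing `-`, `.` or `:` may be normalized to `_` in the fact key, which the macro does not do), so `ansible_facts['ansible_eth0']` would be undefined and the `is defined` guard would silently drop the IP entry; indexing `ansible_facts[iface_name]`, or `vars['ansible_' ~ iface_name]`, should be verified against a host with `use_interface_ip: true`. The whitespace control is mixed (`{% endif -%}` keeps the two spaces of indentation before it, `{%- endif -%}` strips them), so some `- "IP:..."` lines are likely to render indented relative to the `- "DNS:..."` lines, which breaks YAML parsing of the list; using `{%- ... -%}` on every tag, or unindenting the tags, makes the output uniform. Finally, `use_ipv4 == true` is false for the string `"true"` passed via `-e`, so `use_ipv4 | bool` is the more robust form for each of the `== true` tests.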