---
layout: post
author: hagzag
tags:
permalink: /devops/Running-Your-Own-Ansible-Driven-CA
published: true
title: Running your own Ansible Driven CA
---
As preparation for running a Swarm cluster in production, I needed a way to manage my own Root CA, distribute the certificates to my Swarm nodes, configure their services to use them, and so on.
There are a bunch of posts and articles out there about managing your own CA, but none of them offer a free, automated solution that scales.
If your hosts are on public DNS there is a nice free online solution that can be driven programmatically (including via an Ansible module) called https://letsencrypt.org/; there are also providers which give a free official SSL certificate that expires every 3 months, which could also be a suitable solution ...
In my case I needed a CA I can create | destroy | redistribute etc, so I had to create my own kind of solution ...
- Install OpenSSL on your CA server host
- Configure the CA server options
- Generate the CA private key
- Generate the CA certificate with that key
- Generate the required certificate requests for each of your nodes { including the CA server itself }
- Distribute both the CA cert and the host certificates to the clients
- Configure my services to use these certs & keys

- An inventory of hosts you wish to generate certificates for ...
In the "shelleg context" the hosts / inventory could be either generated on the fly via a Dynamic Inventory or via a general group_vars/all/xx_hosts file (more on this in another post ...)
- Ansible managed hosts:
Let's take a look at the part of our group vars which holds our inventory; this example has 1 CA server and 2 nodes, like so:
(gist: https://gist.github.com/hagzag/5727cd33f710bfbca2c3c6e5d556c8ea)
- Ansible CA role -> https://github.com/shelleg/ansible-role-ca/ which has the following steps:
  - Setting up the CA server:
  - Generating the node certificates:
  - Fetching the keys for distribution (copy from CA server to Ansible control machine):
  - Distributing the certs & keys to the various nodes:
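The CA-side steps of the role (CA key, self-signed CA cert, one key, CSR and signed cert per node) written against the community.crypto Ansible modules, as an added example; this is not the shelleg/ansible-role-ca code. The group names `ca` and `nodes`, the `/etc/pki/swarm-ca` directory and the certificate lifetimes are assumptions.

```yaml
- name: CA server play - root key, root cert and a signed cert per node
  hosts: ca                     # assumed group names: ca, nodes
  become: true
  vars:
    ca_dir: /etc/pki/swarm-ca   # assumed layout
  tasks:
    - name: CA private key (mode 0600; it never leaves this host)
      community.crypto.openssl_privatekey:
        path: "{{ ca_dir }}/ca.key"
        size: 4096
        mode: "0600"
    - name: CA CSR with CA:TRUE and keyCertSign so the cert may sign others
      community.crypto.openssl_csr:
        path: "{{ ca_dir }}/ca.csr"
        privatekey_path: "{{ ca_dir }}/ca.key"
        common_name: Swarm Root CA
        basic_constraints: ["CA:TRUE"]
        basic_constraints_critical: true
        key_usage: [keyCertSign, cRLSign]
        key_usage_critical: true
    - name: Self-signed CA certificate
      community.crypto.x509_certificate:
        path: "{{ ca_dir }}/ca.crt"
        csr_path: "{{ ca_dir }}/ca.csr"
        privatekey_path: "{{ ca_dir }}/ca.key"
        provider: selfsigned
        selfsigned_not_after: "+3650d"
    - name: One private key per host in the nodes group
      community.crypto.openssl_privatekey:
        path: "{{ ca_dir }}/{{ item }}.key"
        mode: "0600"
      loop: "{{ groups['nodes'] }}"
    - name: Per-node CSR; the SAN is what peers check against the hostname
      community.crypto.openssl_csr:
        path: "{{ ca_dir }}/{{ item }}.csr"
        privatekey_path: "{{ ca_dir }}/{{ item }}.key"
        common_name: "{{ item }}"
        subject_alt_name: ["DNS:{{ item }}"]
        extended_key_usage: [serverAuth, clientAuth]
      loop: "{{ groups['nodes'] }}"
    - name: Sign each node CSR with the CA key (shorter lifetime than the root)
      community.crypto.x509_certificate:
        path: "{{ ca_dir }}/{{ item }}.crt"
        csr_path: "{{ ca_dir }}/{{ item }}.csr"
        provider: ownca
        ownca_path: "{{ ca_dir }}/ca.crt"
        ownca_privatekey_path: "{{ ca_dir }}/ca.key"
        ownca_not_after: "+365d"
      loop: "{{ groups['nodes'] }}"
```

The role's fetch and distribute steps would follow this play: pull `ca.crt` plus each node's key and cert to the control machine and push them to the matching host, while `ca.key` stays on the CA server only.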
This role is still under development ...
Currently, running the following playbook will execute all 6 steps unless you set the available vars to prevent them, as seen in the main.yml above.
The supporting vars are:
(gist: https://gist.github.com/hagzag/d730405560c3d68a11810e78bcb5f684)
An example playbook utilizing the CA role - on the CA server:
(gist: https://gist.github.com/hagzag/cfbc99b4e63a3beb90a50056ce3e2d48)
On the nodes which need certificates ...
(gist: https://gist.github.com/hagzag/9f55d18246c650213e8d9d6d017e2e7d)
Go ahead and give it a try and tell me what you think (open an issue if needed ;))
Issue #1: Control the creation of the server key only when the existing CA key has expired, unless force create is defined ... there is a mechanism in place which needs testing ...
Issue #2: Add support for more hosts / groups of nodes - currently only the shelleg.infra and shelleg.swarm.* node groups are supported.
Hope you enjoyed this post at least as much as I enjoyed writing this role …
Comments and findings are welcome.