tls for confd
vitabaks committed Dec 28, 2024
1 parent e191f9c commit 7b0077a
Showing 5 changed files with 45 additions and 42 deletions.
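--- a/automation/roles/confd/templates/confd.toml.j2
+++ b/automation/roles/confd/templates/confd.toml.j2
@@ -1,22 +1,26 @@
 backend = "etcdv3"
-interval = 10
-watch = true
 nodes = [
-{% if not dcs_exists|bool and dcs_type == 'etcd' %}
+{% if not dcs_exists|bool %}
 {% for host in groups['etcd_cluster'] %}
 "{{ patroni_etcd_protocol | default('http', true) }}://{{ hostvars[host]['inventory_hostname'] }}:2379",
 {% endfor %}
 {% endif %}
-{% if dcs_exists|bool and dcs_type == 'etcd' %}
+{% if dcs_exists|bool %}
 {% for etcd_hosts in patroni_etcd_hosts %}
 "{{ patroni_etcd_protocol | default('http', true) }}://{{etcd_hosts.host}}:{{etcd_hosts.port}}",
 {% endfor %}
 {% endif %}
 ]
-{% if dcs_exists|bool and dcs_type == 'etcd' %}
+{% if tls_cert_generate | default(false) | bool %}
+scheme = "https"
+client_cakeys = "{{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}"
+client_cert = "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+client_key = "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+{% endif %}
 {% if patroni_etcd_username | default('') | length > 0 %}
 basic_auth = true
 username = "{{ patroni_etcd_username | default('') }}"
 password = "{{ patroni_etcd_password | default('') }}"
 {% endif %}
-{% endif %}
+watch = true
+interval = 10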
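Review bot: The `scheme = "https"` and client-cert block added under `tls_cert_generate` does not change how the `nodes` entries above it are built; they still take their prefix from `patroni_etcd_protocol | default('http', true)`, so with TLS generation on and that variable left at its default the rendered confd.toml names a CA and client keypair but lists `http://` etcd endpoints, which the etcd client will dial in plaintext unless confd rewrites the scheme itself (I would not rely on that). Unless `patroni_etcd_protocol` is forced to `https` elsewhere (not visible in this commit), I'd derive the prefix from the same condition, e.g. `{% set etcd_scheme = 'https' if tls_cert_generate | default(false) | bool else patroni_etcd_protocol | default('http', true) %}` at the top and use `{{ etcd_scheme }}://` in both loops. Note also that the key this block points confd at is deployed in the copy role with mode 0400 owned by `tls_owner`, so confd must run as that user or as root to read it.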
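--- a/automation/roles/patroni/templates/patroni.yml.j2
+++ b/automation/roles/patroni/templates/patroni.yml.j2
@@ -46,9 +46,9 @@ etcd3:
 
 {% if tls_cert_generate | default(false) | bool %}
 protocol: https
-cacert: {{ tls_ca_cert_path | default(postgresql_home_dir + '/tls/ca.crt') }}
-cert: {{ tls_cert_path | default(postgresql_home_dir + '/tls/server.crt') }}
-key: {{ tls_privatekey_path | default(postgresql_home_dir + '/tls/server.key') }}
+cacert: {{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}
+cert: {{ tls_cert_path | default('/etc/tls/server.crt') }}
+key: {{ tls_privatekey_path | default('/etc/tls/server.key') }}
 {% endif %}
 {% if patroni_etcd_username | default('') | length > 0 %}
 username: {{ patroni_etcd_username | default('') }}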
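Review bot: The fallback `default('/etc/tls/…')` literals are now spelled out verbatim in this template, in confd.toml.j2, and in the copy and generate tasks of the tls_certificate role; nothing ties them together, so a later edit to one of them leaves Patroni reading a certificate from a path the generate role no longer writes, with no error until the etcd connection fails. Since vars/main.yml already defines `tls_cert_path`, `tls_privatekey_path` and `tls_ca_cert_path`, I'd drop the inline defaults here (`cacert: {{ tls_ca_cert_path }}` and likewise for `cert` and `key`) or move all of them into one role defaults file so the path is defined exactly once. The enclosing `etcd3:` mapping starts above this hunk.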
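--- a/automation/roles/tls_certificate/copy/tasks/main.yml
+++ b/automation/roles/tls_certificate/copy/tasks/main.yml
@@ -6,14 +6,14 @@
 delegate_to: "{{ groups.master[0] }}"
 register: tls_files
 loop:
-- "/etc/tls/server.key"
-- "/etc/tls/server.crt"
-- "/etc/tls/ca.crt"
+- "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+- "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+- "{{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}"
 
 - block:
-- name: Create directory {{ tls_etcd_privatekey_path | dirname }}
+- name: Create directory {{ tls_etcd_privatekey_path | default('/etc/etcd/tls/server.key') | dirname }}
 ansible.builtin.file:
-dest: "{{ tls_etcd_privatekey_path | dirname }}"
+dest: "{{ tls_etcd_privatekey_path | default('/etc/etcd/tls/server.key') | dirname }}"
 state: directory
 owner: "etcd"
 group: "etcd"
@@ -33,12 +33,12 @@
 when: copy_for == 'etcd'
 
 - block:
-- name: Create directory {{ tls_privatekey_path | dirname }}
+- name: Create directory {{ tls_privatekey_path | default('/etc/tls/server.key') | dirname }}
 ansible.builtin.file:
-dest: "{{ tls_privatekey_path | dirname }}"
+dest: "{{ tls_privatekey_path | default('/etc/tls/server.key') | dirname }}"
 state: directory
-owner: "{{ tls_owner }}"
-group: "{{ tls_owner }}"
+owner: "root"
+group: "root"
 mode: "0755"
 
 - name: Copy PostgreSQL TLS certificate, key and CA to all nodes
@@ -49,7 +49,7 @@
 group: "{{ tls_owner }}"
 mode: "{{ item.mode }}"
 loop:
-- { index: 0, path: "{{ tls_privatekey_path | default(postgresql_home_dir + '/tls/server.key') }}", mode: "0400" }
-- { index: 1, path: "{{ tls_cert_path | default(postgresql_home_dir + '/tls/server.crt') }}", mode: "0644" }
-- { index: 2, path: "{{ tls_ca_cert_path | default(postgresql_home_dir + '/tls/ca.crt') }}", mode: "0644" }
+- { index: 0, path: "{{ tls_privatekey_path | default('/etc/tls/server.key') }}", mode: "0400" }
+- { index: 1, path: "{{ tls_cert_path | default('/etc/tls/server.crt') }}", mode: "0644" }
+- { index: 2, path: "{{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}", mode: "0644" }
 when: copy_for == 'pg'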
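Review bot: Making the `/etc/tls` directory `root:root` with `mode: "0755"` is a good tightening, but the key copied into it in the last hunk stays `mode: "0400"` owned by `tls_owner` (`postgres` per vars/main.yml), while this same commit points confd at that `tls_privatekey_path`; if confd runs under any other account it will fail to open the key, and the tempting fix of widening the mode would expose the PostgreSQL server key to every member of that group. I'd either document the constraint above the loop (`# server.key is 0400 {{ tls_owner }}: confd/pgbouncer must run as that user or as root`) or issue confd its own client certificate and key rather than reusing the server keypair. The `stat` at the top of the first hunk is delegated to `groups.master[0]`, so it only verifies the master's copy; that is fine for a pre-copy existence check but should not be read as validation of the per-node files.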
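--- a/automation/roles/tls_certificate/generate/tasks/main.yml
+++ b/automation/roles/tls_certificate/generate/tasks/main.yml
@@ -13,16 +13,13 @@
 path: "{{ item }}"
 state: absent
 loop:
-- "{{ tls_privatekey_path | default(postgresql_home_dir + '/tls/server.key') }}"
-- "{{ tls_cert_path | default(postgresql_home_dir + '/tls/server.crt') }}"
-- "{{ tls_ca_cert_path | default(postgresql_home_dir + '/tls/ca.crt') }}"
+- "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+- "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+- "{{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}"
+- "{{ tls_ca_key_path | default('/etc/tls/ca.key') }}"
 - "{{ tls_etcd_cert_path | default('/etc/etcd/tls/server.crt') }}"
 - "{{ tls_etcd_ca_cert_path | default('/etc/etcd/tls/ca.crt') }}"
 - "{{ tls_etcd_privatekey_path | default('/etc/etcd/tls/server.key') }}"
-- "/etc/tls/server.key"
-- "/etc/tls/server.crt"
-- "/etc/tls/ca.crt"
-- "/etc/tls/ca.key"
 
 - ansible.builtin.set_fact:
 all_san_entries: []
@@ -50,19 +47,21 @@
 ######## Generate CA ########
 - name: "Ensure TLS directory exist"
 ansible.builtin.file:
-path: "/etc/tls"
+dest: "{{ tls_privatekey_path | default('/etc/tls/server.key') | dirname }}"
 state: directory
-mode: "0700"
+owner: "root"
+group: "root"
+mode: "0755"
 
 - name: "Generate CA private key"
 community.crypto.openssl_privatekey:
-path: "/etc/tls/ca.key"
+path: "{{ tls_ca_key_path | default('/etc/tls/ca.key') }}"
 size: "{{ tls_privatekey_size | default(4096) }}"
 type: "{{ tls_privatekey_type | default('RSA') }}"
 
 - name: "Create CSR for CA certificate"
 community.crypto.openssl_csr_pipe:
-privatekey_path: "/etc/tls/ca.key"
+privatekey_path: "{{ tls_ca_key_path | default('/etc/tls/ca.key') }}"
 common_name: PostgreSQL CA
 use_common_name_for_san: false
 basic_constraints:
@@ -75,22 +74,22 @@
 
 - name: "Create self-signed CA certificate from CSR"
 community.crypto.x509_certificate:
-path: "/etc/tls/ca.crt"
+path: "{{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}"
 csr_content: "{{ ca_csr.csr }}"
-privatekey_path: "/etc/tls/ca.key"
+privatekey_path: "{{ tls_ca_key_path | default('/etc/tls/ca.key') }}"
 provider: "{{ tls_cert_provider | default('selfsigned') }}"
 entrust_not_after: "+{{ tls_cert_valid_days | default(3650) }}d"
 
 ######## Generate Server cert/key ########
 - name: "Create server private key"
 community.crypto.openssl_privatekey:
-path: "/etc/tls/server.key"
+path: "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
 size: "{{ tls_privatekey_size | default(4096) }}"
 type: "{{ tls_privatekey_type | default('RSA') }}"
 
 - name: "Create server CSR"
 community.crypto.openssl_csr_pipe:
-privatekey_path: "/etc/tls/server.key"
+privatekey_path: "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
 common_name: "{{ patroni_cluster_name }}"
 key_usage:
 - digitalSignature
@@ -110,15 +109,15 @@
 community.crypto.x509_certificate_pipe:
 csr_content: "{{ csr.csr }}"
 provider: ownca
-ownca_path: "/etc/tls/ca.crt"
-ownca_privatekey_path: "/etc/tls/ca.key"
+ownca_path: "{{ tls_ca_cert_path | default('/etc/tls/ca.crt') }}"
+ownca_privatekey_path: "{{ tls_ca_key_path | default('/etc/tls/ca.key') }}"
 ownca_not_after: +{{ tls_cert_valid_days | default(3650) }}d
 ownca_not_before: "-1d"
 register: certificate
 
 - name: "Write server certificate"
 ansible.builtin.copy:
-dest: "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+dest: "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
 content: "{{ certificate.certificate }}"
 delegate_to: "{{ groups.master[0] }}"
 run_once: true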
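Review bot: The "Ensure TLS directory exist" task loosens the directory from `mode: "0700"` to root-owned `0755`, which makes each file's own mode the only protection, yet neither the "Generate CA private key" nor the "Create server private key" task sets `owner` or `mode` on the key it writes; the restrictive mode for a new file comes from the `openssl_privatekey` module's own default rather than from anything this role pins, and a pre-existing file keeps whatever mode it already has. I'd add `owner: "root"`, `group: "root"` and `mode: "0600"` to both `openssl_privatekey` tasks so the intent is explicit. Separately, the CA key at `tls_ca_key_path` (10-year validity via `tls_cert_valid_days | default(3650)`) now lives in that traversable directory on the master and is only ever removed by the cleanup loop at the top of the first hunk; since anyone holding it can mint certificates every Patroni and confd node trusts, consider moving it outside `/etc/tls` or deleting it once the server certificate is signed. The cleanup task's `when` condition, if it has one, is above the hunk.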
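--- a/automation/vars/main.yml
+++ b/automation/vars/main.yml
@@ -177,9 +177,9 @@ consul_services:
 # TLS certificate (for PostgreSQL, PgBouncer and etcd)
 tls_cert_generate: true
 tls_cert_valid_days: 3650
-tls_cert_path: "{{ postgresql_home_dir }}/tls/server.crt"
-tls_privatekey_path: "{{ postgresql_home_dir }}/tls/server.key"
-tls_ca_cert_path: "{{ postgresql_home_dir }}/tls/ca.crt"
+tls_cert_path: "/etc/tls/server.crt"
+tls_privatekey_path: "/etc/tls/server.key"
+tls_ca_cert_path: "/etc/tls/ca.crt"
 tls_owner: "postgres"
 tls_etcd_cert_path: "/etc/etcd/tls/server.crt"
 tls_etcd_ca_cert_path: "/etc/etcd/tls/ca.crt"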
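Review bot: The header comment `# TLS certificate (for PostgreSQL, PgBouncer and etcd)` is now incomplete: confd.toml.j2 in this commit also reads `tls_cert_path`, `tls_privatekey_path` and `tls_ca_cert_path` as its etcd client credentials. I'd change it to `# TLS certificate (for PostgreSQL, PgBouncer, confd and etcd)` and add a second line stating that the key is deployed 0400 owned by `tls_owner`, so every consumer listed must run as that user or as root to read it. The new `tls_ca_key_path` variable that the generate role now consults has no entry in this block; adding `tls_ca_key_path: "/etc/tls/ca.key"` here would keep the defaults discoverable in one place instead of only inside the role's `default(...)` filters.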
