Installs cfssl on Ubuntu 16.04 (Xenial)
This role requires Ansible 2.4 or higher.
Keyring in this node will create CA, all cert and key will generate on this host and a copy of cert will ship to right nodes Node: give fact for cert generations.
+-----------+
| | <-- node-0.cert node-0.key node-0...
| node-0 |
| |
+-----------+ +-------------+
| Bastion |
+-----------+ | |
| | <-- node-1.cert node-0.key node-0... | |
| node-1 | +-------------+
| |
+-----------+
.....
+-----------+
| | <-- node-n.cert node-0.key node-0...
| node-n |
| |
+-----------+
+-----------+
| |
| keyring | <-- ca-key
| | <-- certificate generations
+-----------+ <-- node-0.cert node-0.key node-1.cert node-1.key node-n.cert node-n.key
The role defines its variables in defaults/main.yml
:
download_list: define pakage will be installed in keyring host
download_list:
- "{{ cfssl_pkg.cfssl }}"
- "{{ cfssl_pkg.cfssljson }}"
- "{{ cfssl_pkg.cfssl_bundle }}"
- "{{ cfssl_pkg.cfssl_certinfo }}"
- "{{ cfssl_pkg.cfssl_newkey }}"
- "{{ cfssl_pkg.cfssl_scan }}"
- "{{ cfssl_pkg.mkbundle }}"
- "{{ cfssl_pkg.multirootca }}"
organizations: Organizations Name
certificate_configurations_base_path: /etc/cfssl
certificate_configurations_base_path_organizations: "{{ certificate_configurations_base_path }}/{{ organizations }}"
certificate_base_path: "/etc/ssl/private/{{ organizations }}"
keyring_host: name of keyring host
certificate_directive cfssl configurations
Run with default vars:
- hosts: all
roles:
- { role: ansible-cfssl }
Tests are performed using Molecule.
Install Molecule or use docker-compose run --rm molecule
to run a local Docker container, based on the enterclousuite/molecule project, from where you can use molecule
.
- Run
molecule create
to start the target Docker container on your local engine. - Use
molecule login
to log in to the running container. - Edit the role files.
- Add other required roles (external) in the molecule/default/requirements.yml file.
- Edit the molecule/default/playbook.yml.
- Define infra tests under the molecule/default/tests folder using the goos verifier.
- When ready, use
molecule converge
to run the Ansible Playbook andmolecule verify
to execute the test suite.
Note that the converge process starts performing a syntax check of the role.
Destroy the Docker container with the commandmolecule destroy
.
To run all the steps with just one command, run molecule test
.
In order to run the role targeting a VM, use the playbook_deploy.yml file for example with the following command: ansible-playbook ansible-cfssl/molecule/default/playbook_deploy.yml -i VM_IP_OR_FQDN, -u ubuntu --private-key private.pem
.
MIT