-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathconfigure_vault_cert_mgmt.yml
213 lines (192 loc) · 9.8 KB
/
configure_vault_cert_mgmt.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
---
- name: "Create Vault Certificate Management Config"
hosts: "localhost"
connection: "local"
vars_files:
- '{{ "site_" + deployment_site + ".yml" }}'
tasks:
- name: "Create Vault CA Certificate"
vmware.alb.avi_sslkeyandcertificate:
avi_credentials: "{{ avi_credentials }}"
api_context: "{{ avi_api_context | default(omit) }}"
name: "Vault-CA"
type: "SSL_CERTIFICATE_TYPE_CA"
certificate:
certificate: |
-----BEGIN CERTIFICATE-----
MIIDGTCCAgGgAwIBAgIUDk+z3O2gTrO2wVBuqKlls9bNvRUwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAxMIVmF1bHQgQ0EwIBcNMjQwMzI4MTIxNTIxWhgPMjEyNDAz
MDQxMjE1NTFaMBMxETAPBgNVBAMTCFZhdWx0IENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAt4eSJTKj3l0azEtHI1vx3kM5hr2ihGTGINT+ixjYAirY
QsScptIVkz4NPvOFvO/P31WGbxhE4udOIQcwnWpHfpPEdR7Y8DfWai4UZIxfGoU6
E9qbWr1aAnpN+Iy7HgJ+1bGS3WG2VPJFDGc5w2Jdha5HZSjvkfDOmcSAMoB1wTXc
ILAbD0DNuyDuDneU88r9BJ26rLuqTuFQ3PVRBZzdxIo73GxhpKaYndOVaXyburBQ
OtJEI+XbQi5yswjX0BV0DH6yx0afqFg8gUis87gauiwIrrjvuIqiqrxY8n2WW/NB
IwyR1s6kN8J7xqBrN48ZN3XN8GbDY71no13KN9UynwIDAQABo2MwYTAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUMK8WWXGYYHMOqnFr
W4dL4TVaMa0wHwYDVR0jBBgwFoAUMK8WWXGYYHMOqnFrW4dL4TVaMa0wDQYJKoZI
hvcNAQELBQADggEBABRT1Di1mhqxHBmGJ4YdYlYJmiMPmm8nfBytgBu7/M+dqxua
g7//JOKfz3RHqVDJRtEPZS5CduQeB4yoVt3dRY9DnQ8jYzWMUiEbZabc0MHcriL2
LZBWCt9LF6xuDFdKJ9+XaEMKwRaVkeCeRxCUwcMYnYdogCdjlM9kvUi3ojitoj0z
0pTX2eCs3t+dIzibG/j8sJXFt1nXrTxgP5xJZCbxfFqYS901y/fa7PLP5A3J6M38
7/wWDmsWMIG2eRqo8zTXcTJa9Mk5Do15w/xYVlbhHLOGPyMGmM47VOvFNegv8yml
LjY0vkCv+yvecg4NTqS3WqKFze9PGs4YEmT4shw=
-----END CERTIFICATE-----
key_params:
algorithm: "SSL_KEY_ALGORITHM_RSA"
rsa_params:
key_size: "SSL_KEY_2048_BITS"
exponent: 65537
format: SSL_PEM
- name: "Create Vault Intermediate CA Certificate"
vmware.alb.avi_sslkeyandcertificate:
avi_credentials: "{{ avi_credentials }}"
api_context: "{{ avi_api_context | default(omit) }}"
name: "Vault-Intermediate-CA"
type: "SSL_CERTIFICATE_TYPE_CA"
certificate:
certificate: |
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIUfxm04C5wI0I1TIkyG4Q9G8HoXZEwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAxMIVmF1bHQgQ0EwHhcNMjUwMTE3MTI0ODAxWhcNMzAwMTE2
MTI0ODMxWjAgMR4wHAYDVQQDExVWYXVsdCBJbnRlcm1lZGlhdGUgQ0EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc8j4F2uR6kCR6OkBof8SZeHtTRdwW
XiM97joGnh9FMeDD6lnaKf2d2vzjcfAAji5siBRowsbQz2ZAmiMyPQuvNHaUf5d1
snthukSR0h8zlGFpvXwKQz4NkE2kXbAqeeAzCfJWEBBXa0fnjYsk7fF4UCcGVsvD
7P/ny5LKFc2FYNoovIEOOWKQF87zFztzqH7Iaushxs++FE29XcNh52LERm5qqqtN
V5e7X/cePRbDgHZ2nnmAo3FkqMAFb5Mg+zD4kJBUOIS0HU6Ml35GhqsKbCCjRVM9
9ykUxtSKCq5gfbTDAHhKCZNU5uDwV4NaQkQ/5F09T0EcXghsErsS4yZNAgMBAAGj
ggECMIH/MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBT3ileCvhjsBvqzTmRCC3B+QNkDJzAfBgNVHSMEGDAWgBQwrxZZcZhgcw6qcWtb
h0vhNVoxrTBSBggrBgEFBQcBAQRGMEQwQgYIKwYBBQUHMAKGNmh0dHBzOi8vcmMt
bGludXgtdXRpbHMucmMuZGVtby5pbnRlcm5hbDo4MjAwL3YxL3BraS9jYTBIBgNV
HR8EQTA/MD2gO6A5hjdodHRwczovL3JjLWxpbnV4LXV0aWxzLnJjLmRlbW8uaW50
ZXJuYWw6ODIwMC92MS9wa2kvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAk3+q7TEpT
HuKn00GyxeYBe8j8wVZ2mWgrgurboi70mh5NwFoQE88G0ZiTS3cCkJ0INH9MfLkM
Ac+AT/NeoQLQUr6u/1+jemoSK0xpJGc7b4cJdTGWiCWEqrYUTLaxu5oD2suRHB8j
WMzpvlvk23jAYSO0UMyo5R9LAxpKhxysMDHG4jCKvsDGeJo6UiBP9cXmEYvlDuTH
XwicB9w8p4eNYbcDD0vTEb3sMXPtmDv5/JBUInlA/yBO64kszAQk7OZ2gi+ylMEG
+ttgIy0ugShwChsrg4tLhuNkevA6bsOx+yRnltkvV7CRGIeR1qkc8XXlHQMFX1+O
ChOS3Gm1jAew
-----END CERTIFICATE-----
key_params:
algorithm: "SSL_KEY_ALGORITHM_RSA"
rsa_params:
key_size: "SSL_KEY_2048_BITS"
exponent: 65537
format: SSL_PEM
- name: "Create ControlScript"
vmware.alb.avi_alertscriptconfig:
avi_credentials: "{{ avi_credentials }}"
api_context: "{{ avi_api_context | default(omit) }}"
name: "Vault-Cert-Management-Script"
action_script: |
#!/usr/bin/python
import os
import sys
import requests
try:
from requests.exceptions import JSONDecodeError
except ImportError:
from simplejson.errors import JSONDecodeError
from tempfile import NamedTemporaryFile
PARAMS_ERROR = 1
REMOTE_API_ERROR = 2
REQUESTS_ERROR = 3
TEMP_FILE_ERROR = 4
def certificate_request(csr, common_name, args_dict):
if 'vault_addr' not in args_dict:
sys.stderr.write('Vault API Root Address (vault_addr) not specified')
sys.exit(PARAMS_ERROR)
if 'vault_token' not in args_dict:
sys.stderr.write('Vault Token (vault_token) not specified')
sys.exit(PARAMS_ERROR)
if 'vault_path' not in args_dict:
sys.stderr.write('Vault Sign API Path (vault_path) not specified')
sys.exit(PARAMS_ERROR)
vault_addr = args_dict['vault_addr']
vault_token = args_dict['vault_token']
vault_path = args_dict['vault_path']
vault_namespace = args_dict.get('vault_namespace', None)
verify_endpoint = args_dict.get('verify_endpoint', None)
api_timeout = args_dict.get('api_timeout', 20)
headers = {'X-Vault-Token': vault_token}
if vault_namespace:
headers['X-Vault-Namespace'] = vault_namespace
url = f'{vault_addr}{vault_path}'
api_data = {
'common_name': common_name,
'csr': csr
}
ca_file = False
try:
if verify_endpoint:
try:
with NamedTemporaryFile(delete=False) as tf:
ca_file = tf.name
sys.stdout.write(f'CA certificate written to {ca_file}')
tf.write(bytes(verify_endpoint, 'utf-8'))
except Exception as e:
sys.stderr.write(str(e))
sys.exit(TEMP_FILE_ERROR)
requests.packages.urllib3.disable_warnings()
r = requests.post(url, headers=headers, json=api_data,
verify=ca_file, timeout=api_timeout)
if r.status_code >= 400:
try:
r_errors = ' | '.join(r.json()['errors'])
except (JSONDecodeError, KeyError):
r_errors = r.text
sys.stderr.write(f'Error from Vault API: {r_errors}')
sys.exit(REMOTE_API_ERROR)
try:
r_data = r.json()
certificate = r_data['data']['certificate']
except (JSONDecodeError, KeyError):
r_data = f'{r.text[:50]} +...' if len(r.text) > 50 else r.text
sys.stderr.write(f'Vault API returned incorrect response: {r_data}')
sys.exit(REMOTE_API_ERROR)
except Exception as e:
sys.stderr.write(f'Error during request: {str(e)}')
sys.exit(REQUESTS_ERROR)
finally:
if ca_file and os.path.exists(ca_file):
os.remove(ca_file)
return certificate
register: ctrl_script
- name: "Create Cert Management Profile"
vmware.alb.avi_certificatemanagementprofile:
avi_credentials: "{{ avi_credentials }}"
api_context: "{{ avi_api_context | default(omit) }}"
name: "Vault-Certificate-Management"
run_script_ref: "{{ ctrl_script.obj.url }}"
script_params:
- is_dynamic: false
is_sensitive: false
name: "vault_addr"
value: "{{ vault_parameters.vault_address }}"
- is_dynamic: false
is_sensitive: true
name: "vault_token"
value: "{{ vault_parameters.vault_token }}"
- is_dynamic: false
is_sensitive: false
name: "vault_path"
value: "{{ vault_parameters.vault_path }}"
- is_dynamic: false
is_sensitive: false
name: "verify_endpoint"
value: |
-----BEGIN CERTIFICATE-----
MIIB/zCCAaWgAwIBAgIQYUcGIH8S175HYqlfsZj4uzAKBggqhkjOPQQDAjBYMRgw
FgYKCZImiZPyLGQBGRYIaW50ZXJuYWwxFDASBgoJkiaJk/IsZAEZFgRkZW1vMRIw
EAYKCZImiZPyLGQBGRYCcmMxEjAQBgNVBAMTCVJDLUxBQi1DQTAeFw0yNDEwMTkw
MDA3MzVaFw0zNDEwMTkwMDE3MzVaMFgxGDAWBgoJkiaJk/IsZAEZFghpbnRlcm5h
bDEUMBIGCgmSJomT8ixkARkWBGRlbW8xEjAQBgoJkiaJk/IsZAEZFgJyYzESMBAG
A1UEAxMJUkMtTEFCLUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2coDhtNF
7Gb9dDRLv2aMiSTy/5tz9ACmCDfAZAajtGJ9SwrbcSArrJ5ZVeDERiT5DysRk1IG
Zxjw45ZcyLYyD6NRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFJBUB37lU+Y0CD5d+Nm2lN+tGSfbMBAGCSsGAQQBgjcVAQQDAgEAMAoG
CCqGSM49BAMCA0gAMEUCIQDzIvATDDcmvNUwviNlWQuKDH4+v3D+BBXSPY7gDInc
rgIgXo9OlJQc7xOmP3Qud5yKTKbTOSiVTtumaUuBVAZC+Yc=
-----END CERTIFICATE-----