Use ansible module to generate TLS certificates instead of OpenSSL

vitabaks · Dec 16, 2024 · 38159d5 · 38159d5
1 parent 12d5196
commit 38159d5
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 18 deletions.
diff --git a/automation/roles/patroni/tasks/main.yml b/automation/roles/patroni/tasks/main.yml
@@ -428,20 +428,23 @@
         mode: "0700"
 
     # Generating TLS Certificates
-    - name: Generating TLS Certificates to {{ postgresql_home_dir }}/{{ postgresql_version }}
+    - name: Generate a private key for TLS
       become: true
       become_user: postgres
-      ansible.builtin.command:
-        cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL'
-        chdir: "{{ postgresql_home_dir }}/{{ postgresql_version }}/"
-
-    - name: Changing permissions for {{ postgresql_home_dir }}/{{ postgresql_version }}/server.key
-      ansible.builtin.file:
+      community.crypto.openssl_privatekey:
         path: "{{ postgresql_home_dir }}/{{ postgresql_version }}/server.key"
-        state: file
+        size: '4096'
+        mode: '0400'
+
+    - name: Generate a self-signed certificate for Postgres
+      community.crypto.x509_certificate:
+        path: "{{ postgresql_home_dir }}/{{ postgresql_version }}/server.crt"
+        privatekey_path: "{{ postgresql_home_dir }}/{{ postgresql_version }}/server.key"
         owner: postgres
         group: postgres
-        mode: "0400"
+        mode: '0644'
+        provider: selfsigned
+        entrust_not_after: "+1000d"
 
     # for Debian based distros only
     # patroni bootstrap failure is possible if the PostgreSQL config files are missing

diff --git a/automation/roles/pgbouncer/tasks/main.yml b/automation/roles/pgbouncer/tasks/main.yml
@@ -125,20 +125,23 @@
   tags: pgbouncer_logrotate, pgbouncer
 
 # Generating TLS Certificates
-- name: Generating TLS Certificates to {{ pgbouncer_conf_dir }}
+- name: Generate a private key for TLS
   become: true
   become_user: postgres
-  ansible.builtin.command:
-    cmd: openssl req -nodes -new -x509 -days 3650 -keyout server.key -out server.crt -subj '/C=AL/L=City/O=Org/CN=PostgreSQL'
-    chdir: "{{ pgbouncer_conf_dir }}/"
-
-- name: Changing permissions for {{ pgbouncer_conf_dir }}/server.key
-  ansible.builtin.file:
+  community.crypto.openssl_privatekey:
     path: "{{ pgbouncer_conf_dir }}/server.key"
-    state: file
+    size: '4096'
+    mode: '0400'
+
+- name: Generate a self-signed certificate for PGBouncer
+  community.crypto.x509_certificate:
+    path: "{{ pgbouncer_conf_dir }}/server.crt"
+    privatekey_path: "{{ pgbouncer_conf_dir }}/server.key"
     owner: postgres
     group: postgres
-    mode: "0400"
+    mode: '0644'
+    provider: selfsigned
+    entrust_not_after: "+1000d"
 
 - name: Configure pgbouncer.ini
   ansible.builtin.template:

diff --git a/automation/vars/Debian.yml b/automation/vars/Debian.yml
@@ -40,6 +40,7 @@ system_packages:
   - python3-psycopg2
   - python3-setuptools
   - python3-pip
+  - python3-cryptography
   - curl
   - less
   - sudo

diff --git a/automation/vars/RedHat.yml b/automation/vars/RedHat.yml
@@ -60,6 +60,7 @@ system_packages:
   - python{{ python_version }}-setuptools
   - python{{ python_version }}-pip
   - python{{ python_version }}-urllib3
+  - python3-cryptography
   - less
   - sudo
   - vim