trombik.cfssl

`trombik.cfssl`

This is an ansible role for cfssl. It supports running the API server (cfssl serve).

For Everyone

Not all distributions have the API server available in their packages, so the role variables cfssl_db_* might change.

To run cfssl as a server, your package must come with a startup script and other necessary changes. As far as I know, the Ubuntu package does not include this. Therefore, support for the API server is not available for Debian-based distributions.

Requirements

None

Role Variables

Variable	Description	Default
`cfssl_user`	Username for `cfssl`	`{{ __cfssl_user }}`
`cfssl_group`	Group name for `cfssl`	`{{ __cfssl_group }}`
`cfssl_package`	Name of the `cfssl` package	`{{ __cfssl_package }}`
`cfssl_extra_packages`	List of extra packages to install	`[]`
`cfssl_ca_root_dir`	Path to the root CA directory	`{{ __cfssl_ca_root_dir }}`
`cfssl_ca_secret_key_file`	Path to the root secret key file	`{{ cfssl_ca_root_dir }}/ca-key.pem`
`cfssl_ca_public_key_file`	Path to the root public key file	`{{ cfssl_ca_root_dir }}/ca.pem`
`cfssl_ca_csr_file`	Path to the CSR JSON file for root CA	`{{ cfssl_ca_root_dir }}/ca.csr`
`cfssl_ca_csr_config`	Content of the CSR configuration file	`{}`
`cfssl_ca_config_file`	Path to the CA's JSON configuration file	`{{ cfssl_ca_root_dir }}/ca-config.json`
`cfssl_ca_csr_config_file`	Path to the CA's CSR config file in JSON	`"{{ cfssl_ca_root_dir }}/ca-csr.json"`
`cfssl_ca_config`	Content of the CA configuration file	`{}`
`cfssl_certs_dir`	Directory for storing signed certificates	`{{ cfssl_ca_root_dir }}/certs`
`cfssl_service`	Name of the `cfssl` service	`cfssl`
`cfssl_db_config`	Database configuration in YAML. See certdb/README.md for details.	`{}`
`cfssl_db_type`	Type of the database (only `sqlite` is supported)	`""`
`cfssl_db_dir`	Path to the database directory	`{{ __cfssl_db_dir }}`
`cfssl_db_sqlite_bin`	Filename for the `sqlite` command	`sqlite3`
`cfssl_db_sqlite_database_file`	Path to the SQLite database file	`{{ cfssl_db_dir }}/certdb.db`
`cfssl_db_sqlite_sql_file_dir`	Directory for SQL files	`{{ __cfssl_db_sqlite_sql_file_dir }}`
`cfssl_db_migration_dir`	Database migration directory	`{{ cfssl_ca_root_dir }}/goose/{{ cfssl_db_type }}`
`cfssl_db_migration_config`	Configuration for database migration	`{}`
`cfssl_db_migration_environment`	Migration environment	`development`
`cfssl_flags`	Extra options for the startup script	`""`
`cfssl_certs`	List of certificates to sign	`""`

`cfssl_certs`

This is a list of dictionaries, where each element represents a CSR.

Key	Description	Required?
`name`	Relative filename from `cfssl_certs_dir`	yes
`SAN`	List of Subject Alternative Names	no
`profile`	Profile name for signing	yes
`json`	Content of request JSON file in YAML format	yes
`owner`	Unix username of the key file owner (default is `cfssl_user`)	no

Using `trombik.cfssl`

You can include the role in your tasks or other roles. Use vars to specify any role variables.

- name: Include role trombik.cfssl
  include_role:
    name: trombik.cfssl
  vars:
    cfssl_extra_packages:
      - zsh

If you want to pass a single variable that has role variables, use the specific bridge variable cfssl_vars.

- name: Include role trombik.cfssl
  include_role:
    name: trombik.cfssl
  vars:
    cfssl_vars: "{{ my_variable }}"

The example below will NOT work:

- name: Include role trombik.cfssl
  include_role:
    name: trombik.cfssl
  vars: "{{ my_variable }}"

Refer to tests/serverspec/intermediate.yml for an example of including the role multiple times to create intermediate CAs.

Debian

Variable	Default
`__cfssl_user`	`cfssl`
`__cfssl_group`	`cfssl`
`__cfssl_package`	`golang-cfssl`
`__cfssl_ca_root_dir`	`/etc/cfssl`
`__cfssl_db_dir`	`/var/lib/cfssl`
`__cfssl_db_sqlite_sql_file_dir`	`""`

FreeBSD

Variable	Default
`__cfssl_user`	`cfssl`
`__cfssl_group`	`cfssl`
`__cfssl_package`	`security/cfssl`
`__cfssl_ca_root_dir`	`/usr/local/etc/cfssl`
`__cfssl_db_dir`	`/var/db/cfssl`
`__cfssl_db_sqlite_sql_file_dir`	`/usr/local/share/cfssl/certdb/sqlite/migrations`

OpenBSD

Variable	Default
`__cfssl_user`	`_cfssl`
`__cfssl_group`	`_cfssl`
`__cfssl_package`	`cfssl`
`__cfssl_ca_root_dir`	`/etc/cfssl`
`__cfssl_db_dir`	`/var/db/cfssl`
`__cfssl_db_sqlite_sql_file_dir`	`/usr/local/share/cfssl/certdb/sqlite/migrations`

Dependencies

None

Example Playbook

This example handles cfssl and signs a few certificates.

For using the API server, see tests/serverspec/api.yml.

For creating multiple intermediate CAs under a root CA, see tests/serverspec/intermediate.yml.

---
- hosts: localhost
  roles:
    - role: ansible-role-cfssl
  vars:
    cfssl_certs:
      - name: agent1.example.com.json
        SAN: []
        profile: agent
        owner: nobody
        json:
          CN: agent1.example.com
          hosts:
            - ""
          key:
            algo: rsa
            size: 2048
      - name: backend-1.example.com.json
        SAN:
          - localhost
          - 127.0.0.1
          - 10.0.0.1
          - backend-1
        profile: backend
        json:
          CN: backend-1.example.com
          hosts:
            - ""
          key:
            algo: rsa
            size: 2048
      - name: backend-2.example.com.json
        SAN:
          - localhost
          - 127.0.0.1
          - 10.0.0.2
          - backend-2
        profile: backend
        json:
          CN: backend-2.example.com
          hosts:
            - ""
          key:
            algo: rsa
            size: 2048
      - name: backend-3.example.com.json
        SAN:
          - localhost
          - 127.0.0.1
          - 10.0.0.3
          - backend-3
        profile: backend
        json:
          CN: backend-3.example.com
          hosts:
            - ""
          key:
            algo: rsa
            size: 2048
    cfssl_ca_config:
      signing:
        default:
          expiry: 17520h
          usages:
            - signing
            - key encipherment
            - client auth
        profiles:
          backend:
            expiry: 4320h
            usages:
              - signing
              - key encipherment
              - server auth
          agent:
            expiry: 4320h
            usages:
              - signing
              - key encipherment
              - client auth

    cfssl_ca_csr_config:
      CN: Sensu Test CA
      key:
        algo: rsa
        size: 2048

License

Copyright (c) 2020 Tomoyuki Sakurai <[email protected]>

You can use, copy, modify, and share this software for any purpose for free, as long as the copyright notice remains in all copies.

THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES. THE AUTHOR IS NOT LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OR PERFORMANCE OF THIS SOFTWARE.

Author Information

Tomoyuki Sakurai y@trombik.org

This README was created using qansible

Informazioni sul progetto

ansible role for cfssl

role certificate cfssl ssl tls

Installa

ansible-galaxy install trombik.cfssl

GitHub repository

0 stelle

0 fork

0 problemi aperti

Licenza

isc

Download

1.1k

Proprietario

Tomoyuki Sakurai

PGP finger print: 03EB 3D97 5E04 9B0C AB21 93A2 D693 42A9 EFBC 3577 Makerspace and Coliving in Siem Reap, Cambodia: http://info.mkrsgh.org/