Adds the ability to write certs as a pem bundle or individual files (#36)

k-s-dean · mnasiadka · web-flow · commit 016280d88202 · 2023-04-26T16:09:58.000+02:00
* Adds the ability to write out certs and keys as either a pem bundle or individually

Co-authored-by: Michal Nasiadka &lt;michal@stackhpc.com&gt;
diff --git a/roles/vault_pki/README.md b/roles/vault_pki/README.md
@@ -21,29 +21,32 @@ Role variables
     * Mandatory if `vault_pki_root_create` equals `true`
         * `vault_pki_root_ca_name`: The name of the RootCA to create (string)
         * `vault_pki_root_ca_common_name`: The common name of the RootCA (default: vault_pki_root_ca_name)
-    * `vault_pki_write_root_ca_to_file`: whether to write the root CA certificate to a file for importing into a systems trust store (default: `false`)
     * `vault_pki_root_default_lease_ttl`: The default time in hours before expiry of the root CA certificate (default: "43830h")
     * `vault_pki_root_max_lease_ttl`: The max time in hours that is allowed before expiry of the root CA certificate (default: "43830h")
     * `vault_pki_root_ttl`: The time in hours before the root CA certificate expires (default: "43830h")
     * `vault_pki_root_key_bits`: The key bits for the root RSA private key (default: 4096)
+    * `vault_pki_write_root_ca_to_file`: whether to write the root CA certificate to a file for importing into a systems trust store (default: `false`)
 ---
 * Vault Create Intermediate
     * `vault_pki_intermediate_create`: whether to create an intermediate CA or not (default: `true`)
+    * `vault_pki_intermediate_default_lease_ttl`: The default time in hours before expiry of the intermediate CA certificate (default: "43830h")
     * `vault_pki_intermediate_import`: whether to import a pre-existing intermediate pem bundle (default: `false`)
     * `vault_pki_intermediate_export`: whether to export the generated intermediate pem bundle (default: `false`)
         * Mandatory if `vault_pki_intermediate_create` equals `true`
             * `vault_pki_intermediate_ca_name`: The name of the Intermediate CA to create
             * `vault_pki_intermediate_ca_common_name`:  The common name of the Intermediate CA (default: `vault_pki_intermediate_ca_name`)
         * Mandatory if `vault_pki_intermediate_import`: equals `true`
             * `vault_pki_intermediate_ca_bundle`: Concatenated certificate, intermediate and private key
-    * `vault_pki_intermediate_default_lease_ttl`: The default time in hours before expiry of the intermediate CA certificate (default: "43830h")
-    * `vault_pki_intermediate_max_lease_ttl`: The max time in hours that is allowed before expiry of the intermediate CA certificate (default: "43830h")
-    * `vault_pki_intermediate_ttl`: The time in hours before the intermediate CA certificate expires (default: "43830h")
     * `vault_pki_intermediate_key_bits`: The key bits for the intermediate RSA private key (default: 4096)
+    * `vault_pki_intermediate_max_lease_ttl`: The max time in hours that is allowed before expiry of the intermediate CA certificate (default: "43830h")
     * `vault_pki_intermediate_roles`: Certificate Roles to create for the intermediate CA. List of Dicts containing `{name: <role_name>, config: { <pki_option>: <value> ...}`
+    * `vault_pki_intermediate_ttl`: The time in hours before the intermediate CA certificate expires (default: "43830h")
+    * `vault_pki_write_int_ca_to_file`: Whether to write out the intermediate CA to file (default: `false`)
 ---
 * Certificate Output
+    * `vault_pki_certificate_subject`: The certificate subject parameters e.g. `ttl` `ip_sans`. List of Dicts containing `{role: <name of Certificate role>, common_name: <common name of certificate>, extra_params: {ttl: <value>, alt_sans: <value>, ip_sans: <value> }}`
+    * `vault_pki_certificates_directory`: directory to output certificate files to.
     * `vault_pki_generate_certificates`: whether to generate leaf certificates or not (default: `false`)
+    * `vault_pki_overwrite_certificates`: whether to overwrite certificates (default: `false`)
     * `vault_pki_write_certificates_host:` The host on which certificates will be written to. (default: "localhost")
-    * `vault_pki_certificates_directory`: directory to output certificate files to.
-    * `vault_pki_certificate_subject`: The certificate subject parameters e.g. `ttl` `ip_sans`. List of Dicts containing `{role: <name of Certificate role>, common_name: <common name of certificate>, extra_params: {ttl: <value>, alt_sans: <value>, ip_sans: <value> }}`
+    * `vault_pki_write_pem_bundle`: output the generated certificate and private key into a single file (default: `true`)
diff --git a/roles/vault_pki/defaults/main.yml b/roles/vault_pki/defaults/main.yml
@@ -1,31 +1,40 @@
 ---
-vault_pki_root_create: true
+# Allow vault_vip_url and vault_vip_address for backwards compatibility.
+vault_api_addr: "{{ vault_protocol ~ '://' ~ vault_vip_address ~ ':8200' }}"
+vault_bind_address: "127.0.0.1"
+vault_protocol: "https"
+vault_vip_address: "{{ vault_vip_url | default(vault_bind_address) }}"
+
+vault_pki_certificates_directory: ""
+
 vault_pki_root_ca_name: ""
 vault_pki_root_ca_common_name: "{{ vault_pki_root_ca_name }}"
-vault_pki_write_root_ca_to_file: false
+vault_pki_root_create: true
 vault_pki_root_default_lease_ttl: "43830h"
+vault_pki_root_key_bits: 4096
 vault_pki_root_max_lease_ttl: "43830h"
 vault_pki_root_ttl: "43830h"
-vault_pki_root_key_bits: 4096
-
+vault_pki_write_root_ca_to_file: false
 
-vault_pki_intermediate_create: true
-vault_pki_intermediate_import: false
-vault_pki_intermediate_export: false
 vault_pki_intermediate_ca_name: ""
 vault_pki_intermediate_ca_common_name: "{{ vault_pki_intermediate_ca_name }}"
 vault_pki_intermediate_ca_bundle: ""
+vault_pki_intermediate_create: true
 vault_pki_intermediate_default_lease_ttl: "43830h"
+vault_pki_intermediate_import: false
+vault_pki_intermediate_export: false
+vault_pki_intermediate_key_bits: 4096
 vault_pki_intermediate_max_lease_ttl: "43830h"
 vault_pki_intermediate_ttl: "43830h"
-vault_pki_intermediate_key_bits: 4096
+vault_pki_write_int_ca_to_file: false
 
 vault_pki_intermediate_roles: {}
 
 vault_pki_generate_certificates: false
+vault_pki_write_pem_bundle: true
 
+vault_pki_overwrite_certificates: false
 vault_pki_write_certificates_host: "localhost"
-vault_pki_write_certificates_directory: ""
 vault_pki_write_certificate_files: false
 
 vault_pki_certificate_subject: []
diff --git a/roles/vault_pki/tasks/create_cert.yml b/roles/vault_pki/tasks/create_cert.yml
@@ -1,4 +1,14 @@
 ---
+- name: "Check if Cert already exists in certificates directory"
+  stat:
+    path: "{{ vault_pki_certificates_directory }}/{{ item.common_name | replace(' ', '-') }}.crt"
+  register: cert_stat_file
+  delegate_to: "{{ vault_pki_write_certificates_host }}"
+  loop: "{{ vault_pki_certificate_subject }}"
+  loop_control:
+    label: "{{ item.common_name }}"
+  when: vault_pki_write_certificate_files | bool
+
 - name: "Generate Certificate"
   hashivault_pki_cert_issue:
     url: "{{ vault_api_addr }}"
@@ -9,11 +19,14 @@
     role: "{{ item.role }}"
     extra_params: "{{ item.extra_params }}"
   loop: "{{ vault_pki_certificate_subject }}"
-  register: certificate_data
+  loop_control:
+    label: "{{ item.common_name }}"
+  register: cert_data
 
 - name: "Write out certificate pem_bundle"
   vars:
-    cert_name: "{{ item.item.common_name if item.item.common_name | length > 0 else item.item.extra_params.ip_sans }}"
+    cert_name: "{{ item.item.common_name if item.item.common_name | default() | length > 0 else item.item.extra_params.ip_sans | default() }}"
+    cert_file: "{{ cert_stat_file.results | selectattr('item.common_name', 'match', item.item.common_name) | first }}"
   copy:
     content: |
       {{ item.data.certificate }}
@@ -22,5 +35,47 @@
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.pem"
     mode: 0600
   delegate_to: "{{ vault_pki_write_certificates_host }}"
-  loop: "{{ certificate_data.results }}"
-  when: vault_pki_write_certificate_files | bool
+  loop: "{{ cert_data.results }}"
+  loop_control:
+    label: "{{ cert_name | default() }}"
+  when:
+    - vault_pki_write_pem_bundle | bool
+    - vault_pki_write_certificate_files | bool
+    - not cert_file.stat.exists or vault_pki_overwrite_certificates | bool
+
+- name: "Write out certificate"
+  vars:
+    cert_name: "{{ item.item.common_name if item.item.common_name | default() | length > 0 else item.item.extra_params.ip_sans | default() }}"
+    cert_file: "{{ cert_stat_file.results | selectattr('item.common_name', 'match', item.item.common_name) | first }}"
+  copy:
+    content: |
+      {{ item.data.certificate }}
+      {{ item.data.issuing_ca }}
+    dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.crt"
+    mode: 0600
+  delegate_to: "{{ vault_pki_write_certificates_host }}"
+  loop: "{{ cert_data.results }}"
+  loop_control:
+    label: "{{ cert_name | default() }}"
+  when:
+    - not vault_pki_write_pem_bundle | bool
+    - vault_pki_write_certificate_files | bool
+    - not cert_file.stat.exists or vault_pki_overwrite_certificates | bool
+    
+- name: "Write out key"
+  vars:
+    cert_name: "{{ item.item.common_name if item.item.common_name | default() | length > 0 else item.item.extra_params.ip_sans | default() }}"
+    cert_file: "{{ cert_stat_file.results | selectattr('item.common_name', 'match', item.item.common_name) | first }}"
+  copy:
+    content: |
+      {{ item.data.private_key }}
+    dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.key"
+    mode: 0600
+  delegate_to: "{{ vault_pki_write_certificates_host }}"
+  loop: "{{ cert_data.results }}"
+  loop_control:
+    label: "{{ cert_name | default() }}"
+  when:
+    - not vault_pki_write_pem_bundle | bool
+    - vault_pki_write_certificate_files | bool
+    - not cert_file.stat.exists or vault_pki_overwrite_certificates | bool
diff --git a/roles/vault_pki/tasks/intermediate.yml b/roles/vault_pki/tasks/intermediate.yml
@@ -37,6 +37,9 @@
         common_name: "{{ vault_pki_intermediate_ca_common_name }}"
         type: intermediate
       register: intermediate_ca_csr_signed
+      when:
+        - intermediate_ca_csr.changed
+        - intermediate_ca_csr.data is defined
 
     - name: "Set Intermediate as signed"
       hashivault_pki_set_signed:
@@ -62,6 +65,18 @@
           {{ intermediate_ca_csr.data.private_key }}
       when:
         - vault_pki_intermediate_export | bool
+        - intermediate_ca_csr.changed
+        - intermediate_ca_csr.data is defined
+
+    - name: "Write out Intermediate CA to file"
+      copy:
+        content: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+        dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name | replace(' ', '-') }}.pem"
+        mode: 0600
+      delegate_to: "{{ vault_pki_write_certificates_host }}"
+      when:
+        - vault_pki_write_int_ca_to_file | bool
 
     - name: "Write out Intermediate Certs and keys to file"
       copy:
@@ -74,6 +89,9 @@
       delegate_to: "{{ vault_pki_write_certificates_host }}"
       when:
         - vault_pki_intermediate_export | bool
+        - intermediate_ca_csr.changed
+        - intermediate_ca_csr.data is defined
+        - intermediate_ca_csr_signed.data is defined
 
   when: not vault_pki_intermediate_import | bool
 
diff --git a/roles/vault_pki/tasks/prechecks.yml b/roles/vault_pki/tasks/prechecks.yml
@@ -3,6 +3,7 @@
   fail:
     msg: "variable {{ item.name }} is not set"
   when:
+    - vars[item.name] is defined
     - vars[item.name] | length == 0
     - item.when
   loop:
diff --git a/roles/vault_pki/tasks/root.yml b/roles/vault_pki/tasks/root.yml
@@ -33,4 +33,5 @@
     mode: 0600
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   when:
+    - root_ca_data.data.certificate is defined
     - vault_pki_write_root_ca_to_file | bool
diff --git a/tests/test_vault.yml b/tests/test_vault.yml
@@ -5,6 +5,7 @@
   vars:
     vault_config_dir: "/etc/vault"
     vault_log_keys: true
+    vault_protocol: http
     vault_set_keys_fact: true
     vault_write_keys_file: true
   tasks:
@@ -22,20 +23,27 @@
         name: vault
 
     - name: Unseal vault
-      import_role:
+      include_role:
         name: vault_unseal
       vars:
         vault_unseal_keys: "{{ vault_keys.keys_base64 }}"
-        vault_protocol: "http"
 
-    - name: Configure PKI
-      import_role:
+    - name: Configure PKI - create root/intermediate and generate certificates
+      include_role:
         name: vault_pki
       vars:
-        vault_token: "{{ vault_keys.root_token }}"
-        vault_pki_root_ca_name: "OS-TLS-ROOT"
+        vault_pki_certificate_subject:
+          - role: 'ServerCert'
+            common_name: "OS-CERT-TEST"
+            extra_params:
+              ttl: "8760h"
+              ip_sans: "127.0.0.1"
+              alt_names: "example.com"
+              exclude_cn_from_sans: true
+        vault_pki_certificates_directory: "/tmp/"
+        vault_pki_generate_certificates: true
         vault_pki_intermediate_ca_name: "OS-TLS-INT"
-        vault_pki_generate_certificates: True
+        vault_pki_intermediate_create: true
         vault_pki_intermediate_roles:
           - name: "ServerCert"
             config:
@@ -51,17 +59,58 @@
               locality: ["Bristol"]
               organization: ["StackHPC"]
               ou: ["HPC"]
+        vault_pki_root_ca_name: "OS-TLS-ROOT"
+        vault_pki_root_create: true
+        vault_pki_write_certificate_files: true
+        vault_pki_write_int_ca_to_file: true
+        vault_pki_write_pem_bundle: false
+        vault_pki_write_root_ca_to_file: true
+        vault_token: "{{ vault_keys.root_token }}"
+
+    - name: Configure PKI - generate certificate pem bundle
+      include_role:
+        name: vault_pki
+      vars:
         vault_pki_certificate_subject:
-          - role: 'ServerCert'
-            common_name: "OS-CERT-TEST"
-            extra_params:
-              ttl: "8760h"
-              ip_sans: "127.0.0.1"
-              alt_names: "example.com"
-              exclude_cn_from_sans: true
           - role: 'ServerCert'
             common_name: "OS-CERT-TEST2"
             extra_params:
               ttl: "8760h"
               ip_sans: "192.168.38.72"
               exclude_cn_from_sans: true
+        vault_pki_certificates_directory: "/tmp/"
+        vault_pki_generate_certificates: true
+        vault_pki_intermediate_ca_name: "OS-TLS-INT"
+        vault_pki_intermediate_create: false
+        vault_pki_root_ca_name: "OS-TLS-ROOT"
+        vault_pki_root_create: false
+        vault_pki_write_certificate_files: true
+        vault_pki_write_pem_bundle: true
+        vault_token: "{{ vault_keys.root_token }}"
+
+    - name: Validate if certificates exist
+      stat:
+        path: "/tmp/{{ item }}"
+      register: stat_result
+      failed_when: not stat_result.stat.exists
+      loop:
+        - OS-CERT-TEST.crt
+        - OS-CERT-TEST2.pem
+
+    - name: concatenate CAs
+      shell: | 
+        cat /tmp/OS-TLS-ROOT.pem /tmp/OS-TLS-INT.pem > /tmp/CA-CHAIN.pem
+      args:
+        executable: /bin/bash
+      become: true
+
+    - name: verify certificate chain
+      command: | 
+        openssl verify -CAfile /tmp/CA-CHAIN.pem
+        /tmp/{{ item }}
+      register: verify_result
+      failed_when: verify_result.rc != 0
+      loop:
+        - OS-CERT-TEST.crt
+        - OS-CERT-TEST2.pem
+
