Running your own Ansible Driven CA
Overview & Purpose
As preparation for running a Swarm cluster in production, I needed a way to manage my own root CA, distribute the certificates to my Swarm nodes, configure their services to use them, and so on.
A root CA
There are a bunch of posts and articles out there on managing your own CA, but none of them offers a free, automated solution that scales.
If your hosts are in public DNS there is a nice free online solution which can be configured programmatically (including via an Ansible module) called https://letsencrypt.org/. There are also providers which give you a free official SSL certificate that expires every 3 months, which could also be a suitable solution …
In my case I needed a CA I can create, destroy, redistribute etc., so I had to create my own kind of solution …
CA Objectives
- Install OpenSSL on your CA server host
- Configure the CA server options
- Generate the CA private key
- Generate the CA certificate signed with that key
- Generate the required certificate requests for each of your nodes (including the CA server itself)
- Distribute both the CA cert and the host certificates to clients
- Configure my services to use these certs & keys
Materials Needed
- An inventory of hosts you wish to generate certificates for …
How does this work ?
In the “shelleg context” the hosts / inventory can be generated either on the fly via a dynamic inventory or via a general group_vars/all/xx_hosts file (more on this in another post …)
- Ansible managed hosts: let’s take a look at a part of our group vars which hold our inventory; this example has 1 CA server and 2 nodes, like so:
- Ansible CA role -> https://github.com/shelleg/ansible-role-ca/ which has the following steps:
  - Setting up the CA server:
  - Generating the node certificates:
  - Fetching the keys for distribution (copy from the CA server to the Ansible control machine):
  - Distributing the certs & keys to the various nodes:
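As an added illustration of those steps (this is not the shelleg role’s own tasks), here is a single play that builds the root CA and signs one certificate per node with the community.crypto modules. The inventory groups `ca` and `nodes`, the directory /etc/pki/swarm and the 90-day node lifetime are assumptions, and the fetch/copy distribution step is left out.

```yaml
# Added example, not the shelleg role's tasks. Assumed: inventory groups "ca" and "nodes", dir /etc/pki/swarm.
- name: Root CA on the CA host, one CA-signed certificate per node
  hosts: ca
  become: true
  vars:
    ca_dir: /etc/pki/swarm
  tasks:
    - name: Generate the CA private key (left untouched if it already exists)
      community.crypto.openssl_privatekey:
        path: "{{ ca_dir }}/ca.key"
        mode: "0600"
    - name: CSR for the CA itself, flagged as a certificate authority
      community.crypto.openssl_csr:
        path: "{{ ca_dir }}/ca.csr"
        privatekey_path: "{{ ca_dir }}/ca.key"
        common_name: swarm-root-ca
        basic_constraints: ["CA:TRUE"]
        basic_constraints_critical: true
        key_usage: [keyCertSign, cRLSign]
    - name: Self-sign the CA certificate with the CA key
      community.crypto.x509_certificate:
        path: "{{ ca_dir }}/ca.crt"
        csr_path: "{{ ca_dir }}/ca.csr"
        privatekey_path: "{{ ca_dir }}/ca.key"
        provider: selfsigned
    - name: Private key for every node in the "nodes" group
      community.crypto.openssl_privatekey:
        path: "{{ ca_dir }}/{{ item }}.key"
        mode: "0600"
      loop: "{{ groups['nodes'] }}"
    - name: Node CSR with the hostname as SAN; CA:FALSE so a node cert cannot sign others
      community.crypto.openssl_csr:
        path: "{{ ca_dir }}/{{ item }}.csr"
        privatekey_path: "{{ ca_dir }}/{{ item }}.key"
        common_name: "{{ item }}"
        subject_alt_name: ["DNS:{{ item }}"]
        basic_constraints: ["CA:FALSE"]
        key_usage: [digitalSignature, keyEncipherment]
        extended_key_usage: [serverAuth, clientAuth]
      loop: "{{ groups['nodes'] }}"
    - name: Sign each node CSR with the CA key, valid for 90 days (assumed lifetime)
      community.crypto.x509_certificate:
        path: "{{ ca_dir }}/{{ item }}.crt"
        csr_path: "{{ ca_dir }}/{{ item }}.csr"
        provider: ownca
        ownca_path: "{{ ca_dir }}/ca.crt"
        ownca_privatekey_path: "{{ ca_dir }}/ca.key"
        ownca_not_after: +90d
      loop: "{{ groups['nodes'] }}"
```

Both `openssl_privatekey` and `x509_certificate` are idempotent, so re-running the play only regenerates material that is missing or no longer matches the requested parameters.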
Gotchas
This role is still under development …
Currently, running the following playbook will result in all 6 steps unless you set the available vars to prevent them, as seen in the main.yml above.
The supporting vars are:
An example playbook utilizing the CA role, on the CA server:
On the nodes which need certificates …
Go ahead and give it a try and tell me what you think (open an issue if needed ;))
Going forward
Issue #1: Control the creation of the server key only when the existing CA key has expired, unless force create is defined … there is a mechanism in place which needs testing …
Issue #2: Add support for more hosts / groups of nodes - currently supports only the shelleg.infra and shelleg.swarm.* node groups.
Hope you enjoyed this post at least as much as I enjoyed writing this role …
Comments and findings are welcome.