Self signed certs

chatops_deployment/ansible/roles/elastic/tasks/kibana.yml

@@ -50,7 +50,7 @@
 - name: Copy certificate and key
   become: true
   ansible.builtin.copy:
-    src: "./SSL/{{ item }}"
+    src: "./{{ env }}_ssl/{{ item }}"
     dest: "/etc/kibana/{{ item }}"
     owner: root
     group: kibana

chatops_deployment/ansible/roles/grafana/tasks/main.yml

@@ -75,6 +75,19 @@
     - haproxy.json
     - alerts.json
     - status.json
+    - node.json
+
+- name: Copy certificate and key
+  become: true
+  ansible.builtin.copy:
+    src: "./{{ env }}_ssl/grafana.{{ item }}"
+    dest: "/etc/grafana/grafana.{{ item }}"
+    owner: root
+    group: grafana
+    mode: "0440"
+  loop:
+    - key
+    - crt
 
 - name: Make sure grafana-server.service is running
   become: true

chatops_deployment/ansible/roles/grafana/templates/grafana.ini.j2

@@ -3,8 +3,10 @@
 domain = grafana.{{ domain }}
 root_url = https://grafana.{{ domain }}:443/
 http_addr = 127.0.0.1
-protocol = http
+protocol = https
 http_port = 3000
+cert_file = /etc/grafana/grafana.crt
+cert_key = /etc/grafana/grafana.key
 
 [auth.generic_oauth]
 # Configure Iris IAM log in

chatops_deployment/ansible/roles/ssl_certificates/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Create ssl directory
+  ansible.builtin.file:
+    path: ./{{ env }}_ssl
+    state: directory
+    owner: "{{ ansible_env.USER }}"
+    group: "{{ ansible_env.USER }}"
+    mode: "0700"
+
+- name: Loop over play
+  ansible.builtin.include_tasks: ssl.yml
+  loop:
+    - kibana
+    - logstash
+    - chatops
+    - grafana
+    - alertmanager
+    - prometheus
+    - elasticsearch
+  loop_control:
+    loop_var: service

chatops_deployment/ansible/roles/ssl_certificates/tasks/ssl.yml

@@ -0,0 +1,45 @@
+---
+- name: Get key info
+  community.crypto.openssl_privatekey_info:
+    path: "./{{ env }}_ssl/{{ service }}.key"
+  register: ssl_certificates_privatekey_info
+  ignore_errors: true
+
+- name: Get certificate info
+  community.crypto.x509_certificate_info:
+    path: "./{{ env }}_ssl/{{ service }}.crt"
+  register: ssl_certificates_certificate_info
+  ignore_errors: true
+
+- name: Set fact if key matches
+  ansible.builtin.set_fact:
+    ssl_certificates_pair_valid: "{{ ssl_certificates_certificate_info.public_key == ssl_certificates_privatekey_info.public_key }}"
+  when: not ssl_certificates_privatekey_info.failed and not ssl_certificates_certificate_info.failed
+
+- name: Set fact if files don't exist or aren't valid
+  ansible.builtin.set_fact:
+    ssl_certificates_pair_valid: ""
+  when: ssl_certificates_privatekey_info.failed or ssl_certificates_certificate_info.failed
+
+- name: Generate private key
+  community.crypto.openssl_privatekey:
+    path: "./{{ env }}_ssl/{{ service }}.key"
+  when: not ssl_certificates_pair_valid
+
+- name: Generate an OpenSSL Certificate Signing Request
+  community.crypto.openssl_csr:
+    path: "./{{ env }}_ssl/{{ service }}.csr"
+    privatekey_path: "./{{ env }}_ssl/{{ service }}.key"
+    common_name: "localhost"
+    subject_alt_name:
+      - "IP:127.0.0.1"
+      - "DNS:localhost"
+  when: not ssl_certificates_pair_valid
+
+- name: Generate self-signed SSL certificates
+  community.crypto.x509_certificate:
+    path: "./{{ env }}_ssl/{{ service }}.crt"
+    privatekey_path: "./{{ env }}_ssl/{{ service }}.key"
+    csr_path: "./{{ env }}_ssl/{{ service }}.csr"
+    provider: selfsigned
+  when: not ssl_certificates_pair_valid

chatops_deployment/ansible/roles/terraform/tasks/destroy.yml

@@ -38,3 +38,8 @@
       ansible.builtin.file:
         path: "../terraform/{{ env }}-bastion-key.pub"
         state: absent
+
+    - name: Remove ssl directory
+      ansible.builtin.file:
+        path: "./{{ env }}_ssl"
+        state: absent