{"id":15151575,"url":"https://github.com/edwardtheharris/ansible-ca","last_synced_at":"2025-08-18T20:41:09.783Z","repository":{"id":254184162,"uuid":"845682988","full_name":"edwardtheharris/ansible-ca","owner":"edwardtheharris","description":"Ansible roles for deployment of a local, valid certificate authority.","archived":false,"fork":false,"pushed_at":"2025-01-20T23:23:05.000Z","size":642,"stargazers_count":1,"open_issues_count":6,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-31T00:32:33.876Z","etag":null,"topics":["ansible","certificate-authority","ssl","tls"],"latest_commit_sha":null,"homepage":"https://edwardtheharris.github.io/ansible-ca/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/edwardtheharris.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-21T18:11:19.000Z","updated_at":"2024-11-23T21:55:52.000Z","dependencies_parsed_at":"2024-09-11T00:41:14.576Z","dependency_job_id":"321ff241-574f-4717-a7f0-7fd1012ee9b8","html_url":"https://github.com/edwardtheharris/ansible-ca","commit_stats":{"total_commits":12,"total_committers":2,"mean_commits":6.0,"dds":"0.33333333333333337","last_synced_commit":"916e8fc20dd107451547e12d2615c03e2336e4bd"},"previous_names":["edwardtheharris/ansible-ca"],"tags_count":2,"template":false,"template_full_name":"edwardtheharris/ansible-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edwardtheharris%2Fansible-ca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/edwardtheharris%2Fansible-ca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edwardtheharris%2Fansible-ca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edwardtheharris%2Fansible-ca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/edwardtheharris","download_url":"https://codeload.github.com/edwardtheharris/ansible-ca/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237932070,"owners_count":19389560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","certificate-authority","ssl","tls"],"created_at":"2024-09-26T15:04:24.910Z","updated_at":"2025-08-18T20:41:09.760Z","avatar_url":"https://github.com/edwardtheharris.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"---\nabstract: These roles enable the generation of a root and intermediate\n  Certificate Authority as well as the creation and signing of server\n  and client certificates.\nauthors: Xander Harris\ndate: 2024-03-08\ntitle: Ansible CA Readme\n---\n\n[![Ansible Lint](https://github.com/edwardtheharris/ansible-ca/actions/workflows/ansible.yml/badge.svg)](https://github.com/edwardtheharris/ansible-ca/actions/workflows/ansible.yml)\n[![Documentation](https://github.com/edwardtheharris/ansible-ca/actions/workflows/documentation.yml/badge.svg)](https://github.com/edwardtheharris/ansible-ca/actions/workflows/documentation.yml)\n[![ShellCheck](https://github.com/edwardtheharris/ansible-ca/actions/workflows/shell.yml/badge.svg)](https://github.com/edwardtheharris/ansible-ca/actions/workflows/shell.yml)\n\n## Assumptions\n\nThe default configuration assumes a vault password exists at\n{file}`/etc/ansible/vault`. It also assumes the inventory file is in YAML format\nand located at {file}`/etc/ansible/hosts.yaml`.\n\n### Fact Caching\n\nThe default configuration uses fact caching with Redis running on the controller\nwith the default port.\n\n## Usage\n\nThis code was originally developed to automate generation of the PKI infrastructure\nrequired by a bare-metal Kubernetes cluster as described by the [Kubernetes Usage](#kubernetes-usage)\nsection below.\n\nIt evolved into a general-purpose set of roles that can create an OpenSSL server\nfor use in verifying any sort of service that requires TLS.\n\nThe default {file}`site.yml` is shown below.\n\n```{code-block} yaml\n:language: yaml\n\n- name: Create root CA\n  hosts: localhost\n  become: true\n  roles:\n    - role: ca\n      tags:\n        - ca\n      vars:\n        ca_common_name: ca.iana.org\n        ca_dirs:\n          - /etc/ssl/root/private\n          - /etc/ssl/root/certs\n          - /etc/ssl/root/csr\n          - /etc/ssl/root\n        ca_email: user@iana.org\n        ca_localilty: Los Angeles\n        ca_org: Internet Assigned Numbers Authority\n        ca_org_unit: Engineering\n        ca_path_key: /etc/ssl/root/private/ca.key\n        ca_path_crt: /etc/ssl/root/certs/ca.crt\n        ca_path_csr: /etc/ssl/root/csr/ca.csr\n        ca_san:\n          - DNS:ca.iana.org\n          - email:user@iana.org\n        ca_state: California\n    - role: clean\n      tags:\n        - clean\n      vars:\n        ca_dirs:\n          - /etc/ssl/root\n- name: Create int CA\n  hosts: localhost\n  become: true\n  roles:\n    - role: int\n      tags:\n        - int\n      vars:\n        int_ca_host: localhost\n        int_ca_san:\n          - DNS:ca.iana.org\n          - email:user@iana.org\n        int_ca_path_crt: /etc/ssl/root/certs/ca.crt\n        int_ca_path_key: /etc/ssl/root/private/ca.key\n        int_dirs:\n          - /etc/ssl/root/int/private\n          - /etc/ssl/root/int/certs\n          - /etc/ssl/root/int/csr\n          - /etc/ssl/root/int\n        int_path_key: /etc/ssl/root/int/private/int.key\n        int_path_crt: /etc/ssl/root/int/certs/int.crt\n        int_path_csr: /etc/ssl/root/int/csr/int.csr\n        int_san:\n          - DNS:int.iana.org\n          - email:user@iana.org\n- name: Sign End User Certificate\n  hosts: localhost\n  roles:\n    - role: sign\n      tags:\n        - sign\n      vars:\n        sign_ca_san:\n          - DNS:ca.iana.org\n          - email:user@iana.org\n        sign_cert_san:\n          - DNS:cert.iana.org\n          - email:user@iana.org\n        sign_common_name: cert.iana.org\n        sign_int_path_crt: /etc/ssl/root/int/certs/int.crt\n        sign_int_path_key: /etc/ssl/root/int/private/int.key\n        sign_int_san:\n          - DNS:int.iana.org\n          - email:user@iana.org\n        sign_dirs:\n          - /etc/ssl/root/int/certs\n          - /etc/ssl/root/int/csr\n          - /etc/ssl/root/int/private\n          - /etc/ssl/root/int\n        sign_path_crt: /etc/ssl/root/int/certs/iana.crt\n        sign_path_csr: /etc/ssl/root/int/csr/iana.csr\n        sign_path_key: /etc/ssl/root/int/private/iana.key\n\n```\n\nTo use this playbook, adjust the variable values to suit your needs. You can\nthen run the playbook all at once, which should work, though the author has\nhad more success using the tags assigned to each role.\n\n### Single Command\n\n```{code-block} shell\nansible-playbook site.yml\n```\n\n### Tags Commands\n\n```{code-block} shell\nansible-playbook site.yml -t ca\n\nansible-playbook site.yml -t int\n\nansible-playbook site.yml -t sign\n```\n\n### Kubernetes Usage\n\nYou can find an example inventory file below. This inventory is intended\nto house a Kubernetes cluster with a pair of control planes that are members\nof a Samba Active Directory Domain that contains a pair of controllers and\nis responsible for authentication, file, and routing services.\n\n```{code-block} yaml\n:caption: /etc/ansible/hosts.yaml\n\ndc:\n  hosts:\n    dc01.example.com:\n      ansible_user: user\n    dc02.example.com:\n      ansible_user: user\nnp:\n  hosts:\n    napalm.example.com:\n      ansible_user: user\nkcp:\n  hosts:\n    kcp01.example.com:\n      ansible_user: user\n    kcp02.example.com:\n      ansible_user: user\nca:\n  hosts:\n    ca.example.com:\n      ansible_user: user\n      secret_ca_passphrase: secret-ca-passphrase\n```\n\nThe remaining usage for a Kubernetes cluster should be roughly the same\nas the general-purpose usage above. You will need to deploy a CA\nfor your intended Kubernetes cluster and use that CA to create and sign\nserver and client certificates for both the Kubernetes services and the\nrequired [etcd](https://github.com/edwardtheharris/ansible-etcd) cluster.\n\nMore information about creating a Certificate Authority with OpenSSL\ncan be found in the\n[OpenSSL Certificate Authority Reference](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedwardtheharris%2Fansible-ca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fedwardtheharris%2Fansible-ca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedwardtheharris%2Fansible-ca/lists"}