Add roles and example playbook for PVC cert renewal (cloudera-labs#189)

* Add roles and example playbook for PVC cert renewal
* Add documentation for TLS roles
* Fix lint issues
* Remove tasks and variables used to create openssl.cnf

Signed-off-by: Jim Enright <[email protected]>

playbooks/pvc_renew_certs.yml

@@ -0,0 +1,128 @@
+---
+
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Pre - Initialization of local working directories
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: Create temporary build directory
+      ansible.builtin.tempfile:
+        state: directory
+        prefix: pvc_tls_
+      register: __pvc_tls_tempdir
+
+    - name: Create a directory for csrs and signed certs
+      ansible.builtin.file:
+        path: "{{ [__pvc_tls_tempdir.path, item] | path_join }}"
+        state: directory
+        mode: '0755'
+      loop:
+        - csrs
+        - certs
+        - ca_certs
+
+- name: Play 1 - Generate CSR on each host
+  hosts: "{{ target | default('cluster') }}"
+  become: yes
+  gather_facts: yes
+  tasks:
+
+  - name: Call tls_generate_csr role
+    ansible.builtin.import_role:
+      name: cloudera.exe.tls_generate_csr
+    vars:
+      local_csrs_dir: "{{ (hostvars['localhost']['__pvc_tls_tempdir']['path'], 'csrs') | path_join }}"
+
+- name: Get the list of CSRs to sign
+  hosts: localhost
+  connection: local
+  tasks:
+    - name: "Set fact for all CSRs in {{ local_csrs_dir }}"
+      ansible.builtin.find:
+        paths: "{{ local_csrs_dir }}"
+        file_type: file
+      register: __csrs_to_sign
+      vars:
+        local_csrs_dir: "{{ (hostvars['localhost']['__pvc_tls_tempdir']['path'], 'csrs') | path_join }}"
+
+    - name: Set fact for csrs to sign
+      ansible.builtin.set_fact:
+        local_csrs_to_sign: "{{ __csrs_to_sign.files | json_query('[*].path') | flatten }}"
+
+- name: Play 2 - Sign the CSR
+  hosts: ca_server
+  become: yes
+  gather_facts: yes
+  tasks:
+
+    - name: Call tls_signing role
+      ansible.builtin.import_role:
+        name: cloudera.exe.tls_signing
+      vars:
+        csrs_to_sign: "{{ hostvars['localhost']['local_csrs_to_sign'] }}"
+        copy_from_controller: true
+        local_certs_dir: "{{ (hostvars['localhost']['__pvc_tls_tempdir']['path'], 'certs') | path_join }}"
+
+- name: Play 3 - Install the sign certs on each host
+  hosts: "{{ target | default('cluster') }}"
+  become: yes
+  gather_facts: yes
+  tasks:
+
+  - name: Call tls_install_certs role
+    ansible.builtin.import_role:
+      name: cloudera.exe.tls_install_certs
+    vars:
+      local_tls_signed_certs_dir: "{{ (hostvars['localhost']['__pvc_tls_tempdir']['path'], 'certs') | path_join }}"
+
+- name: Post 1 - Restart CM Server service
+  hosts: cloudera_manager
+  become: yes
+  gather_facts: yes
+  tasks:
+
+  - name: Restart CM Server service
+    when:
+      - restart_services | default(False)
+    ansible.builtin.service:
+      name: cloudera-scm-server
+      state: restarted
+
+- name: Post 2 - Restart DB Server service
+  hosts: db_server
+  become: yes
+  gather_facts: yes
+  tasks:
+
+  - name: Restart DB Server service
+    when:
+      - restart_services | default(False)
+    ansible.builtin.service:
+      name: "{{ db_service_name }}"
+      state: reloaded
+
+- name: Post 3 - Restart CM Agent service
+  hosts: cluster
+  become: yes
+  gather_facts: yes
+  tasks:
+
+  - name: Restart CM Agent service
+    when:
+      - restart_services | default(False)
+    ansible.builtin.service:
+      name: cloudera-scm-agent
+      state: restarted

roles/tls_fetch_ca_certs/README.md

@@ -0,0 +1,17 @@
+<!--
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+-->
+
+# cloudera.exe.tls_fetch_ca_certs

roles/tls_fetch_ca_certs/defaults/main.yml

@@ -0,0 +1,22 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+ca_server_intermediate_path: /ca/intermediate/certs
+ca_server_intermediate_cert_name: intermediate.cert.pem
+ca_server_root_path: /ca/certs
+ca_server_root_cert_name: ca.cert.pem
+
+# local_ca_certs_dir

roles/tls_fetch_ca_certs/meta/argument_specs.yml

@@ -0,0 +1,44 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+argument_specs:
+  main:
+    short_description: "Bring CA root and intermediate cert back to controller"
+    description:
+      - Fetch the named root and intermediate CA TLS Certificates from the CA Server.
+    author:
+      - "Jim Enright <[email protected]>"
+    options:
+      ca_server_intermediate_path:
+        description: "Path to intermediate CA cert on the CA server"
+        default: "/ca/intermediate/certs"
+        type: "str"
+      ca_server_intermediate_cert_name:
+        description: "Name of the intermediate CA cert file"
+        type: "str"
+        default: "intermediate.cert.pem"
+      ca_server_root_path:
+        description: "Path to root CA cert on the CA server"
+        default: "/ca/certs"
+        type: "str"
+      ca_server_root_cert_name:
+        description: "Name of the root CA cert file"
+        type: "str"
+        default: "ca.cert.pem"
+      local_ca_certs_dir:
+        description: "Directory on Ansible controller to store the root and intermediate CA cert files"
+        type: "str"
+        required: true

roles/tls_fetch_ca_certs/tasks/main.yml

@@ -0,0 +1,26 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: Bring ca root and intermediate cert back to controller
+  ansible.builtin.fetch:
+    src: "{{ item.cert_path }}/{{ item.cert_filename }}"
+    dest: "{{ local_ca_certs_dir }}/{{ item.cert_filename }}"
+    flat: yes
+  loop:
+    - cert_path: "{{ ca_server_intermediate_path }}"
+      cert_filename: "{{ ca_server_intermediate_cert_name }}"
+    - cert_path: "{{ ca_server_root_path }}"
+      cert_filename: "{{ ca_server_root_cert_name }}"

roles/tls_generate_csr/README.md

@@ -0,0 +1,17 @@
+<!--
+# Copyright 2024 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+-->
+
+# cloudera.exe.tls_generate_csr

roles/tls_generate_csr/defaults/main.yml

@@ -0,0 +1,33 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+openssl_path: /usr/bin/openssl
+
+base_dir_security: /opt/cloudera/security
+base_dir_security_pki: "{{ base_dir_security }}/pki"
+tls_csr_path: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.csr"
+
+# local_csrs_dir: "/tmp/csrs"
+
+ca_server_attrs_general:
+  OU: PS
+  O: Cloudera, Inc.
+  ST: CA
+  C: US
+
+
+tls_key_password: changeme
+
+tls_key_path: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.key"

roles/tls_generate_csr/meta/argument_specs.yml

@@ -0,0 +1,57 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+argument_specs:
+  main:
+    short_description: "Generates a CSR on each host and copies it back to the Ansible controller"
+    description:
+      - Generates a TLS Certificate Signing Request (CSR).
+      - Once created the CSR file is copied back to the Ansibles controller.
+    author:
+      - "Jim Enright <[email protected]>"
+    options:
+      base_dir_security:
+        description: "Base directory for Cloudera CDP security related files"
+        type: "str"
+        default: "/opt/cloudera/security"
+      base_dir_security_pki:
+        description: "Base directory for Cloudera CDP PKI security related files"
+        type: "str"
+        default: "{{ base_dir_security }}/pki"
+      tls_csr_path:
+        description: "Location of the OpenSSL Certificate Signing Request file that will be created by the role"
+        type: "str"
+        default: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.csr"
+      ca_server_attrs_general:
+        description: "Attributes to use in the certificate signing request"
+        type: "dict"
+        default:
+          OU: PS
+          O: "Cloudera, Inc."
+          ST: "CA"
+          C: "US"
+      tls_key_password:
+        description: "Password for the TLS Key."
+        type: "str"
+        default: "changeme"
+      tls_key_path:
+        description: "Location of the TLS key."
+        type: "str"
+        default: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.key"
+      local_csrs_dir:
+        description: "Location on the Ansible Controller where the CSR will be copied."
+        type: "str"
+        default: "{{ base_dir_security_pki }}/{{ inventory_hostname }}.key"