Skip to content

davepoltorak/ansible-collection-smallstep

 
 

Repository files navigation

maxhoesel.smallstep - Ansible Collection for Smallstep CA/CLI

Release CI Status License

An Ansible collection containing roles/modules to install, configure and interact with the Smallstep certificate server and the CLI tool. Possible uses for this collection include:


⚠️ SUPPORTED SMALLSTEP VERSION NOTICE ⚠️

The smallstep tools (and this collection) are constantly changing and breaking changes may be introduced in each minor version (e.g. from 0.20 to 0.21). To help maintain compatibility, you should use the version of this collection that corresponds to your step-cli version.

For example, if you are using step-cli==0.20, you should use the collection version >=0.20,<0.21. Newer and older collection versions may work, but are not supported.

For step-cli versions <0.20: Use the collection version >=0.4,<0.5. This was the last collection version released under the old versioning scheme.


Components

Roles

Role Description
step_ca Install step-ca as an internal CA.
step_bootstrap_host Configure a client host to trust your CA using step-cli.
step_acme_cert Set up a Let's Encrypt-style certificate on a host using your ca, including automatic renewal.
step_cli Install step-cli and nothing else. Used by bootstrap_host and step_ca under the hood.

Standalone Modules

None so far

CA Modules


NOTE

To learn more about the differences between Online/Offline/Local-Only Modules, see this section


Module Description Remote (Online mode) Local (Offline mode)
step_ca_bootstrap Initialize step-cli to trust a step-ca server
step_ca_certificate Generate a new private key and certificate signed by the CA root certificate offline parameter
step_ca_provisioner Manage provisioners on a step-ca server admin parameters, if configured
step_ca_renew Renew a valid certificate offline parameter
step_ca_provisioner_claims DECREPATED! (use step_ca_provisioner instead) Manage provisioner claims
step_ca_revoke Revoke a Certificate offline parameter
step_ca_token Generate an OTT granting access to the CA offline parameter

Installation

Dependencies

  • A recent release of Ansible. This collection officially supports the 2 most recent Ansible releases. Older versions might still work, but are not supported
  • Python 3.6 or newer

Individual roles or modules may have additional dependencies, please check their respective documentation.

Install

Via ansible-galaxy (recommended):

ansible-galaxy collection install maxhoesel.smallstep>=your-step-cli-version,<next-major-version

For more information about supported step-cli versions, see the support notice at the beginning of this file.

Alternatively, you can download a collection archive from a previous release.

You can also clone this repository directly if you want a slightly more up-to-date (and potentially buggy) version.

ansible-galaxy collection install git+https://github.com/maxhoesel-ansible/ansible-collection-smallstep

Getting started (Step-By-Step)

This section will show you how to install a step-ca server and configure clients to trust that CA using this collection. This guide will give you a good overview of how to use the tools in this collection.

Let's start with our inventory: In this example, we have a single server that we want to use as a step CA and three clients that we want to trust the server:

all:
  children:
    step_ca:
      my-ca.localdomain
    clients:
      hosta.localdomain
      hostb.localdomain
      hostc.localdomain

Create a CA

To create a CA server from scratch, this role contains the step_ca role. It will install and initialize a step-ca server for you, which you can then configure however you want. Below is a simple example for how to do so. If you want to know more, check out the documentation for step_ca.


NOTE

Please make sure that you have read the considerations for running a step-ca server in production. step_ca follows these considerations where possible, but you should still be familiar with the basic operation of the step-ca server. See the step_ca documentation for more details on how private keys are handled.


ca.yml:

- hosts: step_ca
  become: yes
  tasks:
    # Install and initialize the CA server.
    # There are a lot of configuration options, see the step_ca README for details
    - name: Install step-ca
      include_role:
        name: maxhoesel.smallstep.step_ca
      vars:
        step_ca_name: Foobar Internal CA
        step_ca_root_password: "incredibly secret password"
        step_ca_intermediate_password: "very secret password"

    # The CA root cert fingerprint is used by clients to verify the authenticity of your CA.
    # You can save the output of this task and then pass it on to any client that you want to trust the CA.
    - name: Get root CA fingerprint
      command: 'step-cli certificate fingerprint /etc/step-ca/certs/root_ca.crt'
      register: root_ca_fp
    - name: Show root CA fingerprint
      debug:
        msg: "Fingerprint of root cert: {{ root_ca_fp.stdout }}"

Bootstrap the clients

To establish trust between your clients and the CA, you will need the fingerprint of the CA root cert - see the Create a CA section for more details. This fingerprint identifies your CA to your clients and allows them to verify the CA cert.

To actually initialize the clients, you can use step_bootstrap_host. This role will install step-cli and configure the host to trust your CA.

clients.yml:

- hosts: clients
  become: yes
  tasks:
    - name: Bootstrap the hosts to trust the CA
      include_role:
        name: maxhoesel.smallstep.step_bootstrap_host
      vars:
        # These values point the hosts to your newly created CA
        step_bootstrap_ca_url: https://my-ca.localdomain
        step_bootstrap_fingerprint: "your root CA certs fingerprint"

    - name: Verify that everything is working
      command: step-cli ca health
      changed_when: no

At this point, your CA is up and running and your hosts are configured to trust it. You're ready to go! You can take a look at the available modules to further configure your CA and hosts if you wish to do so.

Module Usage

This collection contains several modules for mamaging your smallstep environment. Most of them wrap around step-cli commands, so they usually support all the features of the respective command.

If you'd like to know more about an individual module, you can view its documentation using ansible-doc maxhoesel.smallstep.<step_module_name>.

The step-cli tool has two sets of commands - standalone and CA.

  • Standalone commands are executed by step-cli directly with no external CA required. Example: step-cli certificate create
  • CA commands require the usage of an external step CA (Example: step-cli ca certificate). Depending on the module, there are two modes:
    • Online mode: step-cli communicates with the CA over HTTPS and requests the data it needs.
    • Offline/Local mode: step-cli accesses the CA files (certificates, config) directly. This only works on the CA host itself.

Most CA modules can use either online or offline mode using the offline parameter, but there are some exceptions. For example, the step_ca_provisioner_(claims) modules(s) need to run in offline mode as they directly write to the CA config. See this table for details.

In order to talk to your CA in online mode, step-cli needs to already trust it. You can achieve this by:

  • Running the module on a host that was configured with step_bootstrap_host as root (recommended).
  • Pasing the ca_url and root parameters to the module.

For offline mode, you need to:

  • Provide step-cli with the path to your CA config ($STEPPATH/config/ca.json by default). You can override this with the ca_config parameter if required.
  • Run the module as the user the CA is running as to prevent permission issues

Below are some examples to showcase the different options. These examples assume that a CA is already set up on the local host.

- hosts: ca
  tasks:
    - name: Run a module in online mode by specifying the CA URL and CA cert
      maxhoesel.smallstep.step_ca_certificate:
        root: /etc/ssl/myca.crt
        ca_url: https://my-ca.localdomain
        #params go here

    # This will only work if you ran step_bootstrap_host on this host first!
    - name: Run a module as root to use the CA configured during bootstrapping
      maxhoesel.smallstep.step_ca_certificate:
        #params go here
      become: yes

    - name: Run a module in offline mode
      maxhoesel.smallstep.step_ca_certificate:
        offline: yes
        # params go here
      become: yes
      # You should run modules acting on a local CA as the user that the CA runs as.
      # If you configured your CA with `step_ca`, the default user name is `step-ca`.
      become_user: step-ca

    - name: Run a offline-only module and manually supply the ca_config
      maxhoesel.smallstep.step_ca_provisioner:
        ca_config: /etc/step-ca/config/ca.json
        #params go here
      become: yes
      become_user: step-ca

About $STEPPATH

All modules in this collection respect the $STEPPATH environment variable used to customize the step-cli config directory. If you want to use a custom $STEPPATH for your environment, you can use the step_cli_steppath role variables and the environment ansible parameter for modules:

  - name: Initialize a host with a custom STEPPATH
    maxhoesel.smallstep.step_bootstrap_host:
    vars:
      step_bootstrap_ca_url: https://my-ca.localdomain
      step_bootstrap_fingerprint: "your root CA certs fingerprint"
      step_cli_steppath: /etc/step-cli

  - name: Use the custom $STEPPATH in a module
    maxhoesel.smallstep.step_ca_certificate:
      # params go here
    environment:
      STEPPATH: /etc/step-cli

License & Author

Created & Maintained by Max Hösel (@maxhoesel) and Contributors

Licensed under the GPL 3.0 or later

About

Unofficial Ansible Collection for Smallstep CLI and the step-ca server

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 95.3%
  • Jinja 3.0%
  • Shell 1.7%