diff --git a/.github/workflows/ansible.yml b/.github/workflows/ansible.yml index 863e3bc..744e1e6 100644 --- a/.github/workflows/ansible.yml +++ b/.github/workflows/ansible.yml @@ -30,3 +30,4 @@ jobs: ansible-lint -x fqcn-builtins,var-spacing -c .ansible-lint molecule test -s default + molecule test -s tls diff --git a/README.md b/README.md index 29d0c7b..4c0f5b3 100644 --- a/README.md +++ b/README.md @@ -43,12 +43,6 @@ Name and group of the user running the minio server. minio_server_envfile: /etc/default/minio ``` -You can specify the location of your existing config using --config-dir (default: ${HOME}/.minio) - -```yaml -minio_config_dir: "/etc/minio" -``` - Path to the file containing the minio server configuration ENV variables. ```yaml 
@@ -116,6 +110,132 @@ minio_install_server: true minio_install_client: true ``` +### TLS + +```yaml +minio_enable_tls: false +``` +Turn on or off TLS support. This requires also configuring TLS certificates, but if you just want TLS and don't care about serving multiple domains (SNI) or about proper handling of the private keys, just set `minio_enable_tls: true` and fill out the `minio_tls_public_cert` and `minio_tls_private_key` variables accordingly (you may want to use e.g. [certgen](https://github.com/minio/certgen/) to generate a certificate if you don't have one already). + +If you need to serve multiple domains (SNI), you can put the contents of your PEM-encoded certificate files and keys in the Ansible variables documented below, or you can opt to have this role create symlinks to certificate files managed outside of this role. The latter is useful when using automatically renewing certificates such as those from the LetsEncrypt CA. + +If you need to specify custom certificate authorities (CAs) you also have a similar choice of storing them in Ansible variables or create symlinks - or both. + +It's possible to mix and match these two methods for any combination of certificates/keys/CAs, but keep in mind that for private keys stored in Ansible variables, you should probably use something like [Ansible Vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html). + +Refer to the MinIO TLS documentation for more information: https://min.io/docs/minio/linux/operations/network-encryption.html + +```yaml +minio_certs_dir: "/etc/minio/certs" +``` +Directory to store MinIO certificates. + +```yaml +minio_certs_dir_basedir_owner: root +``` +Owner of the directory above the certs dir (default location /etc/minio) + +```yaml +minio_certs_dir_owner: "{{ minio_user }}" +``` +Owner of the certs directory. It's recommended to change this to root (or whichever user manages the renewal of certs) in production. 
+ +```yaml +minio_certs_owner: "{{ minio_user }}" +``` +Owner of the files in the certs directory. It's recommended to change this to root (or whichever user manages the renewal of certs) in production + +```yaml +minio_tls_directory_permissions: '0750' +minio_tls_file_permissions: '0640' +``` + +File and directory permissions for certificates stored under `minio_certs_dir`. There is typically no need to change these and if there is, it is usually to just remove the owner's write permissions on the files. + +```yaml +minio_tls_hostnames: [] +``` +Hostnames to set up for multiple domain-based TLS certificates (SNI). Must match the hostnames in `minio_hostspecific_*` vars (or those part of the paths specified in in externally managed certs) + +```yaml +minio_tls_public_cert: "" +``` +If you only want to use a single certificate regardless of domain, this is the variable to put the (public) certificate in. +```yaml +minio_tls_private_key: "" +``` +If you only want to use a single certificate regardless of domain, this is the variable to put the private key for it it in. + +```yaml +minio_tls_hostspecific_public_certs: + - hostname: example1.lan + content: | + -----BEGIN CERTIFICATE----- + ..... + -----END CERTIFICATE----- + - hostname: example2.lan + content: | + -----BEGIN CERTIFICATE----- + ..... + -----END CERTIFICATE----- +``` +If you want MinIO to serve content over TLS to multiple domains (hostnames) and use Server Name Indication to answer with different certificates for different domains, this is the variable to put the (public) certificates in and map them to the correct domain (hostname). Any hostnames specified here must also be present in the `minio_tls_hostnames` list. +```yaml +minio_tls_hostspecific_private_keys: + - hostname: example1.lan + content: | + -----BEGIN PRIVATE KEY----- + ..... + -----END PRIVATE KEY----- + - hostname: example2.lan + content: | + -----BEGIN PRIVATE KEY----- + ..... 
+ -----END PRIVATE KEY----- +``` +If you want MinIO to serve content over TLS to multiple domains (hostnames) and use Server Name Indication to answer with different certificates for different domains, this is the variable to put the (private) keys in and map them to the correct domain (hostname). Any hostnames specified here must also be present in the `minio_tls_hostnames` list. + +```yaml +minio_tls_cacerts: + - filename: ca1.crt + content: | + -----BEGIN CERTIFICATE----- + ..... + -----END CERTIFICATE----- + - filename: ca2.crt + content: | + -----BEGIN CERTIFICATE----- + ..... + -----END CERTIFICATE----- +``` + +This is for putting CA certs in the `CAs` subdirectory of `minio_certs_dir`. If your certificate(s) +are signed by certificate authorities that the system doesn't already trust, you'll want to put them +here. + +```yaml +minio_tls_externally_managed_certs: [] + - crt_src: /usr/local/share/minio/certs/example1.lan.crt + key_src: /usr/local/share/minio/private/example1.lan.key + crt_dst: example1.lan/public.crt + key_dst: example1.lan/private.key + - crt_src: /usr/local/share/minio/certs/example2.lan.crt + key_src: /usr/local/share/minio/private/example2.lan.key + crt_dst: example2.lan/public.crt + key_dst: example2.lan/private.key +``` + +If you want to use certificate files (and corresponding private key files) that are stored outside the `minio_certs_dir` (such as if they are managed by something other than this role), you can use this variable to specify a mapping and the role will then create the appropriate symlinks. Just make sure the source files are accessible to the user/group specified in `minio_user`/`minio_group`. 
+ +```yaml +minio_tls_externally_managed_cacerts: [] + - ca_src: /usr/local/share/minio/CAs/ca1.crt + ca_dst: ca1.crt + - ca_src: /usr/local/share/minio/CAs/ca2.crt + ca_dst: ca2.crt +``` +Like the `minio_tls_externally_managed_certs` variable, this is just for setting up symlinks to externally managed CA certificates located outside the `minio_certs_dir`. + ## Dependencies None. diff --git a/defaults/main.yml b/defaults/main.yml index 83c702d..2b5c421 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,9 +19,6 @@ minio_group: minio # Path to the file containing the ENV variables for the MinIO server minio_server_envfile: /etc/default/minio -# Directory to store minio config. Will default to minio_user/.minio if not defined -minio_config_dir: "/etc/minio" - # Minio server ip/fqdn and port. This makes up the server_addr below minio_server_ip: "" minio_server_port: "9000" 
@@ -59,5 +56,89 @@ minio_root_password: "{{ minio_secret_key | default('minioadmin') }}" minio_install_server: true minio_install_client: true -# TODO: in future -minio_enable_ssl: false +# Enable TLS +minio_enable_tls: false + +# Directory to store minio certificates +minio_certs_dir: "/etc/minio/certs" + +# Owner of the directory above the certs dir (default location /etc/minio) +minio_certs_dir_basedir_owner: root + +# Owner of the certs dir +minio_certs_dir_owner: "{{ minio_user }}" + +# Owner of the files in the certs dir +minio_certs_owner: "{{ minio_user }}" + +minio_tls_directory_permissions: '0750' +minio_tls_file_permissions: '0640' + +# Hostnames to set up for multiple domain-based TLS certificates (SNI) +# Must match the hostnames in `minio_hostspecific_*` vars (or those part of the paths specified in in externally managed certs) +minio_tls_hostnames: [] +# - example1.lan +# - example2.lan + +minio_tls_public_cert: "" # | +# -----BEGIN CERTIFICATE----- +# ..... +# -----END CERTIFICATE----- + +minio_tls_private_key: "" # | +# -----BEGIN PRIVATE KEY----- +# ..... +# -----END PRIVATE KEY----- + +minio_tls_hostspecific_public_certs: [] +# - hostname: example.lan +# content: | +# -----BEGIN CERTIFICATE----- +# ..... +# -----END CERTIFICATE----- +# - hostname: example2.lan +# content: | +# -----BEGIN CERTIFICATE----- +# ..... +# -----END CERTIFICATE----- + +minio_tls_hostspecific_private_keys: [] +# - hostname: example.lan +# content: | +# -----BEGIN PRIVATE KEY----- +# ..... +# -----END PRIVATE KEY----- +# - hostname: example2.lan +# content: | +# -----BEGIN PRIVATE KEY----- +# ..... +# -----END PRIVATE KEY----- + +minio_tls_cacerts: [] +# - filename: ca1.crt +# content: | +# -----BEGIN CERTIFICATE----- +# ..... +# -----END CERTIFICATE----- +# - filename: ca2.crt +# content: | +# -----BEGIN CERTIFICATE----- +# ..... 
+# -----END CERTIFICATE----- + + +minio_tls_externally_managed_certs: [] +# - crt_src: /usr/local/share/minio/certs/example1.crt +# key_src: /usr/local/share/minio/private/example1.key +# crt_dst: example1.lan/public.crt +# key_dst: example1.lan/private.key +# - crt_src: /usr/local/share/minio/certs/example2.crt +# key_src: /usr/local/share/minio/private/example2.key +# crt_dst: example2.lan/public.crt +# key_dst: example2.lan/private.key + +minio_tls_externally_managed_cacerts: [] +# - ca_src: /usr/local/share/minio/CAs/ca1.crt +# ca_dst: ca1.crt +# - ca_src: /usr/local/share/minio/CAs/ca2.crt +# ca_dst: ca2.crt diff --git a/molecule/resources/tests/verify-tls.yml b/molecule/resources/tests/verify-tls.yml new file mode 100644 index 0000000..251d47d --- /dev/null +++ b/molecule/resources/tests/verify-tls.yml @@ -0,0 +1,25 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Populate service facts + service_facts: + + - name: Assert that minio service is running + assert: + that: | + "'running' in ansible_facts.services['minio.service'].state" + or + "'running' in ansible_facts.services['minio'].state" + + - name: Check MinIO WebUI + ansible.builtin.uri: + url: "https://localhost:9000/minio/login" + status_code: 200 + headers: + User-Agent: "Mozilla/5.0" + validate_certs: false + register: login_page + until: login_page.status == 200 + retries: 10 + delay: 1 diff --git a/molecule/tls/converge.yml b/molecule/tls/converge.yml new file mode 100644 index 0000000..6451545 --- /dev/null +++ b/molecule/tls/converge.yml @@ -0,0 +1,6 @@ +--- + +- hosts: all + any_errors_fatal: true + roles: + - ansible-minio diff --git a/molecule/tls/molecule.yml b/molecule/tls/molecule.yml new file mode 100644 index 0000000..f3c4e49 --- /dev/null +++ b/molecule/tls/molecule.yml 
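Review bot: Renaming `minio_enable_ssl` to `minio_enable_tls` turns any inventory that still sets `minio_enable_ssl: true` into a plaintext deployment with no warning, because the old name is simply no longer read anywhere and the new default is `false`. A one-line guard early in the role, e.g. `- ansible.builtin.assert: { that: minio_enable_ssl is not defined, fail_msg: "minio_enable_ssl was renamed to minio_enable_tls" }`, makes that silent downgrade fail loudly instead. Also, the comment above `minio_tls_hostnames` points readers at `minio_hostspecific_*` vars, but the variables actually defined below are `minio_tls_hostspecific_public_certs` and `minio_tls_hostspecific_private_keys`.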
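Review bot: `validate_certs: false` on the `uri` task means this TLS scenario only proves that something answers on https://localhost:9000, not that MinIO serves the configured certificate chain; since the scenario installs `localhost-ca.crt` into the CAs directory, the check could use `validate_certs: true` with `ca_path: /etc/minio/certs/CAs/localhost-ca.crt` so a wrong, missing or expired certificate fails the test (assuming MinIO picks the `localhost/` certificate for that SNI). The `assert` above it also appears vacuous as written: inside the `that: |` block both operands of `or` are double-quoted string literals, so the Jinja condition is a non-empty string and evaluates true regardless of the service state. Evaluating the real lookup, e.g. `that: "'running' in (ansible_facts.services['minio.service'] | default(ansible_facts.services['minio'])).state"`, would make the service check meaningful.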
@@ -0,0 +1,175 @@ +--- +scenario: + name: tls + +dependency: + name: galaxy + options: + role-file: requirements.yml + +driver: + name: docker + +platforms: + - name: test-docker-centos7-minio + image: quay.io/minio/centos-systemd:7 + privileged: true + pre_build_image: true + command: /sbin/init + published_ports: + - "0.0.0.0:9000:9000" + - "0.0.0.0:9001:9001" + tmpfs: + - /run + - /tmp + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + groups: + - rhel_family + + - name: test-docker-ubuntu2004-minio + image: quay.io/minio/ubuntu-systemd:20.04 + command: /sbin/init + privileged: true + pre_build_image: true + tmpfs: + - /run + - /tmp + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + groups: + - debian_family + +provisioner: + name: ansible + log: true + options: + diff: True + v: True + config_options: + defaults: + callback_whitelist: profile_tasks,timer + playbooks: + verify: ../resources/tests/verify-tls.yml + inventory: + group_vars: + all: + minio_enable_tls: true + minio_tls_hostnames: + - localhost + minio_tls_public_cert: | + -----BEGIN CERTIFICATE----- + MIIB1zCCAX6gAwIBAgIRALH4vSwfYCbrxzlP2gVz2KYwCgYIKoZIzj0EAwIwMzEc + MBoGA1UEChMTQ2VydGdlbiBEZXZlbG9wbWVudDETMBEGA1UECwwKamxzbUBwb29m + eTAeFw0yMzAyMjcxNDUzMjRaFw0yNDAyMjcxNDUzMjRaMDMxHDAaBgNVBAoTE0Nl + cnRnZW4gRGV2ZWxvcG1lbnQxEzARBgNVBAsMCmpsc21AcG9vZnkwWTATBgcqhkjO + PQIBBggqhkjOPQMBBwNCAAR6RTZIYaqp5YzfbubWs/dnMlruh2flsOKnIlaNdNMb + nwt24M0Rv7rTA0TCWZ8l6oMrtsX2ucYRDsZmfLn1ekSmo3MwcTAOBgNVHQ8BAf8E + BAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNV + HQ4EFgQULzqn39hJ/tAyUzxWUvpKUGy3ocUwGgYDVR0RBBMwEYIJbG9jYWxob3N0 + hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIGohf4yxSMtg5uut6cGvhEUolb7L73F6 + rXsBbZ7ycw+QAiB5dlkw5Npi5BsoiERUzauU2AK6UcvWU4vvTMj0VJz7jg== + -----END CERTIFICATE----- + minio_tls_private_key: | + -----BEGIN PRIVATE KEY----- + MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgb21ltysvxul2Be8b + DPt8KvyB0bwy9fo2lq13jKRO8kuhRANCAAR6RTZIYaqp5YzfbubWs/dnMlruh2fl + 
sOKnIlaNdNMbnwt24M0Rv7rTA0TCWZ8l6oMrtsX2ucYRDsZmfLn1ekSm + -----END PRIVATE KEY----- + minio_tls_hostspecific_public_certs: + - hostname: localhost + content: | + -----BEGIN CERTIFICATE----- + MIIESzCCArOgAwIBAgIQHcUxdSm5JxhgnLe2G9+whjANBgkqhkiG9w0BAQsFADB5 + MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExJzAlBgNVBAsMHnZhZ3Jh + bnRAdWJ1bnR1MjAwNC5sb2NhbGRvbWFpbjEuMCwGA1UEAwwlbWtjZXJ0IHZhZ3Jh + bnRAdWJ1bnR1MjAwNC5sb2NhbGRvbWFpbjAeFw0yMzAzMDMxMjMzMzhaFw0yNTA2 + MDMxMjMzMzhaMFIxJzAlBgNVBAoTHm1rY2VydCBkZXZlbG9wbWVudCBjZXJ0aWZp + Y2F0ZTEnMCUGA1UECwwedmFncmFudEB1YnVudHUyMDA0LmxvY2FsZG9tYWluMIIB + IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyrqRhvQhfN8cc6cPtK+hwzqB + hwM8orgdH2VEc2Xfl/QMcdjAHMhHqXTHzOuSDU9IP/xJeuEza1kep9CO7k0j5rPc + ing3AEYKUdkatJytiknIr7h+Y/hgY8Y44HJRyNVYGYT3UG8iKNfQgVjBgxXaQytM + vuQ5nGUZE7Bh12IjdCQBvG8G0GSZ9AP8ImGggckddeOnf+0LDPqCfQcaD3tu7DLA + ojgpCLUkPH23uDmJnCbN6D3A/+qUYcDOgPRkVI+ZwtzfL4hvB5SRje6v29oa6vTb + A+eM/76nYFUdvRygD6ZlI+E1Jk84NZszXmXu5O46le55r8n+3fb3K7i8XEgHwQID + AQABo3YwdDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYD + VR0jBBgwFoAU8brXvr84wb7LDUdYwuRbHDGQI8gwLAYDVR0RBCUwI4IJbG9jYWxo + b3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBgQCI + 22klWZglzog7yn1Rz0tOl9lcMUKLIlOeJIVCdDSGwdE67LRZ/Bx8TyzervdmPhvg + fQDOWC82vMY76H7Mx3mLLWSbY/JrQSuzp54CedMxdHdFnEc5R3aiD0cO6YqgJfhV + Bst1hG+XvoJ2rRtqY5uHlltpPn9Vdd7+FUB2QbO4ArLMelV4vjNbCjFOblrvs5Va + KGLg3EyYcn6YKF/seEyaXnYNvxKEETbDedXYA1StDV4FL57t7qOz2oH5h+dcYKSS + 5XFPt4qkuaONuZi8BiTAiH8zdgwh3MpKvF5F4kV4FHeZ2XvViiV9XeqCAqC+zz/i + d/L9oCVCmEh3fx/eu9fKh8LCagzt3zKMrSt9kEYan146T3gikLddDt3o88BLS8bJ + MZ4ejfFS+FsYyEcuzu/t80ikWikg6OPYIbp1t22XXBYBl0YTVhZLWGVv3HH1ZbEl + NRg32I0ejnKNa06ZKHp91E0PqTm8R6VUhdYyyaWqGQR7adfU6Tlg1t3v67GUGrw= + -----END CERTIFICATE----- + minio_tls_hostspecific_private_keys: + - hostname: localhost + content: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDKupGG9CF83xxz + pw+0r6HDOoGHAzyiuB0fZURzZd+X9Axx2MAcyEepdMfM65INT0g//El64TNrWR6n 
+ 0I7uTSPms9yKeDcARgpR2Rq0nK2KScivuH5j+GBjxjjgclHI1VgZhPdQbyIo19CB + WMGDFdpDK0y+5DmcZRkTsGHXYiN0JAG8bwbQZJn0A/wiYaCByR1146d/7QsM+oJ9 + BxoPe27sMsCiOCkItSQ8fbe4OYmcJs3oPcD/6pRhwM6A9GRUj5nC3N8viG8HlJGN + 7q/b2hrq9NsD54z/vqdgVR29HKAPpmUj4TUmTzg1mzNeZe7k7jqV7nmvyf7d9vcr + uLxcSAfBAgMBAAECggEAR4MUfrRzc6cIVEukIKqrt0BWHJgptYSY0VBZmxNeki2G + jkpVSlHj5YTKTiDy/jrvU5LdILl79+wSAkRxhuIzPdhIfZf2XuRWE5Uv9HIoTVXF + syazfvRInCl6OsJY0y1ezHG5A+iP9jRa2qXCbUkyGuuVQOkk4WRQOj/H48A8nWTN + FS2qx1BFypHwCfNkMdwivHWSB0BKHnyaGt6YZRDdfxrNoOVG/VllOv/scVoYplYn + l+ZSYjfaAsU7A8C/+mDTRNXilFghMqBRs0jc8XUSK2XU+wdX/fA8L8K/vQ1c2Xtz + MJ6xaa30ULKKm/U5QaiEmnBwTmZCWTJHTrl0bO6LmQKBgQD0EB3qaN9ssLXr3Bkk + nR5XgpX+hLPKZoZ22YMSSdXNwgHdcrUtlkflexMHfB5+7KEHKcZmwL/dxPKl2dKI + J4SGbzVdv/UmK5ZJtQaSVgK9elxtcNZ3YgY2IgAnAoT60U0makL1GSP9ewCVltv1 + USaQ2sr9lIfb4P05A/vNpHquOwKBgQDUpOlOqvJqu/z/d00iHdj86cx98K2Tq/AV + 68CWzX7MmIwgP7ahgAVYkykYLglB6oOP+ShIojqXImfoSDY3Y1E4P/83FcKpompx + tcC2fYOFCK43ezuS3eDna9WIuchqMIwtHgNOxnWwQdNX1TpR6bEMOzoLaXnlKLtI + MBnqgXbWMwKBgQDbzugihfEzYrN1iPTcFOWOyv1sDPggAdZ4k82IWxdECMbFOtoS + BJccBoxM4WxVw6gDW4xkXpRul0IyPMtv9KdWrDHUDV4s0nS4TWFtyikNnXZA2q9N + NeuCNX0NpSc+/eIOBwXm2I2hbXZJQ2U2u6+QJn1LhMoXLbrh7sSJoOkcoQKBgQCo + ezl34S5Nr0EX0JjGzUtdqIkjyAxfkr2ZQL/JPGyZAs0TyCeV8m9J7N+EjwU6uuse + qdVnJ1Kw6MvXWU/Ltt9laB94r78a1Nrt2YoljXEleOlAgF2FUlOeSOxZdon6yRhn + rv4D7m7VBnLDhui8eiKThGHLJPk1vn4VBjeifI2BzQKBgQDTdsyuSpsjGh6GcFZa + XPNcw4qZJwfT1TBPGpv/f20OyrSxj8MflgVPnDCakp9uqlLxD7gh3h9U19907PK2 + bhDT2DZDmetm2YsZe3T03v14za83jR6L4AYMeuW2A8yOI+uXHw95lnZlljPEIJcT + vQ/OmKksWUspGTZioNlcUWZZZg== + -----END PRIVATE KEY----- + minio_tls_cacerts: + - filename: localhost-ca.crt + content: | + -----BEGIN CERTIFICATE----- + MIIEwTCCAymgAwIBAgIQecABhOVkk/NF+lFUQ5BghjANBgkqhkiG9w0BAQsFADB5 + MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExJzAlBgNVBAsMHnZhZ3Jh + bnRAdWJ1bnR1MjAwNC5sb2NhbGRvbWFpbjEuMCwGA1UEAwwlbWtjZXJ0IHZhZ3Jh + bnRAdWJ1bnR1MjAwNC5sb2NhbGRvbWFpbjAeFw0yMzAzMDMxMDE4NTdaFw0zMzAz + 
MDMxMDE4NTdaMHkxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEnMCUG + A1UECwwedmFncmFudEB1YnVudHUyMDA0LmxvY2FsZG9tYWluMS4wLAYDVQQDDCVt + a2NlcnQgdmFncmFudEB1YnVudHUyMDA0LmxvY2FsZG9tYWluMIIBojANBgkqhkiG + 9w0BAQEFAAOCAY8AMIIBigKCAYEAw8RJnHIlictLLEP4w4hxhRh4CTECEd8cFshM + RkbUL2ji3JMeFpOIl/wBM5TmmEkiVCcFoPJMxQRLYp4PKBNAckmf/WCvefdp9Qxr + xi2XfaUZHkFcCLIeGYpxogz1nl95T/yX/Yf//M4TA2hwyNWLCIid2/T1Un7vsRpi + 1lA2tyN5IzP6A18CwC/1eg8sJtq8yRzMXG5kRF9sqPvJvXGiGaV1lIPqc0zgJNtG + xIiEQZAIiWIOMqSvF47ZtA1FDv8sO2pY/6qbrSifjMT51iO3aZECQr1qBWEzDzjC + GmR/WWld6kum19GWYBvyzHkqiTcggUTiFBhKbPJnZ38L9TrIXXCuhYNIUgWeVO2K + 1PiIavdG5CunIHaamn9MRjCjoHWFKVwdS9nm/t5dFQzA2AZvNf1XiDsVNcPbyOwL + 7cMI7kf/o8ayIJFoHn0+9Xmjn/64P/2S+ftkp3ameXNLgbbgjagCM5QcQbmAmF0Y + feuFoMqxKUtfc6pd1fNV09BkDfIvAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICBDAS + BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTxute+vzjBvssNR1jC5FscMZAj + yDANBgkqhkiG9w0BAQsFAAOCAYEAXRBq+5rojRjFURJq6C+yIBBhrntQXCGE9Ojb + F7DHba+z3O1WSdi6tDd1GJbrgi1q96a7PWeBNB47ao2gN3ivzI6Su8VR9oSka0FH + CZv2uhdyUWj3CFu485oexk2eznDkfdeLI7qA1ZNCi6HxOg59NOOqjMRCLz6Vu1xV + hTlBIRjCvsMhPkEeVyR8g9h37L/vcxYWvzD2xqgPECaK9oRd1nllwZUvGnzGx4b8 + xBoMAVu/WFwkF/3ecM3a9MssZViL2eOwMv3QIvFZaF5DIKOzwGNILmOLhzB8awvJ + STK5qWflyTQsbjBlBTq4X5nEXKV+Qxi8WADNqKscrm4Rmbr7MJraEwHmxXFKz76H + 1LmhlMrjiCI0i39CPsFsLHlERNA0SENVHv0zZSPnx5fQkL0Ln8Kv9d/RO6/qs06O + ODO/cqhRpktOsrXzMcC8QANINCtvzp5GN255Q1dMR6Vg/wN4qSRqD+tMZ1A8kp8B + 3Z12+4IQKv6OFYA44v91hehbMKkx + -----END CERTIFICATE----- + +lint: | + set -e + yamllint . + +verifier: + name: ansible diff --git a/tasks/install-server.yml b/tasks/install-server.yml index 773abda..71e6525 100644 --- a/tasks/install-server.yml +++ b/tasks/install-server.yml 
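Review bot: The fallback certificate in `minio_tls_public_cert` and the mkcert leaf in `minio_tls_hostspecific_public_certs` are short-lived fixtures (their validity fields appear to decode to Feb 2023–Feb 2024 and Mar 2023–Jun 2025), so the scenario keeps passing only because the verifier disables certificate validation and it will never notice an expired or mismatched chain. Generating throwaway keys and certificates in a molecule `prepare.yml` (e.g. with `community.crypto.openssl_privatekey`/`x509_certificate`, or `certgen`) and feeding them in as vars would keep the test meaningful and keep private keys out of the repository. Separately, `published_ports` binds 9000/9001 on `0.0.0.0` for the CentOS platform while the role's root credentials default to `minioadmin`; unless a human needs to reach the container, dropping the mapping or binding it to `127.0.0.1:9000:9000` avoids exposing a default-credential MinIO on shared CI runners.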
@@ -18,10 +18,12 @@
 minio_server_opts: "--console-address {{ minio_console_addr }} {{ minio_server_opts }}"
 when: minio_console_addr | length > 1

-- name: "Append the MinIO config directory var to minio_server_opts"
+- name: "Append the MinIO certs directory var to minio_server_opts"
 set_fact:
- minio_server_opts: "--config-dir {{ minio_config_dir }} {{ minio_server_opts }}"
- when: minio_config_dir | length > 0
+ minio_server_opts: "--certs-dir {{ minio_certs_dir }} {{ minio_server_opts }}"
+ when:
+ - minio_certs_dir | length > 0
+ - minio_enable_tls

 - name: Create MinIO group
 group:
@@ -45,6 +47,9 @@
 when: minio_server_make_datadirs
 with_items: "{{ minio_server_datadirs }}"

+- include_tasks: server-tls-cert-setup.yml
+ when: minio_enable_tls
+
 - name: Download the MinIO server
 get_url:
 url: "{{ _minio_server_download_url }}"
@@ -60,6 +65,7 @@
 notify: restart minio

 - name: Generate the MinIO server envfile
+ no_log: true
 template:
 src: minio.env.j2
 dest: "{{ minio_server_envfile }}"
@@ -90,14 +96,8 @@
 when: ansible_service_mgr != "systemd"
 notify: restart minio

-- name: Create the MinIO config dir
- file:
- path: "{{ minio_config_dir }}"
- owner: "{{ minio_user }}"
- group: "{{ minio_group }}"
- state: directory
- mode: 0755
- when: minio_config_dir is defined
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers

 - name: Enable and start the MinIO service
 service:
diff --git a/tasks/server-tls-cert-setup.yml b/tasks/server-tls-cert-setup.yml
new file mode 100644
index 0000000..73a5c5a
--- /dev/null
+++ b/tasks/server-tls-cert-setup.yml
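Review bot: With `minio_enable_tls: true` but none of the certificate variables populated, the included `server-tls-cert-setup.yml` only creates an empty certs directory and the role carries on, while `minio_connection_type` (vars/main.yml) already reports `https`, presumably feeding the server URL used elsewhere in the role; MinIO started with `--certs-dir` pointing at a directory without `public.crt`/`private.key` comes up as plain HTTP (as far as I recall its behaviour), so the mismatch surfaces only at runtime. An `ansible.builtin.assert` right before this include, e.g. `that: minio_tls_public_cert | length > 0 or minio_tls_hostspecific_public_certs | length > 0 or minio_tls_externally_managed_certs | length > 0` with a `fail_msg` naming those variables, turns that into a clear deploy-time failure. The enclosing task list continues outside this hunk.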
@@ -0,0 +1,125 @@ +--- +- name: Create certs directory base path + become: true + ansible.builtin.file: + path: "{{ minio_certs_dir | dirname }}" + state: directory + owner: "{{ minio_certs_dir_basedir_owner }}" + group: "{{ minio_group }}" + mode: "{{ minio_tls_directory_permissions }}" + +- name: Create certs directories + become: true + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ minio_certs_dir_owner }}" + group: "{{ minio_group }}" + mode: "{{ minio_tls_directory_permissions }}" + loop: + - "{{ minio_certs_dir }}" + - "{{ minio_certs_dir }}/CAs" + +- name: Create certs hostname subdirectories + become: true + ansible.builtin.file: + path: "{{ minio_certs_dir }}/{{ item }}" + state: directory + owner: "{{ minio_certs_dir_owner }}" + group: "{{ minio_group }}" + mode: "{{ minio_tls_directory_permissions }}" + loop: "{{ minio_tls_hostnames }}" + when: minio_tls_hostnames | length > 0 + +- name: Install fallback certificate and private key from variables + when: + - minio_tls_public_cert | length > 0 + - minio_tls_private_key | length > 0 + block: + - name: Install certificate file to certs dir + become: true + ansible.builtin.copy: + content: "{{ item }}" + dest: "{{ minio_certs_dir }}/public.crt" + mode: "{{ minio_tls_file_permissions }}" + owner: "{{ minio_certs_owner }}" + group: "{{ minio_group }}" + loop: + - "{{ minio_tls_public_cert }}" + - name: Install certificate private key to certs dir + no_log: true + become: true + ansible.builtin.copy: + content: "{{ item }}" + dest: "{{ minio_certs_dir }}/private.key" + mode: "{{ minio_tls_file_permissions }}" + owner: "{{ minio_certs_owner }}" + group: "{{ minio_group }}" + loop: + - "{{ minio_tls_private_key }}" + +- name: Install host-specific certificates and private keys from variables + when: + - minio_tls_hostspecific_public_certs | length > 0 + - minio_tls_hostspecific_private_keys | length > 0 + block: + - name: Install certificate public files to host-specific certs dirs + 
become: true + ansible.builtin.copy: + content: "{{ item.content }}" + dest: "{{ minio_certs_dir }}/{{ item.hostname }}/public.crt" + mode: "{{ minio_tls_file_permissions }}" + owner: "{{ minio_certs_owner }}" + group: "{{ minio_group }}" + loop: "{{ minio_tls_hostspecific_public_certs }}" + - name: Install certificate private keys to host-specific certs dirs + no_log: true + become: true + ansible.builtin.copy: + content: "{{ item.content }}" + dest: "{{ minio_certs_dir }}/{{ item.hostname }}/private.key" + mode: "{{ minio_tls_file_permissions }}" + owner: "{{ minio_certs_owner }}" + group: "{{ minio_group }}" + loop: "{{ minio_tls_hostspecific_private_keys }}" + +- name: Install CA certificates from variables to CA certs dir + become: true + ansible.builtin.copy: + content: "{{ item.content }}" + dest: "{{ minio_certs_dir }}/CAs/{{ item.filename }}" + mode: "{{ minio_tls_file_permissions }}" + owner: "{{ minio_certs_owner }}" + group: "{{ minio_group }}" + loop: "{{ minio_tls_cacerts }}" + when: + - minio_tls_cacerts | length > 0 + +- name: Create symlinks to externally managed certificates + when: + - minio_tls_externally_managed_certs | length > 0 + block: + - name: Install certificates symlinks to certs dir + become: true + ansible.builtin.file: + state: link + src: "{{ item.crt_src }}" + dest: "{{ minio_certs_dir }}/{{ item.crt_dst }}" + loop: "{{ minio_tls_externally_managed_certs }}" + - name: Install private key symlinks to certs dir + become: true + ansible.builtin.file: + state: link + src: "{{ item.key_src }}" + dest: "{{ minio_certs_dir }}/{{ item.key_dst }}" + loop: "{{ minio_tls_externally_managed_certs }}" + +- name: Manage symlinks to externally managed CA certificates + become: true + ansible.builtin.file: + state: link + src: "{{ item.ca_src }}" + dest: "{{ minio_certs_dir }}/CAs/{{ item.ca_dst }}" + loop: "{{ minio_tls_externally_managed_cacerts }}" + when: + - minio_tls_externally_managed_cacerts | length > 0 
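Review bot: The first task forces `owner`/`group`/`mode` onto `minio_certs_dir | dirname`, which is derived from a user-supplied path; with the default `/etc/minio/certs` that only touches `/etc/minio`, but a deployment that sets `minio_certs_dir: /etc/ssl/minio` (or anything under an existing shared directory) would have `/etc/ssl` re-owned to `root:minio` with mode 0750 and cut every other process on the host off from its CA bundle. Ownership and mode of a parent that already exists are not this role's to change, so either drop those attributes from that task or apply them only when the directory has to be created, as sketched below. Separately, none of the `copy`/`file` tasks here `notify: restart minio`, so replacing a certificate or key on an already running server takes effect only if the deployed MinIO release reloads certificates from disk on its own — worth either adding the notify or stating that reload assumption in the README. A `validate: openssl x509 -noout -in %s` / `validate: openssl pkey -noout -in %s` on the certificate and key copy tasks would additionally reject a mis-pasted or still-vault-encrypted PEM before it lands in the certs dir (assuming openssl is present on the target).
```yaml
- name: Check whether the certs base path already exists
  ansible.builtin.stat:
    path: "{{ minio_certs_dir | dirname }}"
  register: _minio_certs_basedir

- name: Create certs directory base path
  become: true
  ansible.builtin.file:
    path: "{{ minio_certs_dir | dirname }}"
    state: directory
    owner: "{{ minio_certs_dir_basedir_owner }}"
    group: "{{ minio_group }}"
    mode: "{{ minio_tls_directory_permissions }}"
  # only impose ownership/mode on a directory this role creates itself
  when: not _minio_certs_basedir.stat.exists

# … unchanged: certs directories, hostname subdirectories, certificate/key/CA install and symlink tasks …
```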
diff --git a/vars/main.yml b/vars/main.yml
index 5b7f106..4f05dfb 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,6 @@
 ---
 # vars file for ansible-minio
-minio_connection_type: "{{ minio_enable_ssl | ternary('https', 'http') }}"
+minio_connection_type: "{{ minio_enable_tls | ternary('https', 'http') }}"
 go_arch_map:
 i386: '386'