When managing configuration for various services, you'll (hopefully) end up having to install TLS certificates at some point. Instead of having to come up with the same logic in various modules, roles or formulas I've had an Ansible role for a while that bundled all the logic into a single role that used the vault to obtain all certificates, keys and bundles that needed to be managed on a given node.
I assign this formula to all minions, simply because it won't do anything if a minion doesn't have any TLS configuration in it's pillar. So it's safe to enable everywhere:
base: '*': - tls
In your pillar you define the certificates, keys and chains as:
#!yaml|gpg tls: certs: /etc/ssl/path_to_cert.crt: content: | -----BEGIN CERTIFICATE----- MIIE+jCCA+KgAwIBAgIRALRW5MT6nSki0VQR6/Ff66owDQYJKoZIhvcNAQELBQAw [...] -----END CERTIFICATE----- keys: /etc/ssl/private/path_to_key.key: content: | -----BEGIN PGP MESSAGE----- hQIMA+f23ydFPEDmAQ//RxJmNOb82mMEyTECRH/EGhMjrQDwt0trpIPXATzMUzCj [...] -----END PGP MESSAGE-----
As you can see, I chose to use the GPG renderer which allows for storing secrets along with your regular pillar data.
This formula also takes care of setting default permissions on the files; keys default to
0600 so forgetting to specify the mode
doesn't result in a security incident due to too open permissions.
All in all it's a simple formula, but one that's proven to be quite nifty nonetheless.