|
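# Deploy the step-certificates (step-ca) Helm release from the bundled chart.
# `wait: true` keeps the task running until the release's resources report
# ready; the ConfigMap lookups in the following block read objects that are
# presumably created by this release, so the wait matters for ordering.
- name: Install step-ca chart
  kubernetes.core.helm:
    name: step-certificates
    chart_ref: /opt/metacluster/helm-charts/step-certificates
    release_namespace: step-ca
    # Canonical booleans: `yes` is a YAML 1.1 truthy alias that yamllint flags
    # and YAML 1.2 parsers read as the string "yes".
    create_namespace: true
    wait: true
    kubeconfig: "{{ kubeconfig.path }}"
    values: "{{ components.stepcertificates.chart_values }}"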
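# Post-install wiring: publish the root CA to other namespaces, expose the CA
# through Traefik with TLS passthrough, and trust the CA on the node itself.
- name: Configure step-ca integration
  block:

    - name: Retrieve configmap w/ root certificate
      kubernetes.core.k8s_info:
        kind: ConfigMap
        name: step-certificates-certs
        namespace: step-ca
        kubeconfig: "{{ kubeconfig.path }}"
      register: stepca_cm_certs

    # Copies only the public root certificate; the CA key is never read here.
    # Secret `data` values must be base64, hence `b64encode`.
    # NOTE(review): `resources[0]` fails the task with an index error when the
    # ConfigMap does not exist (empty `resources` list) — nothing guards for
    # that, so a missing object surfaces as a templating error, not a clear one.
    - name: Store root certificate in namespaced secrets
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: step-certificates-certs
            namespace: "{{ item }}"
          data:
            root_ca.crt: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
        kubeconfig: "{{ kubeconfig.path }}"
      loop:
        - argo-cd
        - kube-system

    # Renders a Traefik IngressRouteTCP into the k3s auto-deploy manifest
    # directory. `passthrough: true` makes Traefik forward the raw TLS stream,
    # so step-certificates terminates TLS with its own certificate.
    - name: Configure step-ca passthrough ingress
      ansible.builtin.template:
        src: ingressroutetcp.j2
        dest: "/var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml"
        owner: root
        group: root
        # Quoted so the parser cannot reinterpret the octal literal as an int.
        mode: "0600"
      vars:
        _template:
          name: step-ca
          namespace: step-ca
          # `|2` fixes the block's base indentation so any extra leading
          # spaces of the embedded lines survive into the rendered manifest.
          # NOTE(review): the original leading whitespace is not recoverable
          # from this listing — confirm the rendered manifest indents as the
          # template expects.
          config: |2
            entryPoints:
              - websecure
            routes:
              - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
                services:
                  - name: step-certificates
                    port: 443
            tls:
              passthrough: true
      notify:
        - Apply manifests

    # Mounts the root CA into the Traefik pod and points LEGO_CA_CERTIFICATES
    # at it so certificates can be requested from the internal CA.
    # NOTE(review): the volume is `type: configMap`, but the task above copies
    # the certificate into kube-system as a *Secret* of the same name, and the
    # only ConfigMap of that name visible here lives in the step-ca namespace.
    # Unless something else creates a kube-system ConfigMap, this looks like a
    # kind mismatch (`type: secret`?) — verify before changing it.
    - name: Inject step-ca certificate into traefik container
      ansible.builtin.blockinfile:
        path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
        # NOTE(review): original leading whitespace of these lines not
        # recoverable from this listing; confirm against the target file.
        block: |2
          volumes:
            - name: step-certificates-certs
              mountPath: /step-ca
              type: configMap
          env:
            - name: LEGO_CA_CERTIFICATES
              value: /step-ca/root_ca.crt
        # The leading space is part of the marker text and is kept verbatim.
        marker: ' # {mark} ANSIBLE MANAGED BLOCK'
      notify:
        - Apply manifests

    # Run the "Apply manifests" handler now rather than at play end, so the
    # Traefik and ingress changes are applied before the CA is bootstrapped.
    - name: Trigger handlers
      ansible.builtin.meta: flush_handlers

    - name: Retrieve step-ca configuration
      kubernetes.core.k8s_info:
        kind: ConfigMap
        name: step-certificates-config
        namespace: step-ca
        kubeconfig: "{{ kubeconfig.path }}"
      register: stepca_cm_config

    # Trusts the CA on the node. The fingerprint read from the cluster's
    # ConfigMap pins which root `step ca bootstrap` accepts, and `--install`
    # adds it to the system trust store; `json_query` needs the jmespath
    # library on the controller.
    # `cmd` is a literal block (`|`), not a folded one (`>-`): folding turns
    # the backslash continuations into escaped-space arguments and glues
    # `update-ca-certificates` onto the step invocation as a positional
    # argument instead of running it as a second command. `set -e` makes the
    # task fail on a bootstrap error instead of reporting only the exit status
    # of the last command.
    - name: Install root CA in system truststore
      ansible.builtin.shell:
        cmd: |
          set -e
          step ca bootstrap \
            --ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \
            --fingerprint={{ stepca_cm_config.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
            --install \
            --force
          update-ca-certificates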