Packer.Images/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml

- name: Install step-ca chart
  kubernetes.core.helm:
    name: step-certificates
    chart_ref: /opt/metacluster/helm-charts/step-certificates
    release_namespace: step-ca
    create_namespace: yes
    wait: yes
    kubeconfig: "{{ kubeconfig.path }}"
    values: "{{ components.stepcertificates.chart_values }}"

- block:

    - name: Retrieve configmap w/ root certificate
      kubernetes.core.k8s_info:
        kind: ConfigMap
        name: step-certificates-certs
        namespace: step-ca
        kubeconfig: "{{ kubeconfig.path }}"
      register: stepca_cm_certs

    - name: Store root certificate in namespaced secrets
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: step-certificates-certs
            namespace: "{{ item }}"
          data:
            root_ca.crt: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
        kubeconfig: "{{ kubeconfig.path }}"
      loop:
        - argo-cd
        - kube-system

- name: Configure step-ca passthrough ingress
  ansible.builtin.template:
    src: ingressroutetcp.j2
    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
    owner: root
    group: root
    mode: 0600
  vars:
    _template:
      name: step-ca
      namespace: step-ca
      config: |2
          entryPoints:
            - websecure
          routes:
          - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
            services:
            - name: step-certificates
              port: 443
          tls:
            passthrough: true
  notify:
    - Apply manifests

- name: Inject step-ca certificate into traefik container
  ansible.builtin.blockinfile:
    path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
    block: |2
          volumes:
            - name: step-certificates-certs
              mountPath: /step-ca
              type: configMap
          env:
            - name: LEGO_CA_CERTIFICATES
              value: /step-ca/root_ca.crt
    marker: '    # {mark} ANSIBLE MANAGED BLOCK'
  notify:
    - Apply manifests

- name: Trigger handlers
  ansible.builtin.meta: flush_handlers

- name: Retrieve step-ca configuration
  kubernetes.core.k8s_info:
    kind: ConfigMap
    name: step-certificates-config
    namespace: step-ca
    kubeconfig: "{{ kubeconfig.path }}"
  register: stepca_cm_config

- name: Install root CA in system truststore
  ansible.builtin.shell:
    cmd: >-
      step ca bootstrap \
        --ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \
        --fingerprint={{ stepca_cm_config.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
        --install \
        --force
      update-ca-certificates
Split up tasklist;Revert namespace;Distribute root cert 2022-08-27 19:10:51 +00:00			`- name: Install step-ca chart`
			`kubernetes.core.helm:`
			`name: step-certificates`
			`chart_ref: /opt/metacluster/helm-charts/step-certificates`
			`release_namespace: step-ca`
			`create_namespace: yes`
			`wait: yes`
			`kubeconfig: "{{ kubeconfig.path }}"`
			`values: "{{ components.stepcertificates.chart_values }}"`

			`- block:`

			`- name: Retrieve configmap w/ root certificate`
			`kubernetes.core.k8s_info:`
			`kind: ConfigMap`
			`name: step-certificates-certs`
			`namespace: step-ca`
			`kubeconfig: "{{ kubeconfig.path }}"`
			`register: stepca_cm_certs`

			`- name: Store root certificate in namespaced secrets`
			`kubernetes.core.k8s:`
			`state: present`
			`definition:`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: step-certificates-certs`
			`namespace: "{{ item }}"`
			`data:`
			`root_ca.crt: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] \| b64encode }}"`
			`kubeconfig: "{{ kubeconfig.path }}"`
			`loop:`
			`- argo-cd`
			`- kube-system`

			`- name: Configure step-ca passthrough ingress`
			`ansible.builtin.template:`
			`src: ingressroutetcp.j2`
			`dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml`
			`owner: root`
			`group: root`
			`mode: 0600`
			`vars:`
			`_template:`
			`name: step-ca`
			`namespace: step-ca`
			`config: \|2`
			`entryPoints:`
			`- websecure`
			`routes:`
			- match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
			`services:`
			`- name: step-certificates`
			`port: 443`
			`tls:`
			`passthrough: true`
			`notify:`
			`- Apply manifests`

			`- name: Inject step-ca certificate into traefik container`
			`ansible.builtin.blockinfile:`
			`path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml`
			`block: \|2`
			`volumes:`
			`- name: step-certificates-certs`
			`mountPath: /step-ca`
			`type: configMap`
			`env:`
			`- name: LEGO_CA_CERTIFICATES`
			`value: /step-ca/root_ca.crt`
			`marker: ' # {mark} ANSIBLE MANAGED BLOCK'`
			`notify:`
			`- Apply manifests`

			`- name: Trigger handlers`
			`ansible.builtin.meta: flush_handlers`

			`- name: Retrieve step-ca configuration`
			`kubernetes.core.k8s_info:`
			`kind: ConfigMap`
			`name: step-certificates-config`
			`namespace: step-ca`
			`kubeconfig: "{{ kubeconfig.path }}"`
			`register: stepca_cm_config`

			`- name: Install root CA in system truststore`
			`ansible.builtin.shell:`
			`cmd: >-`
			`step ca bootstrap \`
			`--ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \`
			`--fingerprint={{ stepca_cm_config.resources[0].data['defaults.json'] \| from_json \| json_query('fingerprint') }} \`
			`--install \`
			`--force`
			`update-ca-certificates`