Add acme provisioner;Force system certs update

2022-08-25 08:22:28 +02:00 · 2022-08-25 08:22:28 +02:00 · 1c43bb19d2
parent 9a3898e0b8
commit 1c43bb19d2
2 changed files with 9 additions and 0 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@ -159,6 +159,7 @@
        --fingerprint={{ stepca_configmap.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
        --install \
        --force
+      update-ca-certificates

 - name: Install harbor chart
  kubernetes.core.helm:
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -69,6 +69,14 @@ components:
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
      chart_values: !unsafe |
        ca:
+        bootstrap:
+          postInitHook: |
+            echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile
+            step ca provisioner add acme \
+              --type ACME \
+              --password-file=~/pwfile \
+              --force-cn
+            rm ~/pwfile
          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
          password: "{{ vapp['guestinfo.rootpw'] }}"
          provisioner: