diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml index 90eddff..46e458d 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml @@ -1,4 +1,5 @@ - block: + - name: Install dex kubernetes.core.helm: name: dex @@ -97,12 +98,11 @@ type: kubernetes.io/tls data: - key: tls.crt - value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}" + value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') | b64encode }}" - key: tls.key - value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}" + value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') | b64encode }}" # TODO: Migrate to step-ca - - - name: Create pinniped resources kubernetes.core.k8s: template: "{{ item.kind }}.j2" @@ -112,6 +112,7 @@ _template: name: "{{ item.name }}" namespace: "{{ item.namespace }}" + type: "{{ item.type | default('') }}" data: "{{ item.data | default(omit) }}" spec: "{{ item.spec | default(omit) }}" loop: @@ -121,7 +122,7 @@ spec: |2 issuer: https://idps.{{ vapp['metacluster.fqdn'] }} tls: - certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}" + certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}" authorizationConfig: additionalScopes: [offline_access, groups, email] allowPasswordGrant: false diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml index 190404f..6d2dff1 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml @@ -47,6 +47,7 @@ namespace: "{{ item.namespace }}" annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}" labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}" + type: "{{ item.type | default('') }}" data: "{{ item.data }}" loop: - name: argocd-tls-certs-cm diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2 b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2 index 98eb72d..c642a71 100644 --- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2 +++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2 @@ -3,9 +3,7 @@ kind: Secret metadata: name: {{ _template.name }} namespace: {{ _template.namespace }} -{% if _template.type is defined %} type: {{ _template.type }} -{% endif %} data: {% for kv_pair in _template.data %} "{{ kv_pair.key }}": {{ kv_pair.value }} diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml index b87ba80..f4cfd45 100644 --- a/ansible/vars/workloadcluster.yml +++ b/ansible/vars/workloadcluster.yml @@ -37,7 +37,7 @@ downstream: issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso audience: {{ vapp['workloadcluster.name'] | lower }} tls: - certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}" + certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}" sealed-secrets: version: 2.8.1 # (= Sealed Secrets v0.20.2)