fix: Incorrect secret types;Missing newline in ca-bundle

2023-08-23 13:46:44 +02:00 · 2023-08-23 13:46:44 +02:00 · 21f03ba048
commit 21f03ba048
parent b009395f62
4 changed files with 7 additions and 7 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@ -1,4 +1,5 @@
 - block:
    - name: Install dex
      kubernetes.core.helm:
        name: dex
@ -97,12 +98,11 @@
          type: kubernetes.io/tls
          data:
            - key: tls.crt
-              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
+              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') | b64encode }}"
            - key: tls.key
-              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
+              value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') | b64encode }}"
    # TODO: Migrate to step-ca
    -
    - name: Create pinniped resources
      kubernetes.core.k8s:
        template: "{{ item.kind }}.j2"
@ -112,6 +112,7 @@
        _template:
          name: "{{ item.name }}"
          namespace: "{{ item.namespace }}"
          type: "{{ item.type | default('') }}"
          data: "{{ item.data | default(omit) }}"
          spec: "{{ item.spec | default(omit) }}"
      loop:
@ -121,7 +122,7 @@
          spec: |2
              issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
              tls:
-                certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
+                certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
              authorizationConfig:
                additionalScopes: [offline_access, groups, email]
                allowPasswordGrant: false
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@ -47,6 +47,7 @@
          namespace: "{{ item.namespace }}"
          annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}"
          labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}"
          type: "{{ item.type | default('') }}"
          data: "{{ item.data }}"
      loop:
        - name: argocd-tls-certs-cm
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/templates/secret.j2
@ -3,9 +3,7 @@ kind: Secret
 metadata:
  name: {{ _template.name }}
  namespace: {{ _template.namespace }}
 {% if _template.type is defined %}
 type: {{ _template.type }}
 {% endif %}
 data:
 {% for kv_pair in _template.data %}
  "{{ kv_pair.key }}": {{ kv_pair.value }}
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@ -37,7 +37,7 @@ downstream:
                issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
                audience: {{ vapp['workloadcluster.name'] | lower }}
                tls:
-                  certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
+                  certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ '\n' ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
    sealed-secrets:
      version: 2.8.1  # (= Sealed Secrets v0.20.2)