chore: Duplicate certificate provisioner w/ custom claims

2024-06-11 21:57:38 +10:00 · 2024-06-11 21:57:38 +10:00 · 46fe962e77
parent 74070f266c
commit 46fe962e77
1 changed files with 28 additions and 0 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@ -8,6 +8,34 @@
            combine( components['step-certificates'].chart_values | from_yaml, recursive=True, list_merge='append')
          }}

+    - name: Duplicate default provisioner with modified claims
+      ansible.builtin.set_fact:
+        values_new: |
+          {{
+            values_initial |
+              combine({'inject':{'config':{'files':{'ca.json':{'authority': {'provisioners': [
+                values_initial.inject.config.files['ca.json'].authority.provisioners[0] | combine({'name':'long-lived', 'claims':{'maxTLSCertDuration':'87660h'}})
+              ]}}}}}}, list_merge='append_rp', recursive=true)
+          }}
+
+    # We're facing several bugs or niche cases that result in incorrect output, despite being behaviour by design:
+    # - Ansible's `to_yaml` filter, sees `\n` escape sequences in PEM certificate strings and correctly converts them to actual newlines - without any way to prevent this
+    #   So we cannot rely on Ansible to (re)create the helm chart values file
+    # - Python's yaml interpreter sees strings with a value of `y` as short for `yes` or `true`, even when that string is a key name.
+    #   So we cannot use a straightforward yaml document as input for the Ansible helm module (which is written in Python)
+    #
+    # Lets explain the following workaround steps:
+    # - First we convert the dictionary to a json-object (through Ansible), so that yq can read it
+    # - Second we convert the json-object in its entirety to yaml (through yq), so that yq can actually manipulate it.
+    # - Finally, we take one specific subkey's contents (list of dictionaries) and iterate over each with the following steps (with `map`):
+    #   - Convert the dictionary to json with `tojson`
+    #   - Remove newlines (and spaces) with `sub`
+    #   - Remove outer quotes (') with `sed`
+    - name: Save updated values file
+      ansible.builtin.shell:
+        cmd: |
+          echo '{{ values_new | to_nice_json }}' | yq -p json -o yaml | yq e '.inject.config.files["ca.json"].authority.provisioners |= map(tojson | sub("[\n ]";""))' | sed -e "s/- '/- /;s/'$//" > {{ stepconfig.path }}
+
    - name: Install step-ca chart
      kubernetes.core.helm:
        name: step-certificates