From 46fe962e77cb13b8ba81fc7d24c105f8f2d48db3 Mon Sep 17 00:00:00 2001
From: djpbessems <danny@bessems.eu>
Date: Tue, 11 Jun 2024 21:57:38 +1000
Subject: [PATCH] chore: Duplicate certificate provisioner w/ custom claims

---
 .../roles/metacluster/tasks/certauthority.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
index 75af6b5..cb26f45 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -8,6 +8,34 @@
             combine( components['step-certificates'].chart_values | from_yaml, recursive=True, list_merge='append')
           }}
 
+    - name: Duplicate default provisioner with modified claims
+      ansible.builtin.set_fact:
+        values_new: |
+          {{
+            values_initial |
+              combine({'inject':{'config':{'files':{'ca.json':{'authority': {'provisioners': [
+                values_initial.inject.config.files['ca.json'].authority.provisioners[0] | combine({'name':'long-lived', 'claims':{'maxTLSCertDuration':'87660h'}})
+              ]}}}}}}, list_merge='append_rp', recursive=true)
+          }}
+
+    # We're facing several bugs or niche cases that result in incorrect output, despite being behaviour by design:
+    # - Ansible's `to_yaml` filter, sees `\n` escape sequences in PEM certificate strings and correctly converts them to actual newlines - without any way to prevent this
+    #   So we cannot rely on Ansible to (re)create the helm chart values file
+    # - Python's yaml interpreter sees strings with a value of `y` as short for `yes` or `true`, even when that string is a key name.
+    #   So we cannot use a straightforward yaml document as input for the Ansible helm module (which is written in Python)
+    #
+    # Lets explain the following workaround steps:
+    # - First we convert the dictionary to a json-object (through Ansible), so that yq can read it
+    # - Second we convert the json-object in its entirety to yaml (through yq), so that yq can actually manipulate it.
+    # - Finally, we take one specific subkey's contents (list of dictionaries) and iterate over each with the following steps (with `map`):
+    #   - Convert the dictionary to json with `tojson`
+    #   - Remove newlines (and spaces) with `sub`
+    #   - Remove outer quotes (') with `sed`
+    - name: Save updated values file
+      ansible.builtin.shell:
+        cmd: |
+          echo '{{ values_new | to_nice_json }}' | yq -p json -o yaml | yq e '.inject.config.files["ca.json"].authority.provisioners |= map(tojson | sub("[\n ]";""))' | sed -e "s/- '/- /;s/'$//" > {{ stepconfig.path }}
+
     - name: Install step-ca chart
       kubernetes.core.helm:
         name: step-certificates