From 46fe962e77cb13b8ba81fc7d24c105f8f2d48db3 Mon Sep 17 00:00:00 2001
From: djpbessems
Date: Tue, 11 Jun 2024 21:57:38 +1000
Subject: [PATCH] chore: Duplicate certificate provisioner w/ custom claims

---
 .../roles/metacluster/tasks/certauthority.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
index 75af6b5..cb26f45 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -8,6 +8,34 @@ combine(
 components['step-certificates'].chart_values | from_yaml,
 recursive=True,
 list_merge='append') }}
+ - name: Duplicate default provisioner with modified claims
+ ansible.builtin.set_fact:
+ values_new: |
+ {{
+ values_initial |
+ combine({'inject':{'config':{'files':{'ca.json':{'authority': {'provisioners': [
+ values_initial.inject.config.files['ca.json'].authority.provisioners[0] | combine({'name':'long-lived', 'claims':{'maxTLSCertDuration':'87660h'}})
+ ]}}}}}}, list_merge='append_rp', recursive=true)
+ }}
+
+ # We're facing several bugs or niche cases that result in incorrect output, despite being behaviour by design:
+ # - Ansible's `to_yaml` filter, sees `\n` escape sequences in PEM certificate strings and correctly converts them to actual newlines - without any way to prevent this
+ # So we cannot rely on Ansible to (re)create the helm chart values file
+ # - Python's yaml interpreter sees strings with a value of `y` as short for `yes` or `true`, even when that string is a key name.
+ # So we cannot use a straightforward yaml document as input for the Ansible helm module (which is written in Python)
+ #
+ # Lets explain the following workaround steps:
+ # - First we convert the dictionary to a json-object (through Ansible), so that yq can read it
+ # - Second we convert the json-object in its entirety to yaml (through yq), so that yq can actually manipulate it.
+ # - Finally, we take one specific subkey's contents (list of dictionaries) and iterate over each with the following steps (with `map`):
+ # - Convert the dictionary to json with `tojson`
+ # - Remove newlines (and spaces) with `sub`
+ # - Remove outer quotes (') with `sed`
+ - name: Save updated values file
+ ansible.builtin.shell:
+ cmd: |
+ echo '{{ values_new | to_nice_json }}' | yq -p json -o yaml | yq e '.inject.config.files["ca.json"].authority.provisioners |= map(tojson | sub("[\n ]";""))' | sed -e "s/- '/- /;s/'$//" > {{ stepconfig.path }}
+
 - name: Install step-ca chart
 kubernetes.core.helm:
 name: step-certificates
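Review bot: The `echo '{{ values_new | to_nice_json }}'` in the new `Save updated values file` task embeds the entire rendered JSON in one single-quoted shell word, so any `'` inside a value (a PEM block, a provisioner name, a subject) terminates the quoting and the rest of the document is interpreted by the shell, and if `/bin/sh` is dash its builtin `echo` also expands the `\n` escapes in the PEM strings, reintroducing exactly the newline problem the comment above describes. Feeding the document through the module's `stdin` parameter avoids both: drop the `echo ... |` prefix from `cmd` and add `stdin: "{{ values_new | to_nice_json }}"` (or write it to a temporary file with `ansible.builtin.copy` and let the first `yq` read that file). The task also has no `changed_when`, so it reports changed on every run. Separately, the `long-lived` entry is `provisioners[0]` with only `name` and `claims` replaced, so it presumably shares that provisioner's key material and anyone holding the default credential can now obtain 87660h (roughly ten-year) certificates; a comment such as `# long-lived: same key as the default provisioner, only maxTLSCertDuration differs - intended for <who>` stating who is meant to use it and why that lifetime is acceptable would help the next reader.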