djpbessems/Packer.Images
djpbessems/Packer.Images
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Disable Harbor tls (rely on Traefik);Configure Traefik with custom certResolver;Retrieve & install root ca in truststore
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Danny Bessems 2022-08-23 14:31:53 +02:00
parent 1cd7e1510f
commit 585e39cb97
2 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
View File

@ -116,6 +116,22 @@
kubeconfig: "{{ kubeconfig.path }}" kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components.stepcertificates.chart_values }}" values: "{{ components.stepcertificates.chart_values }}"
- name: Retrieve step-ca configuration
kubernetes.core.k8s_log:
kind: Job
name: step-certificates
namespace: step-ca
kubeconfig: "{{ kubeconfig.path }}"
register: stepca_bootstraplog
- name: Install root CA in system truststore
ansible.builtin.shell:
cmd: |
step ca bootstrap \
--ca-url={{ stepca_bootstraplog.log | regex_search('CA URL: (.+)', '\\1') | first }} \
--fingerprint={{ stepca_bootstraplog.log | regex_search('CA Fingerprint: (.+)', '\\1') | first }} \
--install
- name: Install harbor chart - name: Install harbor chart
kubernetes.core.helm: kubernetes.core.helm:
name: harbor name: harbor

17
ansible/vars/metacluster.yml
View File

@ -13,16 +13,23 @@ platform:
- name: traefik - name: traefik
namespace: kube-system namespace: kube-system
config: |2 config: |2
additionalArguments:
- "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
- "--certificatesResolvers.stepca.acme.email=admin"
- "--certificatesResolvers.stepca.acme.httpChallenge=true"
- "--certificatesResolvers.stepca.acme.httpChallenge.entryPoint=web"
- "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
- "--certificatesResolvers.stepca.acme.tlsChallenge=true"
globalArguments: [] globalArguments: []
ingressRoute:
dashboard:
enabled: false
ports: ports:
ssh: ssh:
port: 8022 port: 8022
protocol: TCP protocol: TCP
web: web:
redirectTo: websecure redirectTo: websecure
ingressRoute:
dashboard:
enabled: false
helm_repositories: helm_repositories:
- name: longhorn - name: longhorn
@ -83,8 +90,12 @@ components:
chart_values: !unsafe | chart_values: !unsafe |
expose: expose:
ingress: ingress:
annotations: {}
hosts: hosts:
core: registry.{{ vapp['metacluster.fqdn'] }} core: registry.{{ vapp['metacluster.fqdn'] }}
tls:
certSource: none
enabled: false
externalURL: https://registry.{{ vapp['metacluster.fqdn'] }} externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}" harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}"
notary: notary: