Split up tasklist;Revert namespace;Distribute root cert

2022-08-27 21:10:51 +02:00
parent bd7c1f92e8
commit 675dce4160
11 changed files with 489 additions and 447 deletions
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -14,7 +14,7 @@ platform:
      namespace: kube-system
      config: |2
            additionalArguments:
-              - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.kube-system.svc.cluster.local/acme/acme/directory"
+              - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
              - "--certificatesResolvers.stepca.acme.email=admin"
              - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
              - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
@ -79,7 +79,7 @@ components:
                --password-file=~/pwfile \
                --force-cn
              rm ~/pwfile
-          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.kube-system.svc.cluster.local,127.0.0.1
+          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
          password: "{{ vapp['guestinfo.rootpw'] }}"
          provisioner:
            name: admin
@ -144,6 +144,29 @@ components:
      chart: argo/argo-cd
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      chart_values: !unsafe |
+        configs:
+          secret:
+            argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
+        controller:
+          volumeMounts:
+            - name: custom-ca-certificates
+              mountPath: /etc/ssl/certs/root_ca.crt
+              subPath: root_ca.crt
+          volumes:
+            - name: custom-ca-certificates
+              secret:
+                defaultMode: 420
+                secretName: step-certificates-certs
+        repoServer:
+          volumeMounts:
+            - name: custom-ca-certificates
+              mountPath: /etc/ssl/certs/root_ca.crt
+              subPath: root_ca.crt
+          volumes:
+            - name: custom-ca-certificates
+              secret:
+                defaultMode: 420
+                secretName: step-certificates-certs
        server:
          extraArgs:
            - --insecure
@ -151,9 +174,15 @@ components:
            enabled: true
            hosts:
              - gitops.{{ vapp['metacluster.fqdn'] }}
-        configs:
-          secret:
-            argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
+          volumeMounts:
+            - name: custom-ca-certificates
+              mountPath: /etc/ssl/certs/root_ca.crt
+              subPath: root_ca.crt
+          volumes:
+            - name: custom-ca-certificates
+              secret:
+                defaultMode: 420
+                secretName: step-certificates-certs

  sealed-secrets:
    helm: