From 8d13b527beca9f4f01f63a44d7b2e526828d6db8 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Tue, 30 Aug 2022 21:14:51 +0200
Subject: [PATCH] Store certificate in configmap/secret dynamically;Remove helmchart values
---
.../roles/metacluster/tasks/certauthority.yml | 30 ++++++----
.../roles/metacluster/tasks/init.yml | 1 +
.../ansible_payload/templates/configmap.j2 | 9 +++
ansible/vars/metacluster.yml | 58 +++++++++----------
4 files changed, 59 insertions(+), 39 deletions(-)
create mode 100644 ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
index c9f0da9..d1bbdd3 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
@@ -26,24 +26,34 @@ - argo-cd # - kube-system -- name: Store root certificate in namespaced secrets +- name: Store root certificate in namespaced configmaps/secrets kubernetes.core.k8s: state: present - template: secret.j2 + template: "{{ item.kind }}.j2" kubeconfig: "{{ kubeconfig.path }}" vars: _template: - name: step-certificates-certs + name: "{{ item.name }}" namespace: "{{ item.namespace }}" - key: "{{ item.filename }}" - value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}" + labels: "{{ item.labels | default({}) | indent(width=4, indent=True) }}" + key: "{{ item.key }}" + value: "{{ item.value }}" loop: - - namespace: argo-cd - filename: custom-ca-certificates.crt - - namespace: kube-system - filename: root_ca.crt + - name: argocd-tls-certs-cm + namespace: argo-cd + kind: configmap + labels: | + app.kubernetes.io/name: argocd-cm + app.kubernetes.io/part-of: argocd + key: git.{{ vapp['metacluster.fqdn'] }} + value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}" + - name: step-certificates-certs + namespace: kube-system + kind: secret + key: root_ca.crt + value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}" loop_control: - label: "{{ item.namespace }}" + label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}" - name: Configure step-ca passthrough ingress ansible.builtin.template:
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml
index a28eb42..ff0be03 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml
@@ -5,6 +5,7 @@ state: present loop: # TODO: Make this list dynamic + - ca - git - gitops - ingress
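Review bot: The new `labels` line calls Jinja2's indent filter with an `indent=True` keyword; as far as I know that filter's first-line flag is named `first` (`indentfirst` in older Jinja2 releases) and an unknown keyword raises a TypeError when the template is rendered, so this should be checked on the Jinja2 version Ansible ships and probably written as `indent(width=4, first=True)`. The `default({})` fallback also hands the filter a dict rather than a string, which it cannot indent; `default('')` is the safer fallback, and with Ansible's lazy templating the problem only surfaces once a template actually references `_template.labels`. The new argo-cd item passes the certificate through without base64 encoding, i.e. presumably as multi-line PEM text, so the configmap.j2 it selects has to render `_template.value` as a block scalar rather than inline. The namespace list this hunk opens on and the `Configure step-ca passthrough ingress` task it ends on both continue outside the hunk.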
diff --git a/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2 b/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
new file mode 100644
index 0000000..fe4a625
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ _template.name }}
+ namespace: {{ _template.namespace }}
+ labels:
+{{ _template.labels }}
+data:
+ "{{ _template.key }}": {{ _template.value }}
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 5c0bbbf..6a3ad5b 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -149,26 +149,26 @@ components: configs: secret: argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}" - controller: - volumeMounts: - - name: custom-ca-certificates - mountPath: /etc/ssl/certs/custom-ca-certificates.crt - subPath: custom-ca-certificates.crt - volumes: - - name: custom-ca-certificates - secret: - defaultMode: 420 - secretName: step-certificates-certs - repoServer: - volumeMounts: - - name: custom-ca-certificates - mountPath: /etc/ssl/certs/custom-ca-certificates.crt - subPath: custom-ca-certificates.crt - volumes: - - name: custom-ca-certificates - secret: - defaultMode: 420 - secretName: step-certificates-certs + # controller: + # volumeMounts: + # - name: custom-ca-certificates + # mountPath: /etc/ssl/certs/custom-ca-certificates.crt + # subPath: custom-ca-certificates.crt + # volumes: + # - name: custom-ca-certificates + # secret: + # defaultMode: 420 + # secretName: step-certificates-certs + # repoServer: + # volumeMounts: + # - name: custom-ca-certificates + # mountPath: /etc/ssl/certs/custom-ca-certificates.crt + # subPath: custom-ca-certificates.crt + # volumes: + # - name: custom-ca-certificates + # secret: + # defaultMode: 420 + # secretName: step-certificates-certs server: extraArgs: - --insecure
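Review bot: The `data` entry on the last line renders `_template.value` inline, but the only caller added in this commit (the argo-cd item in certauthority.yml) passes the step-ca root certificate without base64 encoding, which is presumably multi-line PEM text; rendered inline, its continuation lines land at column 0 and the resulting ConfigMap manifest is not valid YAML. Render the value as a block scalar instead, `"{{ _template.key }}": |` followed by a line `    {{ _template.value | indent(4) }}`, which also stays correct for single-line values. Note the four leading spaces have to be written on that line, because Jinja2's indent filter leaves the first line un-indented unless asked otherwise.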
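Review bot: The controller and repoServer volume blocks are commented out rather than removed, although the commit title says these helm-chart values are being removed; the leftover lines still name `secretName: step-certificates-certs` for the argo-cd namespace, where the certauthority task no longer creates that secret (it now writes the configmap `argocd-tls-certs-cm` there), so re-enabling the block would not restore the old behaviour. Delete the commented lines here and in the second hunk of this file (the `server:` volumeMounts/volumes block) and let git history keep them; if they are intentionally kept for a later revert, a one-line comment above each block saying why and which secret has to exist first would make that explicit. The `components:` mapping these values belong to starts and ends outside the hunk.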
@@ -176,15 +176,15 @@ components: enabled: true hosts: - gitops.{{ vapp['metacluster.fqdn'] }} - volumeMounts: - - name: custom-ca-certificates - mountPath: /etc/ssl/certs/custom-ca-certificates.crt - subPath: custom-ca-certificates.crt - volumes: - - name: custom-ca-certificates - secret: - defaultMode: 420 - secretName: step-certificates-certs + # volumeMounts: + # - name: custom-ca-certificates + # mountPath: /etc/ssl/certs/custom-ca-certificates.crt + # subPath: custom-ca-certificates.crt + # volumes: + # - name: custom-ca-certificates + # secret: + # defaultMode: 420 + # secretName: step-certificates-certs sealed-secrets: helm: