Store certificate in configmap/secret dynamically;Remove helmchart values

2022-08-30 21:14:51 +02:00 · 2022-08-30 21:14:51 +02:00 · 8d13b527be
commit 8d13b527be
parent d8299ee90c
4 changed files with 59 additions and 39 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml
@ -26,24 +26,34 @@
    - argo-cd
    # - kube-system

- name: Store root certificate in namespaced secrets
+- name: Store root certificate in namespaced configmaps/secrets
  kubernetes.core.k8s:
    state: present
-    template: secret.j2
+    template: "{{ item.kind }}.j2"
    kubeconfig: "{{ kubeconfig.path }}"
  vars:
    _template:
-      name: step-certificates-certs
+      name: "{{ item.name }}"
      namespace: "{{ item.namespace }}"
-      key: "{{ item.filename }}"
-      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
+      labels: "{{ item.labels | default({}) | indent(width=4, indent=True) }}"
+      key: "{{ item.key }}"
+      value: "{{ item.value }}"
  loop:
-    - namespace: argo-cd
-      filename: custom-ca-certificates.crt
-    - namespace: kube-system
-      filename: root_ca.crt
+    - name: argocd-tls-certs-cm
+      namespace: argo-cd
+      kind: configmap
+      labels: |
+        app.kubernetes.io/name: argocd-cm
+        app.kubernetes.io/part-of: argocd
+      key: git.{{ vapp['metacluster.fqdn'] }}
+      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+    - name: step-certificates-certs
+      namespace: kube-system
+      kind: secret
+      key: root_ca.crt
+      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
  loop_control:
-    label: "{{ item.namespace }}"
+    label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"

 - name: Configure step-ca passthrough ingress
  ansible.builtin.template:
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/init.yml
@ -5,6 +5,7 @@
    state: present
  loop:
    # TODO: Make this list dynamic
+    - ca
    - git
    - gitops
    - ingress
--- a/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ _template.name }}
+  namespace: {{ _template.namespace }}
+  labels:
+{{ _template.labels }}
+data:
+  "{{ _template.key }}": {{ _template.value }}
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -149,26 +149,26 @@ components:
        configs:
          secret:
            argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
-        controller:
-          volumeMounts:
-            - name: custom-ca-certificates
-              mountPath: /etc/ssl/certs/custom-ca-certificates.crt
-              subPath: custom-ca-certificates.crt
-          volumes:
-            - name: custom-ca-certificates
-              secret:
-                defaultMode: 420
-                secretName: step-certificates-certs
-        repoServer:
-          volumeMounts:
-            - name: custom-ca-certificates
-              mountPath: /etc/ssl/certs/custom-ca-certificates.crt
-              subPath: custom-ca-certificates.crt
-          volumes:
-            - name: custom-ca-certificates
-              secret:
-                defaultMode: 420
-                secretName: step-certificates-certs
+        # controller:
+        #   volumeMounts:
+        #     - name: custom-ca-certificates
+        #       mountPath: /etc/ssl/certs/custom-ca-certificates.crt
+        #       subPath: custom-ca-certificates.crt
+        #   volumes:
+        #     - name: custom-ca-certificates
+        #       secret:
+        #         defaultMode: 420
+        #         secretName: step-certificates-certs
+        # repoServer:
+        #   volumeMounts:
+        #     - name: custom-ca-certificates
+        #       mountPath: /etc/ssl/certs/custom-ca-certificates.crt
+        #       subPath: custom-ca-certificates.crt
+        #   volumes:
+        #     - name: custom-ca-certificates
+        #       secret:
+        #         defaultMode: 420
+        #         secretName: step-certificates-certs
        server:
          extraArgs:
            - --insecure
@ -176,15 +176,15 @@ components:
            enabled: true
            hosts:
              - gitops.{{ vapp['metacluster.fqdn'] }}
-          volumeMounts:
-            - name: custom-ca-certificates
-              mountPath: /etc/ssl/certs/custom-ca-certificates.crt
-              subPath: custom-ca-certificates.crt
-          volumes:
-            - name: custom-ca-certificates
-              secret:
-                defaultMode: 420
-                secretName: step-certificates-certs
+        #   volumeMounts:
+        #     - name: custom-ca-certificates
+        #       mountPath: /etc/ssl/certs/custom-ca-certificates.crt
+        #       subPath: custom-ca-certificates.crt
+        #   volumes:
+        #     - name: custom-ca-certificates
+        #       secret:
+        #         defaultMode: 420
+        #         secretName: step-certificates-certs

  sealed-secrets:
    helm: