From 9a3898e0b8553b389f772d28b5783a3782f0d841 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Wed, 24 Aug 2022 17:44:30 +0200
Subject: [PATCH] Retrieve step-ca more reliably;Configure step-ca admin credentials
---
 .../roles/metacluster/tasks/main.yml | 15 ++++++++-------
 ansible/vars/metacluster.yml | 11 ++++-------
 2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index 426f11a..5d24fc3 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -131,7 +131,7 @@
 entryPoints:
 - websecure
 routes:
- - match: HostSNI(`ca.{{ vapp['metadata.fqdn'] }}`)
+ - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
 services:
 - name: step-certificates
 port: 443
@@ -144,20 +144,21 @@
 ansible.builtin.meta: flush_handlers
 
 - name: Retrieve step-ca configuration
- kubernetes.core.k8s_log:
- kind: Job
+ kubernetes.core.k8s_info:
+ kind: ConfigMap
 name: step-certificates
 namespace: step-ca
 kubeconfig: "{{ kubeconfig.path }}"
- register: stepca_bootstraplog
+ register: stepca_configmap
 
 - name: Install root CA in system truststore
 ansible.builtin.shell:
 cmd: |
 step ca bootstrap \
- --ca-url={{ stepca_bootstraplog.log | regex_search('CA URL: (.+)', '\\1') | first }} \
- --fingerprint={{ stepca_bootstraplog.log | regex_search('CA Fingerprint: (.+)', '\\1') | first }} \
- --install
+ --ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \
+ --fingerprint={{ stepca_configmap.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
+ --install \
+ --force
 
 - name: Install harbor chart
 kubernetes.core.helm:
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 9aa82d3..00d43e1 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
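Review bot: `stepca_configmap.resources[0]` in the new `--fingerprint=` line assumes the ConfigMap already exists, but `kubernetes.core.k8s_info` returns an empty `resources` list rather than failing when nothing matches, so a run that reaches this task before the chart has created the ConfigMap dies on an index error instead of waiting; since the commit is about retrieving the CA details more reliably, give the `Retrieve step-ca configuration` task `until: stepca_configmap.resources | length > 0`, `retries: 10` and `delay: 5`. `json_query` also pulls the jmespath dependency onto the controller for a single key lookup; `(stepca_configmap.resources[0].data['defaults.json'] | from_json).fingerprint` yields the same value without it. Because the fingerprint is expanded into a shell command line, quote it, `--fingerprint='{{ ... }}'`, so an unexpected character in the ConfigMap data cannot break the command. `--force` presumably exists so re-runs do not stop on an existing bootstrap; a one-line comment above the task stating that, e.g. `# --force: overwrite a previous bootstrap so re-runs stay idempotent`, would save the next reader a lookup.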
@@ -70,17 +70,14 @@ components:
 chart_values: !unsafe |
 ca:
 dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
+ password: "{{ vapp['guestinfo.rootpw'] }}"
+ provisioner:
+ name: admin
+ password: "{{ vapp['guestinfo.rootpw'] }}"
 inject:
 secrets:
 ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
 provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
- # ingress:
- # enabled: true
- # hosts:
- # - host: ca.{{ vapp['metacluster.fqdn'] }}
- # paths:
- # - path: /
- # pathType: Prefix
 service:
 targetPort: 9000
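Review bot: The new `ca.password` and `ca.provisioner.password` lines put the guest root password (`vapp['guestinfo.rootpw']`) into the chart values in the clear, while the two `inject.secrets` lines just below already carry the same value base64-encoded, so the credential now sits in the rendered values twice; Helm by default keeps release values in a Secret in the release namespace, so anyone who can read that Secret gets the root password along with the CA key password. If the chart consumes only one of the two forms, drop the other, and since the CA key and provisioner passwords are not a login credential, a dedicated generated value (its own vApp property or a vaulted variable) would keep a leak of one from exposing the other. The removed `#` lines are commented-out ingress config, so that part of the hunk changes nothing at runtime. This whole block is a `!unsafe |` scalar, so the `{{ ... }}` expressions are passed through literally; a short comment above `chart_values` noting where they are presumably rendered would help the next reader.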