From 9a3898e0b8553b389f772d28b5783a3782f0d841 Mon Sep 17 00:00:00 2001
From: Danny Bessems <danny@bessems.eu>
Date: Wed, 24 Aug 2022 17:44:30 +0200
Subject: [PATCH] Retrieve step-ca more reliably;Configure step-ca admin
 credentials

---
 .../roles/metacluster/tasks/main.yml              | 15 ++++++++-------
 ansible/vars/metacluster.yml                      | 11 ++++-------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index 426f11a..5d24fc3 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -131,7 +131,7 @@
           entryPoints:
             - websecure
           routes:
-          - match: HostSNI(`ca.{{ vapp['metadata.fqdn'] }}`)
+          - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
             services:
             - name: step-certificates
               port: 443
@@ -144,20 +144,21 @@
   ansible.builtin.meta: flush_handlers
 
 - name: Retrieve step-ca configuration
-  kubernetes.core.k8s_log:
-    kind: Job
+  kubernetes.core.k8s_info:
+    kind: ConfigMap
     name: step-certificates
     namespace: step-ca
     kubeconfig: "{{ kubeconfig.path }}"
-  register: stepca_bootstraplog
+  register: stepca_configmap
 
 - name: Install root CA in system truststore
   ansible.builtin.shell:
     cmd: |
       step ca bootstrap \
-        --ca-url={{ stepca_bootstraplog.log | regex_search('CA URL: (.+)', '\\1') | first }} \
-        --fingerprint={{ stepca_bootstraplog.log | regex_search('CA Fingerprint: (.+)', '\\1') | first }} \
-        --install
+        --ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \
+        --fingerprint={{ stepca_configmap.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
+        --install \
+        --force
 
 - name: Install harbor chart
   kubernetes.core.helm:
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 9aa82d3..00d43e1 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -70,17 +70,14 @@ components:
       chart_values: !unsafe |
         ca:
           dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
+          password: "{{ vapp['guestinfo.rootpw'] }}"
+          provisioner:
+            name: admin
+            password: "{{ vapp['guestinfo.rootpw'] }}"
         inject:
           secrets:
             ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
             provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
-        # ingress:
-        #   enabled: true
-        #   hosts:
-        #     - host: ca.{{ vapp['metacluster.fqdn'] }}
-        #       paths:
-        #         - path: /
-        #           pathType: Prefix
         service:
           targetPort: 9000