Retrieve step-ca more reliably;Configure step-ca admin credentials

2022-08-24 17:44:30 +02:00 · 2022-08-24 17:44:30 +02:00 · 9a3898e0b8
parent a3da5b8f93
commit 9a3898e0b8
2 changed files with 12 additions and 14 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@ -131,7 +131,7 @@
          entryPoints:
            - websecure
          routes:
-          - match: HostSNI(`ca.{{ vapp['metadata.fqdn'] }}`)
+          - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
            services:
            - name: step-certificates
              port: 443
@ -144,20 +144,21 @@
  ansible.builtin.meta: flush_handlers
 - name: Retrieve step-ca configuration
-  kubernetes.core.k8s_log:
+  kubernetes.core.k8s_info:
-    kind: Job
+    kind: ConfigMap
    name: step-certificates
    namespace: step-ca
    kubeconfig: "{{ kubeconfig.path }}"
-  register: stepca_bootstraplog
+  register: stepca_configmap
 - name: Install root CA in system truststore
  ansible.builtin.shell:
    cmd: |
      step ca bootstrap \
-        --ca-url={{ stepca_bootstraplog.log | regex_search('CA URL: (.+)', '\\1') | first }} \
+        --ca-url=https://ca.{{ vapp['metacluster.fqdn'] }} \
-        --fingerprint={{ stepca_bootstraplog.log | regex_search('CA Fingerprint: (.+)', '\\1') | first }} \
+        --fingerprint={{ stepca_configmap.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
-        --install
+        --install \
        --force
 - name: Install harbor chart
  kubernetes.core.helm:
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -70,17 +70,14 @@ components:
      chart_values: !unsafe |
        ca:
          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
          password: "{{ vapp['guestinfo.rootpw'] }}"
          provisioner:
            name: admin
            password: "{{ vapp['guestinfo.rootpw'] }}"
        inject:
          secrets:
            ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
            provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
        # ingress:
        #   enabled: true
        #   hosts:
        #     - host: ca.{{ vapp['metacluster.fqdn'] }}
        #       paths:
        #         - path: /
        #           pathType: Prefix
        service:
          targetPort: 9000