Migrate from helm-controlled ingress to passthrough ingressRoute

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml

@@ -116,6 +116,33 @@
     kubeconfig: "{{ kubeconfig.path }}"
     values: "{{ components.stepcertificates.chart_values }}"
 
+- name: Configure step-ca passthrough ingress
+  ansible.builtin.template:
+    src: ingressroutetcp.j2
+    dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
+    owner: root
+    group: root
+    mode: 0600
+  vars:
+    _template:
+      name: step-ca
+      namespace: step-ca
+      config: |2
+          entryPoints:
+            - websecure
+          routes:
+          - match: HostSNI(`ca.{{ vapp['metadata.fqdn'] }}`)
+            services:
+            - name: step-certificates
+              port: 443
+          tls:
+            passthrough: true
+  notify:
+    - Apply manifests
+
+- name: Trigger handlers
+  ansible.builtin.meta: flush_handlers
+
 - name: Retrieve step-ca configuration
   kubernetes.core.k8s_log:
     kind: Job

ansible/vars/metacluster.yml

@@ -68,17 +68,19 @@ components:
       chart: smallstep/step-certificates
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
       chart_values: !unsafe |
+        ca:
+          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
         inject:
           secrets:
             ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
             provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
-        ingress:
-          enabled: true
-          hosts:
-            - host: ca.{{ vapp['metacluster.fqdn'] }}
-              paths:
-                - path: /
-                  pathType: Prefix
+        # ingress:
+        #   enabled: true
+        #   hosts:
+        #     - host: ca.{{ vapp['metacluster.fqdn'] }}
+        #       paths:
+        #         - path: /
+        #           pathType: Prefix
         service:
           targetPort: 9000