diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml index d1f09af..426f11a 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml @@ -116,6 +116,33 @@ kubeconfig: "{{ kubeconfig.path }}" values: "{{ components.stepcertificates.chart_values }}" +- name: Configure step-ca passthrough ingress + ansible.builtin.template: + src: ingressroutetcp.j2 + dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml + owner: root + group: root + mode: 0600 + vars: + _template: + name: step-ca + namespace: step-ca + config: |2 + entryPoints: + - websecure + routes: + - match: HostSNI(`ca.{{ vapp['metadata.fqdn'] }}`) + services: + - name: step-certificates + port: 443 + tls: + passthrough: true + notify: + - Apply manifests + +- name: Trigger handlers + ansible.builtin.meta: flush_handlers + - name: Retrieve step-ca configuration kubernetes.core.k8s_log: kind: Job diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml index 7c6c7c3..9aa82d3 100644 --- a/ansible/vars/metacluster.yml +++ b/ansible/vars/metacluster.yml @@ -68,17 +68,19 @@ components: chart: smallstep/step-certificates parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u chart_values: !unsafe | + ca: + dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1 inject: secrets: ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}" - ingress: - enabled: true - hosts: - - host: ca.{{ vapp['metacluster.fqdn'] }} - paths: - - path: / - pathType: Prefix + # ingress: + # enabled: true + # hosts: + # - host: ca.{{ vapp['metacluster.fqdn'] }} + # paths: + # - path: / + # pathType: Prefix service: targetPort: 9000