diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
index 5438b5c..90eddff 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@@ -15,7 +15,7 @@
 kubernetes.core.helm:
 name: pinniped
 chart_ref: /opt/metacluster/helm-charts/pinniped
- release_namespace: pinniped
+ release_namespace: pinniped-supervisor
 create_namespace: true
 wait: false
 kubeconfig: "{{ kubeconfig.path }}"
@@ -30,7 +30,7 @@
 _template:
 name: "{{ item.name }}"
 namespace: "{{ item.namespace }}"
- config: "{{ item.config }}"
+ spec: "{{ item.spec }}"
 loop:
 - kind: ingressroute
 name: pinniped-supervisor
@@ -55,6 +55,8 @@
 spec: |2
 insecureSkipVerify: true
 serverName: auth.{{ vapp['metacluster.fqdn'] }}
+ loop_control:
+ label: "{{ item.kind ~ '/' ~ item.name ~ ' (' ~ item.namespace ~ ')' }}"
 
 - name: Ensure pinniped API availability
 ansible.builtin.uri:
@@ -94,10 +96,13 @@
 namespace: pinniped-supervisor
 type: kubernetes.io/tls
 data:
- - tls.crt: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
- - tls.key: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
+ - key: tls.crt value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.crt') }}"
+ - key: tls.key value: "{{ lookup('ansible.builtin.file', certificate.path ~ '/certificate.key') }}"
 # TODO: Migrate to step-ca
+
 -
 - name: Create pinniped resources
 kubernetes.core.k8s:
 template: "{{ item.kind }}.j2"
@@ -107,7 +112,6 @@
 _template:
 name: "{{ item.name }}"
 namespace: "{{ item.namespace }}"
- config: "{{ item.config }}"
 data: "{{ item.data | default(omit) }}"
 spec: "{{ item.spec | default(omit) }}"
 loop:
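Review bot: The rewritten tls.crt and tls.key entries put the raw output of `lookup('ansible.builtin.file', ...)` into `value`, whereas the clientID/clientSecret entries rewritten in the same shape further down pipe their values through `| b64encode`; a `kubernetes.io/tls` Secret's `data` map must be base64, so unless secret.j2 encodes `data` itself (not visible here) the two hunks cannot both be right — either add `| b64encode` to these two `value` lines or drop it from the later ones. This loop item also carries the TLS private key, and the task that owns the loop starts outside the hunk; the `loop_control` label added in this commit is on the later 'Create pinniped resources' task, so confirm this task gets a label or `no_log: true` as well, otherwise the full item (key included) is echoed in the per-item task output.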
@@ -117,7 +121,7 @@
 spec: |2
 issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
 tls:
- certificateAuthorityData: {{ ca_bundle }}
+ certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
 authorizationConfig:
 additionalScopes: [offline_access, groups, email]
 allowPasswordGrant: false
@@ -131,8 +135,10 @@
 namespace: pinniped-supervisor
 type: secrets.pinniped.dev/oidc-client
 data:
- - clientID: pinniped-supervisor
- - clientSecret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}"
+ - key: clientID value: "{{ 'pinniped-supervisor' | b64encode }}"
+ - key: clientSecret value: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | b64encode }}"
 - kind: federationdomain
 name: metacluster-sso
 namespace: pinniped-supervisor
@@ -140,3 +146,5 @@
 issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
 tls:
 secretName: pinniped-supervisor-tls
+ loop_control:
+ label: "{{ item.kind ~ '/' ~ item.name }}"
diff --git a/ansible/vars/workloadcluster.yml b/ansible/vars/workloadcluster.yml
index 454ae6f..b87ba80 100644
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@@ -37,7 +37,7 @@ downstream:
 issuer: https://auth.{{ vapp['metacluster.fqdn'] }}/sso
 audience: {{ vapp['workloadcluster.name'] | lower }}
 tls:
- certificateAuthorityData: {{ ca_bundle }}
+ certificateAuthorityData: "{{ (stepca_cm_certs.resources[0].data['intermediate_ca.crt'] ~ stepca_cm_certs.resources[0].data['root_ca.crt']) | b64encode }}"
 sealed-secrets:
 version: 2.8.1 # (= Sealed Secrets v0.20.2)
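Review bot: The new certificateAuthorityData joins `intermediate_ca.crt` and `root_ca.crt` with `~` and no separator, so if the ConfigMap values do not end in a newline the two PEM blocks are fused onto one line and the bundle is rejected by the TLS client; inserting `~ '\n' ~` between them is harmless when a newline is already present. `stepca_cm_certs.resources[0]` is indexed without a guard, so an empty lookup fails with an opaque templating error instead of saying the step-ca ConfigMap was not found; an `ansible.builtin.assert` on `stepca_cm_certs.resources | length > 0` before this task would make that explicit. The identical expression is added again to ansible/vars/workloadcluster.yml in the last hunk, so computing it once into a fact (a `set_fact` named along the lines of stepca_ca_bundle_b64) would keep the two consumers in step. The `spec: |2` block scalar that contains these lines starts outside the hunk.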
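Review bot: The re-added clientSecret value is still `lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn'])`, which with `/dev/null` stores nothing and with `seed=` derives the secret entirely from the cluster FQDN, a value that is not confidential, so the OIDC client secret is deterministic rather than random. If the seed exists to keep re-runs idempotent, seed it from a random value generated once and kept on the controller, or drop `/dev/null` and `seed=` so the lookup persists a random password to a file; either keeps idempotency without tying the secret to public data. The added `| b64encode` is right for a `data` entry and matches the clientID line above it; the task and loop item this `data` list belongs to start outside the hunk.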