Housekeeping;Generate root ca preemptively

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml

@@ -6,10 +6,10 @@
         chart_ref: /opt/metacluster/helm-charts/step-certificates
         release_namespace: step-ca
         create_namespace: yes
-        # Unable to use REST api based readycheck due to missing ingress
+        # Unable to use REST api based readycheck due to 'missing' ingress
         wait: yes
         kubeconfig: "{{ kubeconfig.path }}"
-        values: "{{ components.stepcertificates.chart_values }}"
+        values: "{{ stepca_values.stdout }}"
 
     - name: Retrieve configmap w/ root certificate
       kubernetes.core.k8s_info:

ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml

@@ -11,3 +11,45 @@
     - ingress
     - registry
     - storage
+
+- name: Initialize tempfile
+  ansible.builtin.tempfile:
+    state: file
+  register: stepca_password
+
+- name: Store password in tempfile
+  ansible.builtin.copy:
+    dest: "{{ stepca_password.path }}"
+    content: "{{ vapp['metacluster.password'] }}"
+  no_log: true
+
+- name: Generate root CA
+  ansible.builtin.shell:
+    cmd: >-
+      step ca init \
+        --helm \
+        --deployment-type=standalone \
+        --name=ca.{{ vapp['metacluster.fqdn'] }} \
+        --dns=ca.{{ vapp['metacluster.fqdn'] }} \
+        --dns=step-certificates.step-ca.svc.cluster.local \
+        --dns=127.0.0.1 \
+        --address=:443 \
+        --provisioner=admin \
+        --acme \
+        --password-file={{ stepca_password.path }}
+  register: stepca_helmvalues
+
+- name: Cleanup tempfile
+  ansible.builtin.file:
+    path: "{{ stepca_password.path }}"
+    state: absent
+  when: stepca_password.path is defined
+
+- name: Store root CA certificate
+  ansible.builtin.copy:
+    dest: /usr/local/share/ca-certificates/root_ca.crt
+    content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
+
+- name: Update certificate truststore
+  ansible.builtin.command:
+    cmd: update-ca-certificates

ansible/vars/metacluster.yml

@@ -183,7 +183,6 @@ components:
 
   step-certificates:
     helm:
-      # version: 1.18.2+20220324
       version: 1.23.0
       chart: smallstep/step-certificates
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u

packer/vsphere.auto.pkrvars.hcl

@@ -1,9 +1,9 @@
 vcenter_server         = "bv11-vc.bessems.lan"
 vsphere_username       = "administrator@vsphere.local"
 vsphere_datacenter     = "DeSchakel"
-vsphere_cluster        = "Cluster.Legacy"
-vsphere_host           = "bv11-esx.bessems.lan"
-vsphere_datastore      = "ESX00.SSD01"
+vsphere_cluster        = "Cluster.01"
+vsphere_host           = "bv11-esx01.bessems.lan"
+vsphere_datastore      = "ESX01.SSD02"
 vsphere_folder         = "/Packer"
 vsphere_templatefolder = "/Templates"
 vsphere_network        = "LAN"