From e3ce60bcb46ac644fe02cc52496464fc9636f442 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Sun, 29 Jan 2023 12:43:55 +0100
Subject: [PATCH] Housekeeping;Generate root ca preemptively
---
.../roles/metacluster/tasks/certauthority.yml | 4 +-
.../roles/metacluster/tasks/init.yml | 42 +++++++++++++++++++
ansible/vars/metacluster.yml | 1 -
packer/vsphere.auto.pkrvars.hcl | 6 +--
4 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
index d421837..9eea057 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -6,10 +6,10 @@
chart_ref: /opt/metacluster/helm-charts/step-certificates
release_namespace: step-ca
create_namespace: yes
- # Unable to use REST api based readycheck due to missing ingress
+ # Unable to use REST api based readycheck due to 'missing' ingress
wait: yes
kubeconfig: "{{ kubeconfig.path }}"
- values: "{{ components.stepcertificates.chart_values }}"
+ values: "{{ stepca_values.stdout }}"
- name: Retrieve configmap w/ root certificate
kubernetes.core.k8s_info:
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
index 18e9b58..b3e812b 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
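Review bot: The new `values: "{{ stepca_values.stdout }}"` hands the helm module a raw string where it expects a dict; the kubernetes.core.helm `values` option is typed dict, and the multi-line YAML document that `step ca init --helm` prints will not coerce, so this should be `values: "{{ stepca_values.stdout | from_yaml }}"`, mirroring the `from_yaml` filter the same commit uses in init.yml. The task that produces this output in init.yml registers it as `stepca_helmvalues`, not `stepca_values`; unless `stepca_values` is defined somewhere outside this patch, the reference is undefined and the two names need reconciling. Those values carry the CA's private-key material and provisioner secrets emitted by `step ca init`, so the deploy task should also get `no_log: true` to keep them out of play output and log files. The helm task this hunk edits starts before the hunk.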
@@ -11,3 +11,45 @@
- ingress
- registry
- storage
+
+- name: Initialize tempfile
+ ansible.builtin.tempfile:
+ state: file
+ register: stepca_password
+
+- name: Store password in tempfile
+ ansible.builtin.copy:
+ dest: "{{ stepca_password.path }}"
+ content: "{{ vapp['metacluster.password'] }}"
+ no_log: true
+
+- name: Generate root CA
+ ansible.builtin.shell:
+ cmd: >-
+ step ca init \
+ --helm \
+ --deployment-type=standalone \
+ --name=ca.{{ vapp['metacluster.fqdn'] }} \
+ --dns=ca.{{ vapp['metacluster.fqdn'] }} \
+ --dns=step-certificates.step-ca.svc.cluster.local \
+ --dns=127.0.0.1 \
+ --address=:443 \
+ --provisioner=admin \
+ --acme \
+ --password-file={{ stepca_password.path }}
+ register: stepca_helmvalues
+
+- name: Cleanup tempfile
+ ansible.builtin.file:
+ path: "{{ stepca_password.path }}"
+ state: absent
+ when: stepca_password.path is defined
+
+- name: Store root CA certificate
+ ansible.builtin.copy:
+ dest: /usr/local/share/ca-certificates/root_ca.crt
+ content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
+
+- name: Update certificate truststore
+ ansible.builtin.command:
+ cmd: update-ca-certificates
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 70cd34c..722e303 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -183,7 +183,6 @@ components:
step-certificates:
helm:
- # version: 1.18.2+20220324
version: 1.23.0
chart: smallstep/step-certificates
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
diff --git a/packer/vsphere.auto.pkrvars.hcl b/packer/vsphere.auto.pkrvars.hcl
index 5c0e322..5329ad1 100644
--- a/packer/vsphere.auto.pkrvars.hcl
+++ b/packer/vsphere.auto.pkrvars.hcl
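Review bot: The "Generate root CA" task captures the stdout of `step ca init --helm` with `register: stepca_helmvalues` but has no `no_log: true`, and that output is the Helm values document containing the CA's password-encrypted private keys and provisioner secrets, so the key material ends up in play output and any configured log file; add `no_log: true` to the task. The same task registers `stepca_helmvalues`, yet the "Store root CA certificate" task reads `stepca_values.stdout`; unless `stepca_values` is defined outside this patch the reference is undefined, so the register line should read `register: stepca_values`. The "Cleanup tempfile" task only runs when the generate step succeeds, which leaves the plaintext `metacluster.password` on disk after a failure; wrapping tempfile/copy/generate in a `block` with the cleanup under `always`, and giving the copy an explicit `mode: "0600"` so the password file's permissions do not depend on what copy preserves, closes that window. Finally, `cmd: >-` folds the continuation lines into a single line, so each trailing `\` becomes a backslash-escaped space in the resulting shell command unless those lines are indented deeper than `step ca init` (not visible here); the backslashes should be dropped inside the folded scalar.

```yaml
- name: Generate root CA and store Helm values
  block:
    - name: Initialize tempfile
      ansible.builtin.tempfile:
        state: file
      register: stepca_password

    - name: Store password in tempfile
      ansible.builtin.copy:
        dest: "{{ stepca_password.path }}"
        content: "{{ vapp['metacluster.password'] }}"
        mode: "0600"
      no_log: true

    - name: Generate root CA
      ansible.builtin.shell:
        cmd: >-
          step ca init
          --helm
          --deployment-type=standalone
          --name=ca.{{ vapp['metacluster.fqdn'] }}
          --dns=ca.{{ vapp['metacluster.fqdn'] }}
          --dns=step-certificates.step-ca.svc.cluster.local
          --dns=127.0.0.1
          --address=:443
          --provisioner=admin
          --acme
          --password-file={{ stepca_password.path }}
      register: stepca_values
      no_log: true
  always:
    - name: Cleanup tempfile
      ansible.builtin.file:
        path: "{{ stepca_password.path }}"
        state: absent
      when: stepca_password.path is defined

# … unchanged: "Store root CA certificate" and "Update certificate truststore" tasks …
```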
@@ -1,9 +1,9 @@
vcenter_server = "bv11-vc.bessems.lan"
vsphere_username = "administrator@vsphere.local"
vsphere_datacenter = "DeSchakel"
-vsphere_cluster = "Cluster.Legacy"
-vsphere_host = "bv11-esx.bessems.lan"
-vsphere_datastore = "ESX00.SSD01"
+vsphere_cluster = "Cluster.01"
+vsphere_host = "bv11-esx01.bessems.lan"
+vsphere_datastore = "ESX01.SSD02"
vsphere_folder = "/Packer"
vsphere_templatefolder = "/Templates"
vsphere_network = "LAN"