Housekeeping;Generate root ca preemptively

2023-01-29 12:43:55 +01:00
parent 79b794dba2
commit e3ce60bcb4
4 changed files with 47 additions and 6 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -6,10 +6,10 @@
        chart_ref: /opt/metacluster/helm-charts/step-certificates
        release_namespace: step-ca
        create_namespace: yes
-        # Unable to use REST api based readycheck due to missing ingress
+        # Unable to use REST api based readycheck due to 'missing' ingress
        wait: yes
        kubeconfig: "{{ kubeconfig.path }}"
-        values: "{{ components.stepcertificates.chart_values }}"
+        values: "{{ stepca_values.stdout }}"

    - name: Retrieve configmap w/ root certificate
      kubernetes.core.k8s_info:
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
@@ -11,3 +11,45 @@
    - ingress
    - registry
    - storage
+
+- name: Initialize tempfile
+  ansible.builtin.tempfile:
+    state: file
+  register: stepca_password
+
+- name: Store password in tempfile
+  ansible.builtin.copy:
+    dest: "{{ stepca_password.path }}"
+    content: "{{ vapp['metacluster.password'] }}"
+  no_log: true
+
+- name: Generate root CA
+  ansible.builtin.shell:
+    cmd: >-
+      step ca init \
+        --helm \
+        --deployment-type=standalone \
+        --name=ca.{{ vapp['metacluster.fqdn'] }} \
+        --dns=ca.{{ vapp['metacluster.fqdn'] }} \
+        --dns=step-certificates.step-ca.svc.cluster.local \
+        --dns=127.0.0.1 \
+        --address=:443 \
+        --provisioner=admin \
+        --acme \
+        --password-file={{ stepca_password.path }}
+  register: stepca_helmvalues
+
+- name: Cleanup tempfile
+  ansible.builtin.file:
+    path: "{{ stepca_password.path }}"
+    state: absent
+  when: stepca_password.path is defined
+
+- name: Store root CA certificate
+  ansible.builtin.copy:
+    dest: /usr/local/share/ca-certificates/root_ca.crt
+    content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
+
+- name: Update certificate truststore
+  ansible.builtin.command:
+    cmd: update-ca-certificates