Housekeeping;Generate root ca preemptively

This commit is contained in:
Danny Bessems 2023-01-29 12:43:55 +01:00
parent 79b794dba2
commit e3ce60bcb4
4 changed files with 47 additions and 6 deletions


@ -6,10 +6,10 @@
chart_ref: /opt/metacluster/helm-charts/step-certificates chart_ref: /opt/metacluster/helm-charts/step-certificates
release_namespace: step-ca release_namespace: step-ca
create_namespace: yes create_namespace: yes
# Unable to use REST api based readycheck due to missing ingress # Unable to use REST api based readycheck due to 'missing' ingress
wait: yes wait: yes
kubeconfig: "{{ kubeconfig.path }}" kubeconfig: "{{ kubeconfig.path }}"
values: "{{ components.stepcertificates.chart_values }}" values: "{{ stepca_values.stdout }}"
- name: Retrieve configmap w/ root certificate - name: Retrieve configmap w/ root certificate
kubernetes.core.k8s_info: kubernetes.core.k8s_info:
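Review bot: The new `values: "{{ stepca_values.stdout }}"` line references a variable that nothing in this commit registers under that name: the task running `step ca init` in the second file uses `register: stepca_helmvalues`, and the `Store root CA certificate` task in that same file also reads `stepca_values.stdout`. Unless `stepca_values` is set somewhere outside this diff, both lookups fail at runtime with an undefined-variable error. Make the names agree on one side, e.g. `register: stepca_values` on the generate task, or `values: "{{ stepca_helmvalues.stdout }}"` here and in the store task. The `helm` task this hunk belongs to starts before the hunk.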


@ -11,3 +11,45 @@
- ingress - ingress
- registry - registry
- storage - storage
- name: Initialize tempfile
ansible.builtin.tempfile:
state: file
register: stepca_password
- name: Store password in tempfile
ansible.builtin.copy:
dest: "{{ stepca_password.path }}"
content: "{{ vapp['metacluster.password'] }}"
no_log: true
- name: Generate root CA
ansible.builtin.shell:
cmd: >-
step ca init \
--helm \
--deployment-type=standalone \
--name=ca.{{ vapp['metacluster.fqdn'] }} \
--dns=ca.{{ vapp['metacluster.fqdn'] }} \
--dns=step-certificates.step-ca.svc.cluster.local \
--dns=127.0.0.1 \
--address=:443 \
--provisioner=admin \
--acme \
--password-file={{ stepca_password.path }}
register: stepca_helmvalues
- name: Cleanup tempfile
ansible.builtin.file:
path: "{{ stepca_password.path }}"
state: absent
when: stepca_password.path is defined
- name: Store root CA certificate
ansible.builtin.copy:
dest: /usr/local/share/ca-certificates/root_ca.crt
content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
- name: Update certificate truststore
ansible.builtin.command:
cmd: update-ca-certificates
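Review bot: The `cmd: >-` block on the `Generate root CA` task folds its lines into one line joined by spaces, so each trailing ` \` is not a line continuation but a literal backslash-space that the shell most likely turns into a stray single-space argument to `step ca init`; switch to a literal block with `cmd: |` (keeping the backslashes) or drop the backslashes and keep `>-`. The stdout registered from that task is the full helm values document — the `.inject.certificates.root_ca` lookup in the store task shows it is parsed as such — and `step ca init --helm` normally writes the CA key material and passwords into that document, so the task should carry `no_log: true` like the password copy above it, otherwise the secrets end up in Ansible's output and logs. The tempfile holding `vapp['metacluster.password']` is only removed when the generate task succeeds; grouping the tempfile, copy and generate tasks in a `block:` with the cleanup under `always:` removes it on failure as well, and an explicit `mode: "0600"` on the copy makes the file's permissions independent of the tempfile module's default.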


@ -183,7 +183,6 @@ components:
step-certificates: step-certificates:
helm: helm:
# version: 1.18.2+20220324
version: 1.23.0 version: 1.23.0
chart: smallstep/step-certificates chart: smallstep/step-certificates
parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u


@ -1,9 +1,9 @@
vcenter_server = "bv11-vc.bessems.lan" vcenter_server = "bv11-vc.bessems.lan"
vsphere_username = "administrator@vsphere.local" vsphere_username = "administrator@vsphere.local"
vsphere_datacenter = "DeSchakel" vsphere_datacenter = "DeSchakel"
vsphere_cluster = "Cluster.Legacy" vsphere_cluster = "Cluster.01"
vsphere_host = "bv11-esx.bessems.lan" vsphere_host = "bv11-esx01.bessems.lan"
vsphere_datastore = "ESX00.SSD01" vsphere_datastore = "ESX01.SSD02"
vsphere_folder = "/Packer" vsphere_folder = "/Packer"
vsphere_templatefolder = "/Templates" vsphere_templatefolder = "/Templates"
vsphere_network = "LAN" vsphere_network = "LAN"