Disable http challenge;Inject stepca cert;Set default certresolver

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml

@@ -110,7 +110,7 @@
   kubernetes.core.helm:
     name: step-certificates
     chart_ref: /opt/metacluster/helm-charts/step-certificates
-    release_namespace: step-ca
+    release_namespace: kube-system
     create_namespace: yes
     wait: yes
     kubeconfig: "{{ kubeconfig.path }}"
@@ -140,6 +140,20 @@
   notify:
     - Apply manifests
 
+- name: Inject step-ca certificate into traefik container
+  ansible.builtin.blockinfile:
+    path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+    block: |
+      volumes:
+        - name: step-certificates-certs
+          mountPath: /step-ca
+          type: configMap
+      env:
+        - name: LEGO_CA_CERTIFICATES
+          value: /step-ca/root_ca.crt
+  notify:
+    - Apply manifests
+
 - name: Trigger handlers
   ansible.builtin.meta: flush_handlers
 

ansible/vars/metacluster.yml

@@ -16,8 +16,6 @@ platform:
             additionalArguments:
               - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
               - "--certificatesResolvers.stepca.acme.email=admin"
-              - "--certificatesResolvers.stepca.acme.httpChallenge=true"
-              - "--certificatesResolvers.stepca.acme.httpChallenge.entryPoint=web"
               - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
               - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
             globalArguments: []
@@ -30,6 +28,9 @@ platform:
                 protocol: TCP
               web:
                 redirectTo: websecure
+              websecure:
+                tls:
+                  certResolver: stepca
 
   helm_repositories:
     - name: longhorn