From fba2e3e4b18624603235e8d7dc4c3cd607da1643 Mon Sep 17 00:00:00 2001
From: djpbessems <danny@bessems.eu>
Date: Thu, 25 Aug 2022 12:04:51 +0200
Subject: [PATCH] Disable http challenge;Inject stepca cert;Set default
 certresolver

---
 .../roles/metacluster/tasks/main.yml             | 16 +++++++++++++++-
 ansible/vars/metacluster.yml                     |  5 +++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index 717a0ba..eaf6ae5 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -110,7 +110,7 @@
   kubernetes.core.helm:
     name: step-certificates
     chart_ref: /opt/metacluster/helm-charts/step-certificates
-    release_namespace: step-ca
+    release_namespace: kube-system
     create_namespace: yes
     wait: yes
     kubeconfig: "{{ kubeconfig.path }}"
@@ -140,6 +140,20 @@
   notify:
     - Apply manifests
 
+- name: Inject step-ca certificate into traefik container
+  ansible.builtin.blockinfile:
+    path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+    block: |
+      volumes:
+        - name: step-certificates-certs
+          mountPath: /step-ca
+          type: configMap
+      env:
+        - name: LEGO_CA_CERTIFICATES
+          value: /step-ca/root_ca.crt
+  notify:
+    - Apply manifests
+
 - name: Trigger handlers
   ansible.builtin.meta: flush_handlers
 
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index aa5f00d..2d40e60 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -16,8 +16,6 @@ platform:
             additionalArguments:
               - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
               - "--certificatesResolvers.stepca.acme.email=admin"
-              - "--certificatesResolvers.stepca.acme.httpChallenge=true"
-              - "--certificatesResolvers.stepca.acme.httpChallenge.entryPoint=web"
               - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
               - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
             globalArguments: []
@@ -30,6 +28,9 @@ platform:
                 protocol: TCP
               web:
                 redirectTo: websecure
+              websecure:
+                tls:
+                  certResolver: stepca
 
   helm_repositories:
     - name: longhorn