From fba2e3e4b18624603235e8d7dc4c3cd607da1643 Mon Sep 17 00:00:00 2001
From: djpbessems
Date: Thu, 25 Aug 2022 12:04:51 +0200
Subject: [PATCH] Disable http challenge;Inject stepca cert;Set default certresolver

---
 .../roles/metacluster/tasks/main.yml | 16 +++++++++++++++-
 ansible/vars/metacluster.yml | 5 +++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index 717a0ba..eaf6ae5 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -110,7 +110,7 @@
 kubernetes.core.helm:
 name: step-certificates
 chart_ref: /opt/metacluster/helm-charts/step-certificates
- release_namespace: step-ca
+ release_namespace: kube-system
 create_namespace: yes
 wait: yes
 kubeconfig: "{{ kubeconfig.path }}"
@@ -140,6 +140,20 @@
 notify:
 - Apply manifests
 
+- name: Inject step-ca certificate into traefik container
+ ansible.builtin.blockinfile:
+ path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
+ block: |
+ volumes:
+ - name: step-certificates-certs
+ mountPath: /step-ca
+ type: configMap
+ env:
+ - name: LEGO_CA_CERTIFICATES
+ value: /step-ca/root_ca.crt
+ notify:
+ - Apply manifests
+
 - name: Trigger handlers
 ansible.builtin.meta: flush_handlers
 
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index aa5f00d..2d40e60 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
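Review bot: Moving the step-certificates release to kube-system leaves the ACME `caserver` argument in ansible/vars/metacluster.yml (untouched by this same patch) pointing at `https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory`; with no Service left in the step-ca namespace that name stops resolving and traefik can never reach the CA, so it should read `https://step-certificates.kube-system.svc.cluster.local/acme/acme/directory`. The CA's own serving certificate presumably carries the service DNS name as a SAN (the chart's DNS-names setting), so that value needs the same namespace change or lego rejects the connection even with the root injected. The move itself is unexplained in the task; a why-comment such as `# kube-system: traefik mounts this release's root-CA ConfigMap, and ConfigMap volumes are namespace-local` would spare the next reader the archaeology (hedged: that rationale is inferred from the mount added later in this patch). The enclosing task starts before this hunk.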
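Review bot: The `blockinfile` appends `volumes:` and `env:` at column 0 to the end of traefik-config.yaml; if that file is the k3s `HelmChartConfig` (values living under `spec.valuesContent: |`), the block lands at manifest top level instead of inside the chart values, the ConfigMap is never mounted, and lego keeps verifying the ACME server against the system trust store rather than `/step-ca/root_ca.crt` — verify the rendered file after a run. The fix is either to indent the block to the `valuesContent` level and pin it with `insertafter`, or to put these keys in the vars from which that file is rendered so one source owns the traefik values. A purpose comment on the task is also missing; something like `# root_ca.crt is served from the <release>-certs ConfigMap of the step-certificates chart; LEGO_CA_CERTIFICATES makes traefik's ACME client trust only that CA` (confirm the ConfigMap name and key against the chart templates). Note that `LEGO_CA_CERTIFICATES` replaces, not extends, the trust roots lego uses for the ACME server, which is the desired pinning here but worth stating.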
@@ -16,8 +16,6 @@ platform:
 additionalArguments:
 - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
 - "--certificatesResolvers.stepca.acme.email=admin"
- - "--certificatesResolvers.stepca.acme.httpChallenge=true"
- - "--certificatesResolvers.stepca.acme.httpChallenge.entryPoint=web"
 - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
 - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
 globalArguments: []
@@ -30,6 +28,9 @@ platform:
 protocol: TCP
 web:
 redirectTo: websecure
+ websecure:
+ tls:
+ certResolver: stepca
 
 helm_repositories:
 - name: longhorn
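Review bot: Making `stepca` the default `certResolver` of the websecure entrypoint means every router on that entrypoint — by default any Ingress or IngressRoute traefik watches, from any namespace — triggers an ACME order against the internal CA for whatever Host it declares, with no allow-list on the traefik side; document that and make sure the step-ca ACME provisioner policy is what bounds issuable names. Suggested comment above the added lines: `# default resolver: every Host on websecure is auto-issued by step-ca via TLS-ALPN-01, so the CA must reach traefik on 443 directly`. With httpChallenge gone only the TLS-ALPN-01 challenge remains, so anything terminating TLS in front of traefik would break issuance silently until the first certificate is needed. The enclosing `platform` mapping starts before this hunk.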