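# Deploy step-ca into the metacluster and distribute its root certificate to
# the namespaces that need it (argo-cd via ConfigMap, kube-system via Secret).
#
# The chart values containing the CA and provisioner passwords are staged in a
# tempfile.  Cleanup runs inline on the happy path and again in `always:` so a
# failed copy/helm task does not leave the password-bearing file on disk.
- block:
    - name: Initialize tempfile
      ansible.builtin.tempfile:
        state: file
      register: values_file

    - name: Write chart values w/ password to tempfile
      ansible.builtin.copy:
        dest: "{{ values_file.path }}"
        # Substitutes the value of both password keys with the base64-encoded
        # metacluster password.  '\\1' inside the double-quoted YAML scalar is
        # unescaped to the '\1' back-reference that regex_replace expects.
        content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
      # Keeps the rendered values (and thus the password) out of task output.
      no_log: true

    - name: Install step-ca chart
      kubernetes.core.helm:
        name: step-certificates
        chart_ref: /opt/metacluster/helm-charts/step-certificates
        release_namespace: step-ca
        create_namespace: true
        # Unable to use REST api based readycheck due to lack of ingress
        wait: true
        kubeconfig: "{{ kubeconfig.path }}"
        values_files:
          - "{{ values_file.path }}"

    # Happy-path removal; the `always:` section below repeats it for the
    # failure path.
    - name: Cleanup tempfile
      ansible.builtin.file:
        path: "{{ values_file.path }}"
        state: absent
      when: values_file.path is defined

    - name: Retrieve configmap w/ root certificate
      kubernetes.core.k8s_info:
        kind: ConfigMap
        name: step-certificates-certs
        namespace: step-ca
        kubeconfig: "{{ kubeconfig.path }}"
      register: stepca_cm_certs

    - name: Create target namespaces
      kubernetes.core.k8s:
        kind: Namespace
        name: "{{ item }}"
        state: present
        kubeconfig: "{{ kubeconfig.path }}"
      loop:
        - argo-cd
        # - kube-system

    # Renders `<kind>.j2` for each item; annotations/labels are passed as
    # pre-indented YAML fragments so the template can splice them in verbatim.
    - name: Store root certificate in namespaced configmaps/secrets
      kubernetes.core.k8s:
        state: present
        template: "{{ item.kind }}.j2"
        kubeconfig: "{{ kubeconfig.path }}"
      vars:
        _template:
          name: "{{ item.name }}"
          namespace: "{{ item.namespace }}"
          annotations: "{{ item.annotations | default('{}') | indent(width=4, first=True) }}"
          labels: "{{ item.labels | default('{}') | indent(width=4, first=True) }}"
          data: "{{ item.data }}"
      loop:
        - name: argocd-tls-certs-cm
          namespace: argo-cd
          kind: configmap
          annotations: |
            meta.helm.sh/release-name: argo-cd
            meta.helm.sh/release-namespace: argo-cd
          labels: |
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: argocd-cm
            app.kubernetes.io/part-of: argocd
          data:
            - key: "git.{{ vapp['metacluster.fqdn'] }}"
              value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
        - name: step-certificates-certs
          namespace: kube-system
          kind: secret
          data:
            - key: root_ca.crt
              # Secret data must be base64; the ConfigMap source is plain PEM.
              value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
      loop_control:
        label: "{{ item.kind ~ '/' ~ item.name ~ ' (' ~ item.namespace ~ ')' }}"

    - name: Configure step-ca passthrough ingress
      ansible.builtin.template:
        src: ingressroutetcp.j2
        dest: "/var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml"
        owner: root
        group: root
        # Quoted so the leading zero is not read as a YAML 1.1 octal int.
        mode: "0600"
      vars:
        _template:
          name: step-ca
          namespace: step-ca
          # `|2` pins the block's base indentation, so the extra indent below
          # is preserved in the rendered value.  NOTE(review): the source I
          # reviewed had its whitespace collapsed; confirm the preserved indent
          # matches where ingressroutetcp.j2 splices `_template.config`.
          config: |2
              entryPoints:
                - websecure
              routes:
                - match: HostSNI(`ca.{{ vapp['metacluster.fqdn'] }}`)
                  services:
                    - name: step-certificates
                      port: 443
              tls:
                passthrough: true
      notify:
        - Apply manifests

    # Mounts the root-CA secret into traefik and points LEGO at it so ACME
    # requests to step-ca are made over a trusted chain.
    - name: Inject step-ca certificate into traefik container
      ansible.builtin.blockinfile:
        path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
        # NOTE(review): as with `config:` above, the preserved indent of this
        # block and the leading whitespace of `marker` were collapsed in the
        # reviewed source; restore both to the nesting used in
        # traefik-config.yaml.
        block: |2
                volumes:
                  - name: step-certificates-certs
                    mountPath: /step-ca
                    type: secret
                env:
                  - name: LEGO_CA_CERTIFICATES
                    value: /step-ca/root_ca.crt
        marker: '    # {mark} ANSIBLE MANAGED BLOCK [rootca]'
      notify:
        - Apply manifests

    - name: Trigger handlers
      ansible.builtin.meta: flush_handlers

    - name: Ensure step-ca API availability
      ansible.builtin.uri:
        url: "https://ca.{{ vapp['metacluster.fqdn'] }}/health"
        method: GET
      register: api_readycheck
      until:
        - api_readycheck.json.status is defined
        - api_readycheck.json.status == 'ok'
      retries: "{{ playbook.retries }}"
      # Scales the poll interval by the measured storage performance.
      delay: "{{ (storage_benchmark | int) * (playbook.delay.long | int) }}"

  # Runs even when a task in `block:` fails; a no-op on the happy path because
  # the inline cleanup already removed the file.
  always:
    - name: Cleanup tempfile
      ansible.builtin.file:
        path: "{{ values_file.path }}"
        state: absent
      when: values_file.path is defined

  module_defaults:
    ansible.builtin.uri:
      # The readycheck targets the CA just deployed, whose root the controller
      # does not trust yet.  NOTE(review): the root is available in
      # stepca_cm_certs; writing it to a file and passing it via `ca_path`
      # would allow verification instead of disabling it here.
      validate_certs: false
      status_code: [200, 201]
      body_format: json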