# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Install cert-manager from the upstream jetstack chart. The chart version is
# pinned, so an upgrade is an explicit edit of this file, never a silent pull
# of whatever the repo currently serves.
- name: Deploy Helm chart
  kubernetes.core.helm:
    kubeconfig: /etc/kubernetes/admin.conf
    name: cert-manager
    chart_ref: jetstack/cert-manager
    chart_version: v1.7.1
    create_namespace: true
    release_namespace: cert-manager
    values:
      # The chart installs its own CRDs; no separate CRD step is needed.
      installCRDs: true
      # The host CA bundle is mounted read-only into the controller pod,
      # presumably so outbound TLS from cert-manager trusts the same roots as
      # the host — confirm against the ACME/webhook endpoints in use.
      volumes:
        - name: etc-ssl-certs
          hostPath:
            path: /etc/ssl/certs
      volumeMounts:
        - name: etc-ssl-certs
          mountPath: /etc/ssl/certs
          readOnly: true
      # Every cert-manager component is pinned to control-plane nodes; the
      # selector has to be repeated per component because each sub-chart
      # reads its own nodeSelector.
      nodeSelector:
        openstack-control-plane: enabled
      webhook:
        nodeSelector:
          openstack-control-plane: enabled
      cainjector:
        nodeSelector:
          openstack-control-plane: enabled
      startupapicheck:
        nodeSelector:
          openstack-control-plane: enabled
# Create the Issuer that signs the OpenStack service certificates. The whole
# spec comes from the `cert_manager_issuer` variable: because the quoted value
# is a single template expression, Ansible returns the templated mapping as
# structured data rather than a string, so the Issuer gets a real spec.
- name: Create issuer
  kubernetes.core.k8s:
    definition:
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        namespace: openstack
        name: openstack
      spec: "{{ cert_manager_issuer }}"
    state: present
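# Optional bootstrap of a private, self-signed PKI. The block runs only when
# the configured issuer is CA-backed and points at the `root-secret` created
# here (see the `when` at the end of the block).
- name: Bootstrap self-signed PKI
  block:
    # Cluster-scoped issuer that signs with its own throwaway key; it exists
    # only to mint the root CA certificate below.
    - name: Create self-signed issuer
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: ClusterIssuer
          metadata:
            name: selfsigned-issuer
          spec:
            selfSigned: {}

    # Root CA of the private PKI. cert-manager writes the resulting key pair to
    # the `root-secret` Secret in the `openstack` namespace, and the
    # certificate is installed into the host trust store further down, so read
    # access to that Secret amounts to holding a CA trusted by every host this
    # play runs on — keep RBAC on the `openstack` namespace's Secrets tight.
    - name: Bootstrap a custom root certificate for a private PKI
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: Certificate
          metadata:
            name: selfsigned-ca
            namespace: openstack
          spec:
            isCA: true
            commonName: selfsigned-ca
            secretName: root-secret
            duration: 86400h  # 3600 days
            renewBefore: 360h  # 15 days
            privateKey:
              algorithm: ECDSA
              size: 256
            issuerRef:
              name: selfsigned-issuer
              kind: ClusterIssuer
              group: cert-manager.io

    # Block until cert-manager has issued the CA and written its Secret. The
    # next task indexes resources[0], so this relies on k8s_info failing
    # (rather than returning an empty list) when the wait times out —
    # TODO confirm for the kubernetes.core version in use.
    - name: Wait till the root secret is created
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        name: root-secret
        namespace: openstack
        wait: true
        wait_sleep: 10
        wait_timeout: 300
      register: _openstack_helm_root_secret

    # Publish the CA certificate (only tls.crt, never the key) to the host
    # trust store. The result is registered so the bundle rebuild below runs
    # only when the file actually changed.
    - name: Copy CA certificate on host
      ansible.builtin.copy:
        content: "{{ _openstack_helm_root_secret.resources[0].data['tls.crt'] | b64decode }}"
        dest: "/usr/local/share/ca-certificates/self-signed-osh-ca.crt"
        mode: "0644"
      register: _openstack_helm_root_ca_cert

    # Previously this ran on every play with `changed_when: false`, which hid
    # a real change to the host trust store. Gating it on the copy result makes
    # the run idempotent and the reported change accurate. update-ca-certificates
    # is the Debian-family tool; a Debian-family host is assumed here.
    - name: Update ca certificates on host
      ansible.builtin.command:
        cmd: update-ca-certificates
      when: _openstack_helm_root_ca_cert is changed
  when:
    - cert_manager_issuer.ca.secretName is defined
    - cert_manager_issuer.ca.secretName == "root-secret"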