feat: allow using wildcard certs
diff --git a/roles/openstack_helm_ingress/README.md b/roles/openstack_helm_ingress/README.md
index 38a9547..67d3329 100644
--- a/roles/openstack_helm_ingress/README.md
+++ b/roles/openstack_helm_ingress/README.md
@@ -1 +1,26 @@
# `openstack_helm_ingress`
+
+## Using wildcard certificates
+
+If you have an existing wildcard certificate to use for all your endpoints
+with Atmosphere, you can simply configure it as follows;
+
+1. Create a Kubernetes TLS secret using your wildcard certificate, you can refer
+ to the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
+ for more details.
+
+ ```shell
+ kubectl -n openstack create secret tls wildcard-certs --key=/path/to/tls.key --cert=/path/to/tls.crt
+ ```
+
+2. Update the `openstack_helm_ingress_secret_name` to point towards the name
+ of the secret you created in step 1.
+
+ ```yaml
+ openstack_helm_ingress_secret_name: wildcard-certs
+ ```
+
+> **Note**
+>
+> If you make this change after a deployment, you will need to re-run all of the
+> playbooks in order to update all the `Ingress` resources.
diff --git a/roles/openstack_helm_ingress/defaults/main.yml b/roles/openstack_helm_ingress/defaults/main.yml
index 137c3d4..ed23163 100644
--- a/roles/openstack_helm_ingress/defaults/main.yml
+++ b/roles/openstack_helm_ingress/defaults/main.yml
@@ -18,4 +18,4 @@
# certificate.
#
# See: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
-openstack_helm_ingress_secret_name: "{{ openstack_helm_ingress_service_name }}-certs"
+# openstack_helm_ingress_secret_name: wildcard-certs
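Review bot: The comment block above the removed default (its first lines are outside the hunk) still reads as if the secret is always `<service>-certs`, while the new contract — undefined means cert-manager issues a per-service secret via `openstack_helm_ingress_cluster_issuer`, defined means an existing secret is referenced and no issuer annotation is added — is documented only in the README. Since defaults/main.yml is what operators read when overriding variables, I would replace the trailing `# certificate.` / `# See:` lines with something like: `# Name of an existing TLS secret to use for this Ingress. Leave undefined (the default) to reference "<service>-certs" and have cert-manager issue it through openstack_helm_ingress_cluster_issuer; when set, no issuer annotation is added, so the secret must already exist in the Ingress namespace.` A commented-out example with no default is fine, but it is worth spelling out in that comment that a wrong name is not detected by this role.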
diff --git a/roles/openstack_helm_ingress/tasks/main.yml b/roles/openstack_helm_ingress/tasks/main.yml
index 1b70b19..d373513 100644
--- a/roles/openstack_helm_ingress/tasks/main.yml
+++ b/roles/openstack_helm_ingress/tasks/main.yml
@@ -12,6 +12,14 @@
# License for the specific language governing permissions and limitations
# under the License.
+- name: Add ClusterIssuer annotations
+ ansible.builtin.set_fact:
+ _openstack_helm_ingress_annotations: "{{ _openstack_helm_ingress_annotations | combine(annotations, recursive=True) }}"
+ vars:
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ openstack_helm_ingress_cluster_issuer }}"
+ when: openstack_helm_ingress_secret_name is not defined
+
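Review bot: When `openstack_helm_ingress_secret_name` is user-supplied nothing verifies that the secret exists before the Ingress is created, so a typo silently yields an Ingress pointing at a missing TLS secret; with ingress-nginx, if that is the controller in use, clients would then be served the controller's fake self-signed certificate rather than seeing a failure. I would add a `kubernetes.core.k8s_info` lookup for the Secret, failing on an empty result, guarded by `when: openstack_helm_ingress_secret_name is defined`, ahead of the `Create Ingress` task. Separately, the `set_fact` on `_openstack_helm_ingress_annotations` outlives this role invocation and takes precedence over the `{}` now in vars/main.yml, so if the role is included several times on the same host an earlier run with the variable undefined could leave `cert-manager.io/cluster-issuer` in place for a later Ingress that does set its own secret; building the annotation dict inline in the Ingress task, or using a per-invocation fact that is reset first, avoids that. The `Create Ingress` task continues outside the hunk.
```yaml
- name: Verify TLS secret {{ openstack_helm_ingress_secret_name }} exists
  kubernetes.core.k8s_info:
    api_version: v1
    kind: Secret
    name: "{{ openstack_helm_ingress_secret_name }}"
    namespace: ...  # reuse the namespace the Create Ingress task passes
  register: _openstack_helm_ingress_secret
  failed_when: _openstack_helm_ingress_secret.resources | length == 0
  when: openstack_helm_ingress_secret_name is defined

# … unchanged: Create Ingress task …
```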
- name: Create Ingress {{ openstack_helm_ingress_name }}
kubernetes.core.k8s:
state: present
@@ -36,6 +44,6 @@
port:
number: "{{ openstack_helm_ingress_service_port }}"
tls:
- - secretName: "{{ openstack_helm_ingress_secret_name }}"
+ - secretName: "{{ openstack_helm_ingress_secret_name | default(openstack_helm_ingress_service_name ~ '-certs') }}"
hosts:
- "{{ openstack_helm_ingress_host }}"
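Review bot: `default(...)` here only substitutes when the variable is undefined, and the `is not defined` guard on the issuer annotation behaves the same way, so an operator who restores the now-commented line in defaults/main.yml as `openstack_helm_ingress_secret_name:` (null) or `""` gets an Ingress with an empty `secretName` and no cert-manager annotation, which is likely to be rejected by the API server or to end up served without a valid certificate. Treating empty as unset in both places is safer: `- secretName: "{{ openstack_helm_ingress_secret_name | default(openstack_helm_ingress_service_name ~ '-certs', true) }}"` here, and `when: not (openstack_helm_ingress_secret_name | default('', true))` on the set_fact task. The Ingress definition starts outside the hunk.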
diff --git a/roles/openstack_helm_ingress/vars/main.yml b/roles/openstack_helm_ingress/vars/main.yml
index a1debf7..ed914d0 100644
--- a/roles/openstack_helm_ingress/vars/main.yml
+++ b/roles/openstack_helm_ingress/vars/main.yml
@@ -12,5 +12,4 @@
# License for the specific language governing permissions and limitations
# under the License.
-_openstack_helm_ingress_annotations:
- cert-manager.io/cluster-issuer: "{{ openstack_helm_ingress_cluster_issuer }}"
+_openstack_helm_ingress_annotations: {}