feat: trust private acme CA (#1216)
Related: #1185
We disscused with @mpiscaer on Slack about the reason why this happens and found that such a configuration was not foreseen.
Mounting whole directory like here: https://github.com/vexxhost/ansible-collection-kubernetes/blob/main/roles/cert_manager/vars/main.yml#L21 is a bad idea because on EL distros this host path doesn't exist.
Reviewed-by: Mohammed Naser <mnaser@vexxhost.com>
Reviewed-by: Michiel Piscaer <michiel@piscaer.com>
Reviewed-by: Tadas Sutkaitis
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 407acaf..15db6a4 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -15,6 +15,8 @@
cluster_issuer_name: "{{ atmosphere_ingress_cluster_issuer }}"
cluster_issuer_type: acme
+cluster_issuer_acme_private_ca: false
+
cluster_issuer_acme_server: https://acme-v02.api.letsencrypt.org/directory
# cluster_issuer_acme_email:
cluster_issuer_acme_private_key_secret_name: cert-manager-issuer-account-key
diff --git a/roles/openstack_cli/templates/atmosphere.sh.j2 b/roles/openstack_cli/templates/atmosphere.sh.j2
index 416a825..00635a1 100644
--- a/roles/openstack_cli/templates/atmosphere.sh.j2
+++ b/roles/openstack_cli/templates/atmosphere.sh.j2
@@ -3,7 +3,10 @@
--volume /etc/openstack:/etc/openstack:ro \
{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
--volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family']
- in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/etc/pki/ca-trust/source/anchors/atmosphere.crt:ro' }} \
+ in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+ --volume {{ '/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro' if ansible_facts['os_family']
+ in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:/etc/ssl/certs/ca-certificates.crt:ro' }} \
{% endif %}
--env-file <(env | grep OS_) \
{{ atmosphere_images['openstack_cli'] }}'
diff --git a/roles/openstack_cli/templates/openrc.j2 b/roles/openstack_cli/templates/openrc.j2
index 87e5e34..a5d7acb 100644
--- a/roles/openstack_cli/templates/openrc.j2
+++ b/roles/openstack_cli/templates/openrc.j2
@@ -12,5 +12,7 @@
export OS_PROJECT_NAME=admin
{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
-export OS_CACERT={{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt
+export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
{% endif %}
diff --git a/roles/openstacksdk/templates/clouds.yaml.j2 b/roles/openstacksdk/templates/clouds.yaml.j2
index efb2245..5b47879 100644
--- a/roles/openstacksdk/templates/clouds.yaml.j2
+++ b/roles/openstacksdk/templates/clouds.yaml.j2
@@ -9,5 +9,7 @@
project_domain_name: Default
region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
- cacert: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+ cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+ cacert: "/etc/ssl/certs/ca-certificates.crt"
{% endif %}