[stable/zed] Enable setting CA for Venafi (#1297)
Closes #1276
diff --git a/doc/source/deploy/certificates.rst b/doc/source/deploy/certificates.rst
index f99d4f0..8c351c6 100644
--- a/doc/source/deploy/certificates.rst
+++ b/doc/source/deploy/certificates.rst
@@ -216,6 +216,12 @@
.. code-block:: yaml
cluster_issuer_type: venafi
+ cluster_issuer_venafi_ca: |
+ -----BEGIN CERTIFICATE-----
+ MIIDBjCCAe4CCQDQ3Z0Z2Z0Z0jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
+ VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
+ ...
+ -----END CERTIFICATE-----
cluster_issuer_venafi_zone: <ZONE>
cluster_issuer_venafi_tpp_url: <URL>
cluster_issuer_venafi_tpp_ca_bundle: |
@@ -225,6 +231,12 @@
...
-----END CERTIFICATE-----
+.. note::
+
+ If your issuer is an intermediate certificate, you will need to ensure that
+ the ``certificate`` key includes the full chain in the correct order of issuer,
+ intermediate(s), then root.
+
Authentication
~~~~~~~~~~~~~~
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 28ff024..1c6f4b5 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -30,6 +30,7 @@
#cluster_issuer_acme_cloudflare_api_token: <CLOUDFLARE_API_TOKEN>
cluster_issuer_venafi_secret_name: cert-manager-venafi-credentials
+# cluster_issuer_venafi_ca:
# cluster_issuer_venafi_access_token:
# cluster_issuer_venafi_username:
# cluster_issuer_venafi_password:
diff --git a/roles/cluster_issuer/tasks/type/venafi/main.yml b/roles/cluster_issuer/tasks/type/venafi/main.yml
index 006012f..9baffca 100644
--- a/roles/cluster_issuer/tasks/type/venafi/main.yml
+++ b/roles/cluster_issuer/tasks/type/venafi/main.yml
@@ -61,3 +61,11 @@
caBundle: "{{ cluster_issuer_venafi_tpp_ca_bundle }}"
credentialsRef:
name: "{{ cluster_issuer_venafi_secret_name }}"
+
+- name: Copy CA certificate on host
+ ansible.builtin.copy:
+ content: "{{ cluster_issuer_venafi_ca }}"
+ dest: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+ mode: "0644"
+ notify:
+ - Update CA certificates on host
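Review bot: The new `Copy CA certificate on host` task has no `when:` guard, yet `cluster_issuer_venafi_ca` ships only as a commented-out default in this change, so a venafi deployment that leaves it unset fails at this task with an undefined-variable error instead of skipping the host trust step; add `when: cluster_issuer_venafi_ca is defined and cluster_issuer_venafi_ca | length > 0`. It is also worth a task comment stating that the value is installed as a system-wide trust anchor on every host the role runs on, so it must contain only the CA (root plus any intermediates) that signs the certificates Venafi issues, not the TPP endpoint's CA bundle, which the `caBundle: "{{ cluster_issuer_venafi_tpp_ca_bundle }}"` context line above already covers. The `Update CA certificates on host` handler is not part of this diff, so I assume it already exists for the `ca` and `self-signed` issuer types.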
diff --git a/roles/openstack_cli/templates/atmosphere.sh.j2 b/roles/openstack_cli/templates/atmosphere.sh.j2
index 00635a1..9717677 100644
--- a/roles/openstack_cli/templates/atmosphere.sh.j2
+++ b/roles/openstack_cli/templates/atmosphere.sh.j2
@@ -1,7 +1,7 @@
alias osc='nerdctl run --rm --network host \
--volume $PWD:/opt --volume /tmp:/tmp \
--volume /etc/openstack:/etc/openstack:ro \
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
--volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family']
in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
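Review bot: The widened `{% if %}` condition mounts `atmosphere.crt` into the container for every venafi deployment, but that file is only written when `cluster_issuer_venafi_ca` is set, and a Venafi zone may issue publicly trusted certificates that need no extra CA at all. With the variable unset the bind mount names a missing host path, which container runtimes typically turn into an empty directory, leaving the `OS_CACERT` path inside the container unusable. Tie the venafi branch to the variable instead: `{% if cluster_issuer_type is defined and (cluster_issuer_type in ('self-signed', 'ca') or (cluster_issuer_type == 'venafi' and cluster_issuer_venafi_ca is defined)) %}`; the same guard applies to the `openrc.j2` and `clouds.yaml.j2` hunks in this change.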
diff --git a/roles/openstack_cli/templates/openrc.j2 b/roles/openstack_cli/templates/openrc.j2
index a5d7acb..d8bed16 100644
--- a/roles/openstack_cli/templates/openrc.j2
+++ b/roles/openstack_cli/templates/openrc.j2
@@ -11,7 +11,7 @@
export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
diff --git a/roles/openstacksdk/templates/clouds.yaml.j2 b/roles/openstacksdk/templates/clouds.yaml.j2
index 5b47879..4de4d22 100644
--- a/roles/openstacksdk/templates/clouds.yaml.j2
+++ b/roles/openstacksdk/templates/clouds.yaml.j2
@@ -8,7 +8,7 @@
user_domain_name: Default
project_domain_name: Default
region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
cacert: "/etc/ssl/certs/ca-certificates.crt"
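Review bot: The `cacert: "/usr/local/share/ca-certificates/atmosphere.crt"` entry is now emitted for every venafi deployment, but that file only exists when `cluster_issuer_venafi_ca` is set; for a venafi issuer that returns publicly trusted certificates the new condition makes openstacksdk verify against a non-existent CA file and fail TLS, where falling through to the system store would have worked. Condition the venafi case on the variable: `{% if cluster_issuer_type is defined and (cluster_issuer_type in ('self-signed', 'ca') or (cluster_issuer_type == 'venafi' and cluster_issuer_venafi_ca is defined)) %}`. The `{% endif %}` closing this block lies outside the hunk.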