# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Namespace that the cert-manager HelmRepository/HelmRelease below land in.
# Expressed with the module's shorthand arguments instead of an inline
# manifest; the resulting object (v1 Namespace "cert-manager") is the same.
- name: Create namespace
  kubernetes.core.k8s:
    state: present
    api_version: v1
    kind: Namespace
    name: cert-manager

# Flux-managed cert-manager install: a HelmRepository for the upstream chart
# and a HelmRelease pinned to one chart version. Keep `version` pinned and
# bump it deliberately — a floating version would let a chart change reach
# the cluster without review.
- name: Deploy Helm chart
  kubernetes.core.k8s:
    state: present
    definition:
      - apiVersion: source.toolkit.fluxcd.io/v1beta2
        kind: HelmRepository
        metadata:
          name: jetstack
          namespace: cert-manager
        spec:
          interval: 60s
          url: https://charts.jetstack.io

      - apiVersion: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        metadata:
          name: cert-manager
          namespace: cert-manager
        spec:
          interval: 60s
          chart:
            spec:
              chart: cert-manager
              version: v1.7.1
              sourceRef:
                kind: HelmRepository
                name: jetstack
          install:
            crds: CreateReplace
          upgrade:
            crds: CreateReplace
          values:
            installCRDs: true
            # Read-only view of the node's trust store inside the controller —
            # presumably so it trusts the same CA bundle as the host (the one
            # `update-ca-certificates` maintains further down); confirm.
            volumes:
              - name: etc-ssl-certs
                hostPath:
                  path: /etc/ssl/certs
            volumeMounts:
              - name: etc-ssl-certs
                mountPath: /etc/ssl/certs
                readOnly: true
            # All four components are pinned to control-plane nodes. The anchor
            # is expanded by Ansible's YAML loader; the cluster receives four
            # identical plain mappings.
            nodeSelector: &control_plane_nodes
              openstack-control-plane: enabled
            webhook:
              nodeSelector: *control_plane_nodes
            cainjector:
              nodeSelector: *control_plane_nodes
            startupapicheck:
              nodeSelector: *control_plane_nodes

# Issuer "openstack" in the openstack namespace. Its entire spec is taken from
# the `cert_manager_issuer` variable (the self-signed PKI block below keys off
# `cert_manager_issuer.ca.secretName`).
- name: Create Issuer
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: openstack
        namespace: openstack
      spec: '{{ cert_manager_issuer }}'
  register: _result
  # NOTE(mnaser): Since we haven't moved to the operator pattern yet, we need
  # to keep retrying a few times as the CRDs might not be installed yet.
  # 60 attempts x 5s gives the HelmRelease above up to five minutes to land.
  until: _result is not failed
  retries: 60
  delay: 5

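# Runs only when the issuer is configured to sign with the "root-secret" CA
# (block-level `when` at the bottom): mint a self-signed root CA and install
# its certificate into every host's trust store. The root's private key is
# kept in the "root-secret" Secret in the openstack namespace, so read access
# to Secrets there is equivalent to holding a CA the hosts trust system-wide;
# keep that RBAC tight.
- name: Bootstrap self-signed PKI
  block:
    - name: Create self-signed issuer
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: ClusterIssuer
          metadata:
            name: selfsigned-issuer
          spec:
            selfSigned: {}

    - name: Bootstrap a custom root certificate for a private PKI
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: Certificate
          metadata:
            name: selfsigned-ca
            namespace: openstack
          spec:
            isCA: true
            commonName: selfsigned-ca
            secretName: root-secret
            # 86400h = 3600d (~9.9 years); renewal starts 360h (15d) before expiry.
            duration: 86400h
            renewBefore: 360h
            privateKey:
              algorithm: ECDSA
              size: 256
            issuerRef:
              name: selfsigned-issuer
              kind: ClusterIssuer
              group: cert-manager.io

    - name: Wait till the root secret is created
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        name: root-secret
        namespace: openstack
        # Expected to poll every 10s for up to 5 minutes until the Secret
        # exists — confirm the wait semantics against the kubernetes.core
        # version in use.
        wait: true
        wait_sleep: 10
        wait_timeout: 300
      register: _openstack_helm_root_secret
      # Fail on the task that names the Secret if the wait ended without a
      # result, instead of on the `resources[0]` lookup in the next task.
      # `default([])` also covers a module failure where `resources` is absent.
      failed_when: _openstack_helm_root_secret.resources | default([]) | length == 0

    - name: Copy CA certificate on host
      ansible.builtin.copy:
        # Only `tls.crt` (the certificate) is copied out of the cluster; the
        # key material in the Secret is not touched by this play.
        content: "{{ _openstack_helm_root_secret.resources[0].data['tls.crt'] | b64decode }}"
        dest: "/usr/local/share/ca-certificates/self-signed-osh-ca.crt"
        mode: "0644"

    - name: Update ca certificates on host
      ansible.builtin.command:
        cmd: update-ca-certificates
      # Runs on every play; the command is idempotent, so reporting "changed"
      # each time would only be noise.
      changed_when: false
  when:
    - cert_manager_issuer.ca.secretName is defined
    - cert_manager_issuer.ca.secretName == "root-secret"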