# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Deploy Helm chart
  # Installs cert-manager using the host's admin kubeconfig (cluster-admin
  # credentials). The chart version is pinned so upgrades are deliberate.
  kubernetes.core.helm:
    kubeconfig: /etc/kubernetes/admin.conf
    name: cert-manager
    chart_ref: jetstack/cert-manager
    chart_version: "v1.7.1"
    release_namespace: cert-manager
    create_namespace: true
    values:
      # The chart manages the CRDs; the Issuer/Certificate kinds used later in
      # this file depend on them.
      installCRDs: true
      # Expose the host CA bundle read-only to the controller — presumably so
      # cert-manager trusts the same CAs as the host (including any CA that
      # update-ca-certificates installs below). NOTE(review): a hostPath
      # volume is rejected under a restricted pod-security policy; the
      # cert-manager namespace must permit it.
      volumes:
        - name: etc-ssl-certs
          hostPath:
            path: /etc/ssl/certs
      volumeMounts:
        - name: etc-ssl-certs
          mountPath: /etc/ssl/certs
          readOnly: true
      # Pin every chart component (controller, webhook, cainjector and the
      # post-install API check) to control-plane nodes.
      nodeSelector:
        openstack-control-plane: enabled
      webhook:
        nodeSelector:
          openstack-control-plane: enabled
      cainjector:
        nodeSelector:
          openstack-control-plane: enabled
      startupapicheck:
        nodeSelector:
          openstack-control-plane: enabled
- name: Create issuer
  # The `openstack` Issuer's spec comes entirely from `cert_manager_issuer`;
  # because the whole value is a single Jinja expression, Ansible passes the
  # mapping through as a native structure. When it points at
  # `ca.secretName: root-secret`, the CA behind it is bootstrapped by the
  # block that follows — presumably cert-manager reconciles the Issuer once
  # that Secret exists (not verified here).
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        namespace: openstack
        name: openstack
      spec: "{{ cert_manager_issuer }}"
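- name: Bootstrap self-signed PKI
  # Runs only when the `openstack` Issuer is configured to sign with the CA
  # stored in `root-secret` (see the block-level `when` at the end). It asks
  # cert-manager for a self-signed root CA and then adds that CA to the host
  # trust store.
  #
  # Security note: every host process that reads the system trust store will
  # trust certificates minted with the key in `openstack/root-secret`; access
  # to that Secret must be treated as access to a trusted root CA key.
  block:
    - name: Create self-signed issuer
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: ClusterIssuer
          metadata:
            name: selfsigned-issuer
          spec:
            selfSigned: {}

    - name: Bootstrap a custom root certificate for a private PKI
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: cert-manager.io/v1
          kind: Certificate
          metadata:
            name: selfsigned-ca
            namespace: openstack
          spec:
            isCA: true
            commonName: selfsigned-ca
            # cert-manager writes the key/cert pair into this Secret.
            secretName: root-secret
            duration: 86400h  # 3600d (~9.9 years): long-lived root
            renewBefore: 360h  # 15d
            privateKey:
              algorithm: ECDSA
              size: 256  # P-256
            issuerRef:
              name: selfsigned-issuer
              kind: ClusterIssuer
              group: cert-manager.io

    - name: Wait till the root secret is created
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        name: root-secret
        namespace: openstack
        wait: true
        wait_sleep: 10
        wait_timeout: 300
      register: _openstack_helm_root_secret
      # Fail explicitly if the Secret is still absent (e.g. the wait timed
      # out) rather than with an index error on `resources[0]` in the next
      # task.
      failed_when: _openstack_helm_root_secret.resources | length == 0

    - name: Copy CA certificate on host
      # Debian-family layout: update-ca-certificates only picks up files with
      # a `.crt` suffix from /usr/local/share/ca-certificates.
      ansible.builtin.copy:
        content: "{{ _openstack_helm_root_secret.resources[0].data['tls.crt'] | b64decode }}"
        dest: "/usr/local/share/ca-certificates/self-signed-osh-ca.crt"
        mode: "0644"
      register: _openstack_helm_root_ca_copy

    - name: Update ca certificates on host
      # Rebuild the host trust store only when the CA file actually changed,
      # so the task reports a real change instead of being masked by a blanket
      # `changed_when: false` while still re-running on every play.
      ansible.builtin.command:
        cmd: update-ca-certificates
      when: _openstack_helm_root_ca_copy is changed
  when:
    - cert_manager_issuer.ca.secretName is defined
    - cert_manager_issuer.ca.secretName == "root-secret"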