roles/certificates/tasks/main.yml

# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Bootstrap PKI
  when:
    - atmosphere_issuer_config.type is defined
    - atmosphere_issuer_config.type in ("self-signed", "ca")
  block:
    - name: Wait till the secret is created
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        name: "{{ (atmosphere_issuer_config.type == 'self-signed') | ternary('cert-manager-selfsigned-ca', 'cert-manager-issuer-ca') }}"
        namespace: cert-manager
        wait: true
        wait_sleep: 1
        wait_timeout: 300
      register: _openstack_helm_root_secret

    - name: Copy CA certificate on host
      ansible.builtin.copy:
        content: "{{ _openstack_helm_root_secret.resources[0].data['tls.crt'] | b64decode }}"
        dest: "/usr/local/share/ca-certificates/self-signed-osh-ca.crt"
        mode: "0644"

    - name: Update CA certificates on host
      ansible.builtin.command:
        cmd: update-ca-certificates
      changed_when: false