Work on OVH provider

This commit is contained in:
Adrien Reslinger 2021-03-16 20:49:19 +01:00
parent 895fbff2fe
commit 2451ae0d2f
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
5 changed files with 48 additions and 4 deletions


@ -57,15 +57,35 @@
dest: tmp/cert-manager-webhook-ovh dest: tmp/cert-manager-webhook-ovh
- name: Deploy OVH webhook chart from local path - name: Deploy OVH webhook chart from local path
run_once: true
community.kubernetes.helm: community.kubernetes.helm:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
name: cert-manager-webhook-ovh name: cert-manager-webhook-ovh
chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
release_namespace: "{{ cert_manager_namespace }}" release_namespace: "{{ cert_manager_namespace }}"
values:
# groupName: '{{ cert_manager_issuer | selectattr('provider', 'match', 'ovh') | first }}'
groupName: '{{ cert_manager_issuer | json_query(\"[?provider=='ovh']\") | first }}'
# with_items:
# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}"
# when:
# - item.provider == "ovh"
- name: OVH WebHook dependency
k8s:
state: present
context: "{{ my_context }}"
apply: true
namespace: "{{ cert_manager_namespace }}"
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items:
- cert-manager-webhook-ovh-Role.yml.j2
- cert-manager-webhook-ovh-RoleBinding.yml.j2
when: when:
- false - false
- cert_manager_issuer is defined
- cert_manager_issuer.[].provider == "ovh" - cert_manager_issuer.[].provider == "ovh"
tags: cert-manager tags: cert-manager
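Review bot: The new `OVH WebHook dependency` task inherits the `when:` list that still begins with `- false`, so as rendered the Role and RoleBinding are never applied and the webhook ends up with no permission to read `ovh-api-key`; if the intent is to gate on an OVH issuer being configured, the `- false` entry has to go. `cert_manager_issuer.[].provider == "ovh"` is also not valid Jinja for a list — the selection already used for `groupName`, `cert_manager_issuer | json_query("[?provider=='ovh']") | length > 0`, expresses the same condition. Separately, `groupName: '{{ … | first }}'` yields the whole issuer mapping rather than a string, while the chart presumably expects the DNS-style group that the ClusterIssuer's `webhook.groupName` must match, so select a field of the mapping (for example `(… | first).groupName`) rather than the object. The helm task that this `when` appears to have belonged to before now seems to run unconditionally; worth confirming against the full file.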


@ -10,5 +10,5 @@ data:
{% elif item.provider == "route53" %} {% elif item.provider == "route53" %}
secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}" secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}"
{% elif item.provider == "ovh" %} {% elif item.provider == "ovh" %}
applicationSecret='4YHU8g4zsg7Id' applicationSecret='{{ cert_manager_issuer.applicationSecret | b64encode }}'
{% endif %} {% endif %}
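Review bot: Removing the literal OVH application secret from this template does not remove it from history — this signed commit still carries the old value in its diff — so that OVH application should be treated as compromised and its secret regenerated on the OVH side, not merely moved into a variable. The new line also uses `=` where the mapping needs `: `; inside `data:` a bare `applicationSecret='…'` scalar is not a key/value pair, unlike the `secret-access-key: "…"` line in the route53 branch, so it should read `applicationSecret: '{{ item.applicationSecret | b64encode }}'`. Note `item.applicationSecret` rather than `cert_manager_issuer.applicationSecret`: this template is rendered per issuer (`item.provider` above) and elsewhere `cert_manager_issuer` is handled as a list, so the current expression likely resolves to undefined. For parity with the route53 branch, fetching the value via `lookup('hashi_vault', …)` instead of a plain Ansible variable would keep the secret out of inventory files.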


@ -0,0 +1,10 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-ovh:secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["ovh-api-key"]
verbs: ["get", "watch"]
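Review bot: `watch` restricted by `resourceNames` only takes effect when the client watches with a `metadata.name` field selector; an informer that watches all secrets in the namespace is still forbidden, so either drop `watch` if the webhook only performs a `get`, or widen the rule deliberately rather than leaving a verb that looks granted but is not. A comment tying the name to its consumer would help the next maintainer, e.g. above `resourceNames`: `# Must match applicationSecretRef.name in the ClusterIssuer template (ovh-api-key).` The Role carries no `metadata.namespace` and relies on the `namespace:` passed by the Ansible `k8s` task, which works but is worth stating in a comment.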


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-ovh:secret-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-ovh:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-ovh
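Review bot: The ServiceAccount subject has no `namespace`, which the API server requires for `kind: ServiceAccount` subjects in a RoleBinding, so this object will be rejected on apply; add `namespace: "{{ cert_manager_namespace }}"` under the subject, the same namespace the Ansible task applies into. The subject name `cert-manager-webhook-ovh` must equal the ServiceAccount the Helm release actually creates — it matches the release name, which is presumably what the chart derives it from, but that is inferred and deserves a comment such as `# ServiceAccount created by the cert-manager-webhook-ovh Helm release`. `apiGroup: ""` on a ServiceAccount subject is correct.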


@ -1,3 +1,4 @@
---
apiVersion: cert-manager.io/v1alpha2 apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
@ -31,14 +32,14 @@ spec:
key: secret-access-key key: secret-access-key
{% elif i.provider == "ovh" %} {% elif i.provider == "ovh" %}
webhook: webhook:
groupName: 'acme.example.io' groupName: '{{ i.consumerKey }}'
solverName: ovh solverName: ovh
config: config:
endpoint: ovh-eu endpoint: ovh-eu
applicationKey: 'qdhYTYsd546Ssg5' applicationKey: '{{ i.applicationKey }}'
applicationSecretRef: applicationSecretRef:
name: ovh-api-key name: ovh-api-key
key: applicationSecret key: applicationSecret
consumerKey: 'vjdshGFDGShjusqqee4543dsjfndsjgf' consumerKey: '{{ i.consumerKey }}'
{% endif %} {% endif %}
{% endfor %} {% endfor %}
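Review bot: `groupName: '{{ i.consumerKey }}'` places the OVH consumer key — a credential — into the ClusterIssuer spec and into the webhook's API group name, where anyone able to read ClusterIssuers or APIServices sees it, and a secret is a poor group identifier anyway since it must match the chart's `groupName` exactly. Keep a DNS-style group here (`groupName: '{{ i.groupName }}'`, or the previous fixed `acme.example.io`) and supply the consumer key only under `config`. This commit moves `applicationSecret` behind a Secret ref, but `consumerKey` is still inlined in clear text; if the webhook supports a secret reference for it, the same treatment would apply. The `{% for i in … %}` loop this hunk closes starts outside the hunk.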