Work on OVH provider

2021-03-16 20:49:19 +01:00 · 2021-03-16 20:49:19 +01:00 · 2451ae0d2f
commit 2451ae0d2f
parent 895fbff2fe
5 changed files with 48 additions and 4 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -57,15 +57,35 @@
        dest: tmp/cert-manager-webhook-ovh

    - name: Deploy OVH webhook chart from local path
+      run_once: true
      community.kubernetes.helm:
        state: present
        context: "{{ my_context }}"
        name: cert-manager-webhook-ovh
        chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
        release_namespace: "{{ cert_manager_namespace }}"
+        values:
+#          groupName: '{{ cert_manager_issuer | selectattr('provider', 'match', 'ovh') | first }}'
+          groupName: '{{ cert_manager_issuer | json_query(\"[?provider=='ovh']\") | first }}'
+#      with_items:
+#        - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}"
+#      when:
+#        - item.provider == "ovh"
+
+    - name: OVH WebHook dependency
+      k8s:
+        state: present
+        context: "{{ my_context }}"
+        apply: true
+        namespace: "{{ cert_manager_namespace }}"
+        resource_definition: "{{ lookup('template', item) | from_yaml }}"
+      with_items:
+        - cert-manager-webhook-ovh-Role.yml.j2
+        - cert-manager-webhook-ovh-RoleBinding.yml.j2

    when:
      - false
+      - cert_manager_issuer is defined
      - cert_manager_issuer.[].provider == "ovh"

  tags: cert-manager
--- a/templates/api-key-secret.yml.j2
+++ b/templates/api-key-secret.yml.j2
@ -10,5 +10,5 @@ data:
 {% elif item.provider == "route53" %}
  secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}"
 {% elif item.provider == "ovh" %}
-  applicationSecret='4YHU8g4zsg7Id'
+  applicationSecret='{{ cert_manager_issuer.applicationSecret | b64encode }}'
 {% endif %}
--- a/templates/cert-manager-webhook-ovh-Role.yml.j2
+++ b/templates/cert-manager-webhook-ovh-Role.yml.j2
@ -0,0 +1,10 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["ovh-api-key"]
+  verbs: ["get", "watch"]
--- a/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2
+++ b/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2
@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-ovh:secret-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook-ovh
--- a/templates/clusterissuer.yml.j2
+++ b/templates/clusterissuer.yml.j2
@ -1,3 +1,4 @@
+---
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
@ -31,14 +32,14 @@ spec:
              key: secret-access-key
 {% elif i.provider == "ovh" %}
        webhook:
-          groupName: 'acme.example.io'
+          groupName: '{{ i.consumerKey }}'
          solverName: ovh
          config:
            endpoint: ovh-eu
-            applicationKey: 'qdhYTYsd546Ssg5'
+            applicationKey: '{{ i.applicationKey }}'
            applicationSecretRef:
              name: ovh-api-key
              key: applicationSecret
-            consumerKey: 'vjdshGFDGShjusqqee4543dsjfndsjgf'
+            consumerKey: '{{ i.consumerKey }}'
 {% endif %}
 {% endfor %}