Reduce maintenance

Adrien Reslinger 2021-03-25 00:13:33 +01:00
parent 2451ae0d2f
commit 427d3af40f
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
12 changed files with 10 additions and 147 deletions


@ -1,13 +0,0 @@
#!/bin/bash
wget https://github.com/jetstack/cert-manager-csi/raw/master/deploy/cert-manager-csi-driver.yaml
kubernetes-split-yaml cert-manager-csi-driver.yaml > generated.log
if [ -d files/csi ]; then
rm -fr files/csi
fi
mv generated files/csi
echo -e "---\ncertmanager_csi_list:" > vars/files_list_csi.yml
cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "csi/\2"|' >> vars/files_list_csi.yml
rm -f generated.log cert-manager-csi-driver.yaml


@ -3,4 +3,4 @@ ingress_domain: "local"
cert_manager_namespace: "cert-manager" cert_manager_namespace: "cert-manager"
certmanager_csi: true certmanager_csi: true
certmanager_version: "1.1" certmanager_version: "1.2"


@ -1,8 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-csi
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificaterequests"]
verbs: ["get", "create", "delete", "update"]


@ -1,13 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-csi
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-csi
subjects:
- apiGroup:
kind: ServiceAccount
name: cert-manager-csi
namespace: cert-manager


@ -1,82 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cert-manager-csi
namespace: cert-manager
spec:
selector:
matchLabels:
app: cert-manager-csi
template:
metadata:
labels:
app: cert-manager-csi
spec:
serviceAccount: cert-manager-csi
containers:
- name: node-driver-registrar
image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "rm -rf /registration/cert-manager-csi /registration/cert-manager-csi-reg.sock"]
args:
- --v=5
- --csi-address=/plugin/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/cert-manager-csi/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: plugin-dir
mountPath: /plugin
- name: registration-dir
mountPath: /registration
- name: cert-manager-csi
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
image: gcr.io/jetstack-josh/cert-manager-csi:v0.1.0-alpha.1
imagePullPolicy: "IfNotPresent"
args :
- --node-id=$(NODE_ID)
- --endpoint=$(CSI_ENDPOINT)
- --data-root=/csi-data-dir
env:
- name: NODE_ID
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: CSI_ENDPOINT
value: unix://plugin/csi.sock
volumeMounts:
- name: plugin-dir
mountPath: /plugin
- name: pods-mount-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: "Bidirectional"
- name: csi-data-dir
mountPath: /csi-data-dir
volumes:
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/cert-manager-csi
type: DirectoryOrCreate
- name: pods-mount-dir
hostPath:
path: /var/lib/kubelet/pods
type: Directory
- hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
name: registration-dir
- hostPath:
path: /tmp/cert-manager-csi
type: DirectoryOrCreate
name: csi-data-dir


@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-csi
namespace: cert-manager


@ -1,8 +0,0 @@
apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
name: csi.cert-manager.io
spec:
podInfoOnMount: true
volumeLifecycleModes:
- Ephemeral


@ -1,9 +1,6 @@
--- ---
- name: CSI Cert Manager Setup - name: CSI Cert Manager Setup
block: block:
- name: Include vars for CSI
include_vars: "files_list_csi.yml"
- name: Define state to present - name: Define state to present
set_fact: set_fact:
certmanager_csi_state: "present" certmanager_csi_state: "present"
@ -20,10 +17,10 @@
k8s: k8s:
state: "{{ certmanager_csi_state }}" state: "{{ certmanager_csi_state }}"
context: "{{ my_context }}" context: "{{ my_context }}"
merge_type: merge apply: true
resource_definition: "{{ lookup('file', item) | from_yaml }}" definition: "{{ item }}"
with_items: with_items:
- '{{ certmanager_csi_list }}' - "{{ lookup('url', certmanager_csi_driver_url, split_lines=False) | from_yaml_all | list }}"
tags: tags:
- cert-manager - cert-manager
- storage - storage
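Review bot: The new `with_items` lookup downloads the CSI driver manifest at play time and applies every document in it to the cluster, and nothing checks what was downloaded. The default for `certmanager_csi_driver_url` (set in the last file section of this commit) points at the `master` branch, so the applied content can change between runs without any change in this repository. The vendored copy removed by this commit contained a ClusterRole, a ClusterRoleBinding and a privileged DaemonSet with `SYS_ADMIN` and hostPath mounts under `/var/lib/kubelet`, so whatever that URL serves is deployed with node-level privileges. I would pin the URL to a tag or commit and verify the file before applying it, for example a preceding `get_url` task with `checksum: "sha256:<EXPECTED_SHA256>"` whose output is then read with `lookup('file', ...) | from_yaml_all | list`. The `k8s` task starts above the second hunk, so its name and any `when:` condition are not visible here.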


@ -33,6 +33,8 @@
with_items: with_items:
- "{{ cert_manager_issuer }}" - "{{ cert_manager_issuer }}"
# Tempo ici
- name: Defined ClusterIssuers - name: Defined ClusterIssuers
k8s: k8s:
state: present state: present
@ -65,8 +67,8 @@
chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
release_namespace: "{{ cert_manager_namespace }}" release_namespace: "{{ cert_manager_namespace }}"
values: values:
# groupName: '{{ cert_manager_issuer | selectattr('provider', 'match', 'ovh') | first }}' # groupName: '{{ cert_manager_issuer | selectattr("provider", "match", "ovh") | first }}'
groupName: '{{ cert_manager_issuer | json_query(\"[?provider=='ovh']\") | first }}' groupName: '{{ cert_manager_issuer | json_query(\"[?provider=="ovh"]\") | first }}'
# with_items: # with_items:
# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}" # - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}"
# when: # when:
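Review bot: In the new `groupName` line the JMESPath comparison uses `"ovh"`, which JMESPath reads as a quoted identifier (a field named ovh) rather than a string literal, so the filter most likely matches no issuer. The `\"` sequences also stay as literal backslashes because the YAML scalar is single-quoted, and the Jinja expression is unlikely to parse with them. Swapping the outer quotes keeps both levels valid: `groupName: "{{ cert_manager_issuer | json_query(\"[?provider=='ovh']\") | first }}"`. As written the expression appears to yield the whole issuer entry rather than a group name; the task starts above the hunk, so I cannot confirm what the chart expects there.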


@ -10,5 +10,5 @@ data:
{% elif item.provider == "route53" %} {% elif item.provider == "route53" %}
secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}" secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}"
{% elif item.provider == "ovh" %} {% elif item.provider == "ovh" %}
applicationSecret='{{ cert_manager_issuer.applicationSecret | b64encode }}' applicationSecret: "{{ item.applicationSecret | b64encode }}"
{% endif %} {% endif %}
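Review bot: The OVH `applicationSecret` is now read from `item`, which presumably is an entry of the `cert_manager_issuer` variable, whereas the route53 branch just above takes its key from Vault through `hashi_vault`. Tasks that loop over `cert_manager_issuer` print each item in their output by default, so the secret would appear in run logs and CI output unless those tasks set `no_log: true` or a `loop_control` with `label: "{{ item.provider }}"`. For consistency with the route53 branch the value could come from Vault as well, along the lines of `lookup('hashi_vault', 'secret=<VAULT_PATH>:<KEY>')`; if it stays in the variable, that variable should at least be stored encrypted. The template's `data:` block begins outside the hunk, so the surrounding loop is inferred.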


@ -1,7 +0,0 @@
---
certmanager_csi_list:
- "csi/csi.cert-manager.io-CSIDriver.yaml"
- "csi/cert-manager-csi-ServiceAccount.yaml"
- "csi/cert-manager-csi-ClusterRole.yaml"
- "csi/cert-manager-csi-ClusterRoleBinding.yaml"
- "csi/cert-manager-csi-DaemonSet.yaml"


@ -1,2 +1,2 @@
user: "{{ ansible_user_id }}" user: "{{ ansible_user_id }}"
certmanager_upgrade: false certmanager_csi_driver_url: "https://github.com/jetstack/cert-manager-csi/raw/master/deploy/cert-manager-csi-driver.yaml"