From 444ed560eba8692d262ab18de85b547d396695af Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 10 Apr 2022 14:36:22 +0200
Subject: [PATCH] Update role
---
 defaults/main.yml | 2 +-
 tasks/main.yml | 91 ++++++++++++++++-----------------
 templates/api-key-secret.yml.j2 | 2 +-
 templates/clusterissuer.yml.j2 | 39 ++++++++++----
 4 files changed, 74 insertions(+), 60 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 79a74a7..6cbb7c0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,6 @@
 my_context: local
 ingress_domain: "local"
 cert_manager_namespace: "cert-manager"
-certmanager_csi: true
 certmanager_version: "1.8.0"
+certmanager_csi: true
 certmanager_csi_version: "0.2.0"
diff --git a/tasks/main.yml b/tasks/main.yml
index 2185d21..436e5d0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,55 +15,13 @@ release_namespace: "{{ cert_manager_namespace }}" values: installCRDs: true - global: - podSecurityPolicy: - enabled: true - useAppArmor: false +# global: +# podSecurityPolicy: +# enabled: true +# useAppArmor: false extraArgs: - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - - name: Create Secret object for API Key authentification - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - apply: true - namespace: "{{ cert_manager_namespace }}" - resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}" - when: - - cert_manager_issuer is defined - with_items: - - "{{ cert_manager_issuer }}" - -# Tempo ici - - - name: Define SelfSigned ClusterIssuer - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" -# namespace: "cert-manager" - definition: - apiVersion: cert-manager.io/v1 - kind: ClusterIssuer - metadata: - name: selfsigned - spec: - selfSigned: {} - - - name: Defined ClusterIssuers - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - apply: true - namespace: "{{ cert_manager_namespace }}" - resource_definition: "{{ lookup('template', item) | from_yaml }}" -# debug: -# msg: "{{ lookup('template', item) | from_yaml }}" - with_items: - - clusterissuer.yml.j2 - when: -# - false - - cert_manager_issuer is defined - # https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh - name: Install OVH webhook block: 
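Review bot: The chart values `podSecurityPolicy.enabled: true` and `useAppArmor: false` are commented out rather than removed, with no record of why, so the cert-manager pods now deploy without the PodSecurityPolicy the role previously enabled. If this is because PSP is deprecated on the target clusters, state it and name the replacement; otherwise the hardening was dropped by accident. A comment above the commented block such as `# PSP disabled: PodSecurityPolicy is deprecated (k8s >= 1.21); enforce via Pod Security Admission namespace labels instead` would make the intent explicit, after which the dead lines should be deleted instead of kept as a commented block. The Helm install task that owns this `values:` mapping starts outside the hunk.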
@@ -145,6 +103,45 @@ - cert_manager_issuer is defined - cert_manager_issuer.[].provider == "step" + - name: Add ClusterIssuers + block: + - name: Create Secret object for API Key authentification + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + apply: true + namespace: "{{ cert_manager_namespace }}" + resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}" + +# Tempo ici + +# - name: Define SelfSigned ClusterIssuer +# kubernetes.core.k8s: +# state: present +# context: "{{ my_context }}" +## namespace: "{{ cert_manager_namespace }}" +# definition: +# apiVersion: cert-manager.io/v1 +# kind: ClusterIssuer +# metadata: +# name: selfsigned +# spec: +# selfSigned: {} + + - name: Defined ClusterIssuers + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + apply: true + namespace: "{{ cert_manager_namespace }}" + resource_definition: "{{ lookup('template', 'clusterissuer.yml.j2') | from_yaml }}" +# debug: +# msg: "{{ lookup('template', item) | from_yaml }}" + + with_items: + - "{{ cert_manager_issuer }}" + when: + - cert_manager_issuer is defined tags: cert-manager @@ -157,7 +154,7 @@ chart_ref: jetstack/cert-manager-csi-driver chart_version: "{{ certmanager_csi_version }}" create_namespace: yes - release_namespace: "cert-manager" + release_namespace: "{{ cert_manager_namespace }}" when: - certmanager_csi|bool tags: diff --git a/templates/api-key-secret.yml.j2 b/templates/api-key-secret.yml.j2 index 87799b2..5af3008 100644 --- a/templates/api-key-secret.yml.j2 +++ b/templates/api-key-secret.yml.j2 @@ -6,7 +6,7 @@ metadata: type: Opaque data: {% if item.provider == "cloudflare" %} - api-key: "{{ item.api_key | b64encode }}" + api-key: "{{ item.cloudflare_api_key | b64encode }}" {% elif item.provider == "route53" %} secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}" {% elif item.provider == "ovh" %} 
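Review bot: `with_items: "{{ cert_manager_issuer }}"` appears to sit on the `Add ClusterIssuers` block itself rather than on the tasks inside it (indentation is collapsed here, so this is inferred from the blank line that precedes it); Ansible blocks do not accept loops, and if it instead belongs only to the last task, the `Create Secret object` task references `item` in its template without any loop and fails on an undefined variable. Give each of the two tasks its own `loop: "{{ cert_manager_issuer }}"` and drop the block-level loop. The secret task also renders a base64-encoded API key into `resource_definition`, which is printed in verbose and `--diff` output, so it should carry `no_log: true`. The outer block that ends with `tags: cert-manager` starts outside the hunk.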
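Review bot: The Cloudflare branch now reads `item.cloudflare_api_key` directly from the issuer variable, while the route53 branch beside it fetches its secret with `lookup('hashi_vault', ...)`; unless `cert_manager_issuer` lives in an ansible-vault-encrypted file, the Cloudflare key ends up in plaintext inventory, so a matching Vault lookup would be consistent and safer. Separately, this template still dispatches on `item.provider`, whereas the reworked `clusterissuer.yml.j2` in this commit dispatches on `dns_provider` for the same `cert_manager_issuer` entries — unless those are deliberately two distinct keys, one of the two templates is reading a key the data does not have. The `{% elif %}` chain continues past the hunk.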
diff --git a/templates/clusterissuer.yml.j2 b/templates/clusterissuer.yml.j2 index d077982..0d7cf37 100644 --- a/templates/clusterissuer.yml.j2 +++ b/templates/clusterissuer.yml.j2 @@ -2,28 +2,39 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: letsencrypt-prod + name: {{ item.name }} spec: +{% if acme_provider is defined %} acme: +{% if acme_provider == "letsencrypt" %} email: "{{ cert_manager_acme_email }}" server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: - name: letsencrypt-prod-account-key + name: {{ item.name }}-account-key +{% elif acme_provider == "zerossl" %} + server: https://acme.zerossl.com/v2/DV90 + externalAccountBinding: + keyID: YOUR_EAB_KID + keySecretRef: + name: zero-sll-eabsecret + key: secret + keyAlgorithm: HS256 + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: {{ item.name }}-prod +{% endif %} solvers: -{% for i in cert_manager_issuer %} - - selector: - dnsZones: - - "{{ i.domain }}" - {{ i.solver }}: +{% for i in item %} + - {{ i.solver }}: {% if i.solver == "dns01" %} -{% if i.provider == "cloudflare" %} +{% if i.dns_provider == "cloudflare" %} cloudflare: - email: "{{ i.email }}" + email: "{{ i.cloudflare_email }}" apiKeySecretRef: name: cloudflare-api-key key: api-key -{% elif i.provider == "route53" %} +{% elif i.dns_provider == "route53" %} route53: region: us-west-3 hostedZoneID: {{ route53_hostzoneid_exemplecom }} @@ -31,7 +42,7 @@ spec: secretAccessKeySecretRef: name: route53-api-key key: secret-access-key -{% elif i.provider == "ovh" %} +{% elif i.dns_provider == "ovh" %} webhook: groupName: '{{ i.consumerKey }}' solverName: ovh @@ -47,4 +58,10 @@ spec: ingress: class: traefik {% endif %} + selector: + dnsZones: + - "{{ i.domain }}" {% endfor %} +{% else %} + selfSigned: {} +{% endif %}
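Review bot: `{% for i in item %}` iterates over a single `cert_manager_issuer` entry; if that entry is a mapping (the template reads `item.name` from it a few lines up), Jinja yields its key names and `i.solver` / `i.dns_provider` are then looked up on strings, so the solver list is empty or errors under Ansible's undefined checking — presumably this wants a list such as `{% for i in item.solvers %}`. The zerossl branch also ships a literal `keyID: YOUR_EAB_KID` and a secret named `zero-sll-eabsecret`, so any issuer rendered with `acme_provider == "zerossl"` cannot register; the EAB key ID belongs in a variable (`keyID: "{{ item.eab_kid }}"`) and the secret name should be spelled consistently with whatever creates it. For Cloudflare, `apiKeySecretRef` expects the account-wide Global API Key; cert-manager's Cloudflare solver also accepts a zone-scoped token via `apiTokenSecretRef`, which limits the blast radius if the Secret leaks. The zerossl `privateKeySecretRef` is `{{ item.name }}-prod` while the letsencrypt branch uses `{{ item.name }}-account-key`; align them. The `spec:` mapping continues in the following hunks.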
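Review bot: The `{% else %} selfSigned: {} {% endif %}` fallback keys on the play-level `acme_provider`, so a run that sets it no longer creates any self-signed ClusterIssuer, whereas the task removed earlier in this commit applied a `selfsigned` ClusterIssuer unconditionally; anything in the cluster that referenced it (the CSI driver installed by this role is a plausible consumer) would break. Deciding per entry, `{% if item.acme_provider is defined %}` … `{% else %} selfSigned: {}`, lets one `cert_manager_issuer` list declare both ACME and self-signed issuers. The new `selector.dnsZones` entry is also emitted for every solver, including the http01 branch; a solver entry without `domain` either fails on an undefined variable or renders an empty zone, so guard it with `{% if i.domain is defined %}`. The `solvers:` list and the enclosing `{% if acme_provider is defined %}` start in the previous hunk.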