Update role

defaults/main.yml

@@ -2,6 +2,6 @@ my_context: local
 ingress_domain: "local"
 cert_manager_namespace: "cert-manager"
 
-certmanager_csi: true
 certmanager_version: "1.8.0"
+certmanager_csi: true
 certmanager_csi_version: "0.2.0"

tasks/main.yml

@@ -15,55 +15,13 @@
       release_namespace: "{{ cert_manager_namespace }}"
       values:
         installCRDs: true
-        global:
+#        global:
-          podSecurityPolicy:
+#          podSecurityPolicy:
-            enabled: true
+#            enabled: true
-            useAppArmor: false
+#            useAppArmor: false
         extraArgs:
           - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
 
-  - name: Create Secret object for API Key authentification
-    kubernetes.core.k8s:
-      state: present
-      context: "{{ my_context }}"
-      apply: true
-      namespace: "{{ cert_manager_namespace }}"
-      resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}"
-    when:
-      - cert_manager_issuer is defined
-    with_items:
-      - "{{ cert_manager_issuer }}"
-
-# Tempo ici
-
-  - name: Define SelfSigned ClusterIssuer
-    kubernetes.core.k8s:
-      state: present
-      context: "{{ my_context }}"
-#      namespace: "cert-manager"
-      definition:
-        apiVersion: cert-manager.io/v1
-        kind: ClusterIssuer
-        metadata:
-          name: selfsigned
-        spec:
-          selfSigned: {}
-
-  - name: Defined ClusterIssuers
-    kubernetes.core.k8s:
-      state: present
-      context: "{{ my_context }}"
-      apply: true
-      namespace: "{{ cert_manager_namespace }}"
-      resource_definition: "{{ lookup('template', item) | from_yaml }}"
-#    debug:
-#      msg: "{{ lookup('template', item) | from_yaml }}"
-    with_items:
-      - clusterissuer.yml.j2
-    when:
-#      - false
-      - cert_manager_issuer is defined
-
 # https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh
   - name: Install OVH webhook
     block:
@@ -145,6 +103,45 @@
       - cert_manager_issuer is defined
       - cert_manager_issuer.[].provider == "step"
 
+  - name: Add ClusterIssuers
+    block:
+    - name: Create Secret object for API Key authentification
+      kubernetes.core.k8s:
+        state: present
+        context: "{{ my_context }}"
+        apply: true
+        namespace: "{{ cert_manager_namespace }}"
+        resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}"
+
+# Tempo ici
+
+#    - name: Define SelfSigned ClusterIssuer
+#      kubernetes.core.k8s:
+#        state: present
+#        context: "{{ my_context }}"
+##        namespace: "{{ cert_manager_namespace }}"
+#        definition:
+#          apiVersion: cert-manager.io/v1
+#          kind: ClusterIssuer
+#          metadata:
+#            name: selfsigned
+#          spec:
+#            selfSigned: {}
+
+    - name: Defined ClusterIssuers
+      kubernetes.core.k8s:
+        state: present
+        context: "{{ my_context }}"
+        apply: true
+        namespace: "{{ cert_manager_namespace }}"
+        resource_definition: "{{ lookup('template', 'clusterissuer.yml.j2') | from_yaml }}"
+#      debug:
+#        msg: "{{ lookup('template', item) | from_yaml }}"
+
+    with_items:
+      - "{{ cert_manager_issuer }}"
+    when:
+      - cert_manager_issuer is defined
 
   tags: cert-manager
 
@@ -157,7 +154,7 @@
     chart_ref: jetstack/cert-manager-csi-driver
     chart_version: "{{ certmanager_csi_version }}"
     create_namespace: yes
-    release_namespace: "cert-manager"
+    release_namespace: "{{ cert_manager_namespace }}"
   when:
     - certmanager_csi|bool
   tags:

templates/api-key-secret.yml.j2

@@ -6,7 +6,7 @@ metadata:
 type: Opaque
 data:
 {% if item.provider == "cloudflare" %}
-  api-key: "{{ item.api_key | b64encode }}"
+  api-key: "{{ item.cloudflare_api_key | b64encode }}"
 {% elif item.provider == "route53" %}
   secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}"
 {% elif item.provider == "ovh" %}

templates/clusterissuer.yml.j2

@@ -2,28 +2,39 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: letsencrypt-prod
+  name: {{ item.name }}
 spec:
+{% if acme_provider is defined %}
   acme:
+{% if acme_provider == "letsencrypt" %}
     email: "{{ cert_manager_acme_email }}"
     server: https://acme-v02.api.letsencrypt.org/directory
     privateKeySecretRef:
-      name: letsencrypt-prod-account-key
+      name: {{ item.name }}-account-key
+{% elif acme_provider == "zerossl" %}
+    server: https://acme.zerossl.com/v2/DV90
+    externalAccountBinding:
+      keyID: YOUR_EAB_KID
+      keySecretRef:
+        name: zero-sll-eabsecret
+        key: secret
+      keyAlgorithm: HS256
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ item.name }}-prod
+{% endif %}
 
     solvers:
-{% for i in cert_manager_issuer %}
+{% for i in item %}
-    - selector:
+    - {{ i.solver }}:
-        dnsZones:
-          - "{{ i.domain }}"
-      {{ i.solver }}:
 {% if i.solver == "dns01" %}
-{% if i.provider == "cloudflare" %}
+{% if i.dns_provider == "cloudflare" %}
         cloudflare:
-          email: "{{ i.email }}"
+          email: "{{ i.cloudflare_email }}"
           apiKeySecretRef:
             name: cloudflare-api-key
             key: api-key
-{% elif i.provider == "route53" %}
+{% elif i.dns_provider == "route53" %}
         route53:
             region: us-west-3
             hostedZoneID: {{ route53_hostzoneid_exemplecom }}
@@ -31,7 +42,7 @@ spec:
             secretAccessKeySecretRef:
               name: route53-api-key
               key: secret-access-key
-{% elif i.provider == "ovh" %}
+{% elif i.dns_provider == "ovh" %}
         webhook:
           groupName: '{{ i.consumerKey }}'
           solverName: ovh
@@ -47,4 +58,10 @@ spec:
         ingress:
           class: traefik
 {% endif %}
+      selector:
+        dnsZones:
+          - "{{ i.domain }}"
 {% endfor %}
+{% else %}
+  selfSigned: {}
+{% endif %}