diff --git a/defaults/main.yml b/defaults/main.yml
index 2b3024e..a6ae0b3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,6 @@
 my_context: local
 ingress_domain: "local"
 cert_manager_namespace: "cert-manager"
-certmanager_version: "1.8.2"
+certmanager_version: "1.9.0"
 certmanager_csi: true
 certmanager_csi_version: "0.3.0"
diff --git a/meta/main.yml b/meta/main.yml
index 7ee7f2e..feb6f81 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -6,6 +6,6 @@ galaxy_info:
 galaxy_tags: []
 license: GPL2
 platforms:
- - name: kubernetes
- version:
- - all
+ - name: kubernetes
+ version:
+ - all
diff --git a/tasks/main.yml b/tasks/main.yml
index 411c322..6e2a220 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,142 +1,142 @@ - name: Cert Manager setup block: - - name: Defined jetstack repository - kubernetes.core.helm_repository: - name: jetstack - repo_url: "https://charts.jetstack.io" + - name: Defined jetstack repository + kubernetes.core.helm_repository: + name: jetstack + repo_url: "https://charts.jetstack.io" - - name: Deploy latest version of Cert-Manager - kubernetes.core.helm: - context: "{{ my_context }}" - name: cert-manager - chart_ref: jetstack/cert-manager - chart_version: "{{ certmanager_version }}" - create_namespace: yes - release_namespace: "{{ cert_manager_namespace }}" - values: - installCRDs: true -# global: -# podSecurityPolicy: -# enabled: true -# useAppArmor: false - extraArgs: - - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - -# https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh - - name: Install OVH webhook - block: - - name: Git clone stable repo on HEAD - ansible.builtin.git: - repo: "https://github.com/baarde/cert-manager-webhook-ovh.git" - dest: tmp/cert-manager-webhook-ovh - - - name: Deploy OVH webhook chart from local path - run_once: true + - name: Deploy latest version of Cert-Manager kubernetes.core.helm: - state: present context: "{{ my_context }}" - name: cert-manager-webhook-ovh - chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh + name: cert-manager + chart_ref: jetstack/cert-manager + chart_version: "{{ certmanager_version }}" + create_namespace: true release_namespace: "{{ cert_manager_namespace }}" values: -# groupName: '{{ cert_manager_issuer | selectattr("provider", "match", "ovh") | first }}' - groupName: '{{ cert_manager_issuer | json_query(\"[?provider=="ovh"]\") | first }}' -# with_items: -# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}" -# when: -# - item.provider == "ovh" + installCRDs: true +# global: +# podSecurityPolicy: +# enabled: true +# useAppArmor: false + extraArgs: + - 
--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - - name: OVH WebHook dependency - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - apply: true - namespace: "{{ cert_manager_namespace }}" - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - cert-manager-webhook-ovh-Role.yml.j2 - - cert-manager-webhook-ovh-RoleBinding.yml.j2 +# https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh + - name: Install OVH webhook + block: + - name: Git clone stable repo on HEAD + ansible.builtin.git: + repo: "https://github.com/baarde/cert-manager-webhook-ovh.git" + dest: tmp/cert-manager-webhook-ovh - when: - - false - - cert_manager_issuer is defined - - cert_manager_issuer.[].provider == "ovh" + - name: Deploy OVH webhook chart from local path + run_once: true + kubernetes.core.helm: + state: present + context: "{{ my_context }}" + name: cert-manager-webhook-ovh + chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh + release_namespace: "{{ cert_manager_namespace }}" + values: +# groupName: '{{ cert_manager_issuer | selectattr("provider", "match", "ovh") | first }}' + groupName: '{{ cert_manager_issuer | json_query(\"[?provider=="ovh"]\") | first }}' +# with_items: +# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}" +# when: +# - item.provider == "ovh" + + - name: OVH WebHook dependency + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + apply: true + namespace: "{{ cert_manager_namespace }}" + resource_definition: "{{ lookup('template', item) | from_yaml }}" + with_items: + - cert-manager-webhook-ovh-Role.yml.j2 + - cert-manager-webhook-ovh-RoleBinding.yml.j2 + + when: + - false + - cert_manager_issuer is defined + - cert_manager_issuer.[].provider == "ovh" # https://smallstep.com/ # https://github.com/smallstep/step-issuer - - name: Install Step webhook - block: -# - name: SmallStep PVC -# kubernetes.core.k8s: -# state: present 
-# context: "{{ my_context }}" -# namespace: "cert-manager" -# resource_definition: "{{ lookup('template', 'smallstep-pvc.yml.j2') | from_yaml }}" - - name: Defined smallstep repository - kubernetes.core.helm_repository: - name: smallstep - repo_url: "https://smallstep.github.io/helm-charts/" - # https://github.com/smallstep/step-issuer - - name: Deploy step-certificates chart - kubernetes.core.helm: - state: present - name: step-certificates - context: "{{ my_context }}" - chart_ref: smallstep/step-certificates - release_namespace: "{{ cert_manager_namespace }}" -# values: -# ca: -# provisioner: -# name: "admin" -# db: -# existingClaim: smallstep - # https://github.com/smallstep/helm-charts/tree/master/step-issuer - - name: Deploy step-certificates chart - kubernetes.core.helm: - state: present - name: step-issuer - context: "{{ my_context }}" - chart_ref: smallstep/step-issuer - release_namespace: "{{ cert_manager_namespace }}" - when: - - false - - cert_manager_issuer is defined - - cert_manager_issuer.[].provider == "step" - - - name: Add ClusterIssuers - block: - - name: Create Secret object for API Key authentification - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - apply: true - namespace: "{{ cert_manager_namespace }}" - resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml_all }}" - with_items: - - "{{ cert_manager_issuer }}" - #- "{{ cert_manager_issuer | json_query(\"solvers.[?solver=="dns01"]\") }}" + - name: Install Step webhook + block: +# - name: SmallStep PVC +# kubernetes.core.k8s: +# state: present +# context: "{{ my_context }}" +# namespace: "cert-manager" +# resource_definition: "{{ lookup('template', 'smallstep-pvc.yml.j2') | from_yaml }}" + - name: Defined smallstep repository + kubernetes.core.helm_repository: + name: smallstep + repo_url: "https://smallstep.github.io/helm-charts/" + # https://github.com/smallstep/step-issuer + - name: Deploy step-certificates chart + kubernetes.core.helm: + 
state: present + name: step-certificates + context: "{{ my_context }}" + chart_ref: smallstep/step-certificates + release_namespace: "{{ cert_manager_namespace }}" +# values: +# ca: +# provisioner: +# name: "admin" +# db: +# existingClaim: smallstep + # https://github.com/smallstep/helm-charts/tree/master/step-issuer + - name: Deploy step-certificates chart + kubernetes.core.helm: + state: present + name: step-issuer + context: "{{ my_context }}" + chart_ref: smallstep/step-issuer + release_namespace: "{{ cert_manager_namespace }}" when: - - item.acme_provider is defined - - item.solvers is defined - #- item.solvers.[].solver == "dns01" - #- item.solvers.[].dns_provider is defined + - false + - cert_manager_issuer is defined + - cert_manager_issuer.[].provider == "step" + + - name: Add ClusterIssuers + block: + - name: Create Secret object for API Key authentification + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + apply: true + namespace: "{{ cert_manager_namespace }}" + resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml_all }}" + with_items: + - "{{ cert_manager_issuer }}" + # - "{{ cert_manager_issuer | json_query(\"solvers.[?solver=="dns01"]\") }}" + when: + - item.acme_provider is defined + - item.solvers is defined + # - item.solvers.[].solver == "dns01" + # - item.solvers.[].dns_provider is defined # Tempo ici - - name: Defined ClusterIssuers - kubernetes.core.k8s: - state: present - context: "{{ my_context }}" - apply: true - namespace: "{{ cert_manager_namespace }}" - resource_definition: "{{ lookup('template', 'clusterissuer.yml.j2') | from_yaml }}" -# debug: -# msg: "{{ lookup('template', item) | from_yaml }}" - with_items: - - "{{ cert_manager_issuer }}" + - name: Defined ClusterIssuers + kubernetes.core.k8s: + state: present + context: "{{ my_context }}" + apply: true + namespace: "{{ cert_manager_namespace }}" + resource_definition: "{{ lookup('template', 'clusterissuer.yml.j2') | from_yaml }}" + # 
debug: + # msg: "{{ lookup('template', item) | from_yaml }}" + with_items: + - "{{ cert_manager_issuer }}" - when: - - cert_manager_issuer is defined + when: + - cert_manager_issuer is defined tags: cert-manager @@ -148,7 +148,7 @@ name: cert-manager-csi-driver chart_ref: jetstack/cert-manager-csi-driver chart_version: "{{ certmanager_csi_version }}" - create_namespace: yes + create_namespace: true release_namespace: "{{ cert_manager_namespace }}" when: - certmanager_csi|bool
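Review bot: The `Create Secret object for API Key authentification` task renders `api-key-secret.yml.j2` for every `cert_manager_issuer` entry without `no_log`, so the rendered Secret manifest and the full `item` (used as the loop label) are printed in `-v`/`--diff` output and kept in any registered result; add `no_log: true` to that task — I cannot see the template, so this assumes the issuer entries carry the API key material that ends up in the Secret. The `Git clone stable repo on HEAD` task pulls a third-party chart with no `version:` pin, so once the `when: - false` gate is lifted an upstream push to that repository changes what gets deployed into the cert-manager namespace; pin it with `version: "<tag-or-commit-sha>"` before enabling the block. The `cert_manager_issuer.[].provider == "ovh"` (and `"step"`) conditions are not valid Jinja and only avoid a template error because the preceding `false` short-circuits the `when` list; replace them with `cert_manager_issuer | selectattr('provider', 'equalto', 'ovh') | list | length > 0` when the gate is removed.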