diff --git a/tasks/main.yml b/tasks/main.yml
index 6e2a220..746e16d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,14 @@
 - name: Cert Manager setup
   block:
+  - name: Deploy Cert-Manager CRD
+    kubernetes.core.k8s:
+      state: "present"
+      context: "{{ my_context }}"
+      namespace: "{{ cert_manager_namespace }}"
+      apply: yes
+      definition:
+        "{{ lookup('url', 'https://github.com/cert-manager/cert-manager/releases/download/v' + certmanager_version + '/cert-manager.crds.yaml', split_lines=False) | from_yaml_all }}"
+
   - name: Defined jetstack repository
     kubernetes.core.helm_repository:
       name: jetstack
@@ -14,7 +23,7 @@
       create_namespace: true
       release_namespace: "{{ cert_manager_namespace }}"
       values:
-        installCRDs: true
+        installCRDs: false
       # global:
       #   podSecurityPolicy:
       #     enabled: true
@@ -23,6 +32,7 @@
         - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
 
 # https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh
+# https://github.com/aureq/cert-manager-webhook-ovh ?
 - name: Install OVH webhook
   block:
   - name: Git clone stable repo on HEAD
@@ -30,6 +40,7 @@
       repo: "https://github.com/baarde/cert-manager-webhook-ovh.git"
       dest: tmp/cert-manager-webhook-ovh
 
+  # groupname devrait avoir une valeur type {{ item.solvers.consumerKey }}
   - name: Deploy OVH webhook chart from local path
     run_once: true
     kubernetes.core.helm:
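Review bot: The CRD manifest in `Deploy Cert-Manager CRD` is fetched from GitHub at run time and applied to the cluster with no integrity check, so whatever that URL serves is what gets installed; pin the expected digest (for example fetch with `ansible.builtin.get_url` and its `checksum` option, or vendor the file for the pinned version) instead of piping `lookup('url', ...)` straight into `kubernetes.core.k8s`. On most ansible-core versions `from_yaml_all` yields a generator rather than a list, so the expression should end in `| from_yaml_all | list`; the same applies to the `resource_definition` of the `OVH WebHook RBAC` task in the hunk at `@@ -39,28 +50,25 @@`. `apply: yes` is the only truthy-style boolean in the file while the sibling tasks write `apply: true`, and `state: "present"` is quoted where the others are plain. The variable is spelled `certmanager_version` whereas every other variable here uses the `cert_manager_` prefix, so it is worth confirming that is the name actually defined in the role's defaults.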
@@ -39,28 +50,25 @@ chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh release_namespace: "{{ cert_manager_namespace }}" values: -# groupName: '{{ cert_manager_issuer | selectattr("provider", "match", "ovh") | first }}' - groupName: '{{ cert_manager_issuer | json_query(\"[?provider=="ovh"]\") | first }}' +# groupName: '{{ cert_manager_issuer | selectattr("dns_provider", "match", "ovh") | first }}' + groupName: '{{ cert_manager_issuer | json_query(\"[?dns_provider=="ovh"]\") | first }}' # with_items: -# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}" +# - "{{ cert_manager_issuer | selectattr('ovh', 'in', dns_provider) }}" # when: # - item.provider == "ovh" - - name: OVH WebHook dependency + - name: OVH WebHook RBAC kubernetes.core.k8s: state: present context: "{{ my_context }}" apply: true namespace: "{{ cert_manager_namespace }}" - resource_definition: "{{ lookup('template', item) | from_yaml }}" - with_items: - - cert-manager-webhook-ovh-Role.yml.j2 - - cert-manager-webhook-ovh-RoleBinding.yml.j2 + resource_definition: "{{ lookup('template', 'cert-manager-webhook-ovh-rbac.yml.j2') | from_yaml_all }}" when: - false - cert_manager_issuer is defined - - cert_manager_issuer.[].provider == "ovh" + - cert_manager_issuer.[].dns_provider == "ovh" # https://smallstep.com/ # https://github.com/smallstep/step-issuer 
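Review bot: The renamed condition `- cert_manager_issuer.[].dns_provider == "ovh"` is JMESPath-style syntax that Jinja cannot parse in a `when` list; a Jinja form such as `- cert_manager_issuer | selectattr('dns_provider', 'defined') | selectattr('dns_provider', 'equalto', 'ovh') | list | length > 0` expresses the intent. The `- false` entry above it is kept, so the `OVH WebHook RBAC` task still never runs and the Role/RoleBinding that limits reads to the `ovh-api-key` Secret is never applied — presumably deliberate while the webhook is being evaluated, but a comment saying so would stop the next reader from hunting for the bug. In `groupName` the `\"` inside a single-quoted YAML scalar appears to reach Jinja as a literal backslash, which its lexer rejects; the commented-out `selectattr` variant directly above is the portable form. The enclosing `Install OVH webhook` block starts before this hunk.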
@@ -105,6 +113,26 @@
 
 - name: Add ClusterIssuers
   block:
+  - name: Create Secret object for ZeroSSL API Key authentification
+    kubernetes.core.k8s:
+      state: present
+      context: "{{ my_context }}"
+      apply: true
+      namespace: "{{ cert_manager_namespace }}"
+      definition:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: zero-ssl-eabsecret
+        data:
+          secret: "{{ item.zerossl_eab_hmac_key | b64encode }}"
+    with_items:
+      - "{{ cert_manager_issuer }}"
+      # - "{{ cert_manager_issuer | json_query(\"solvers.[?solver=="dns01"]\") }}"
+    when:
+      - item.acme_provider is defined
+      - item.acme_provider == "zerossl"
+
   - name: Create Secret object for API Key authentification
     kubernetes.core.k8s:
       state: present
diff --git a/templates/cert-manager-webhook-ovh-Role.yml.j2 b/templates/cert-manager-webhook-ovh-Role.yml.j2
deleted file mode 100644
index 4c246be..0000000
--- a/templates/cert-manager-webhook-ovh-Role.yml.j2
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-webhook-ovh:secret-reader
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames: ["ovh-api-key"]
-  verbs: ["get", "watch"]
diff --git a/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2 b/templates/cert-manager-webhook-ovh-rbac.yml.j2
similarity index 58%
rename from templates/cert-manager-webhook-ovh-RoleBinding.yml.j2
rename to templates/cert-manager-webhook-ovh-rbac.yml.j2
index 5bc1c5a..521bd0a 100644
--- a/templates/cert-manager-webhook-ovh-RoleBinding.yml.j2
+++ b/templates/cert-manager-webhook-ovh-rbac.yml.j2
@@ -1,5 +1,15 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["ovh-api-key"]
+  verbs: ["get", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: cert-manager-webhook-ovh:secret-reader
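Review bot: The Secret created in `Create Secret object for ZeroSSL API Key authentification` is named `zero-ssl-eabsecret`, but the ClusterIssuer template in the `templates/clusterissuer.yml.j2` section references `name: zero-sll-eabsecret`, so the EAB `keySecretRef` points at a Secret that does not exist; the two spellings must agree (the template's `sll` looks like the typo). The task loops over `cert_manager_issuer` with the HMAC key as an item field and has no `no_log: true`, so the key is printed in task output and in any callback log; add `no_log: true` beside `with_items`. Because the Secret name is fixed, a second issuer with `acme_provider == "zerossl"` would silently overwrite the first one's key — if more than one is expected, derive the name from `item.name` and reference the same name from the template. `authentification` in the task name is a typo for `authentication`, copied from the sibling task below.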
diff --git a/templates/clusterissuer.yml.j2 b/templates/clusterissuer.yml.j2 index 561021a..d3d7d00 100644 --- a/templates/clusterissuer.yml.j2 +++ b/templates/clusterissuer.yml.j2 @@ -7,21 +7,27 @@ spec: {% if item.acme_provider is defined %} acme: {% if item.acme_provider == "letsencrypt" %} - email: "{{ cert_manager_acme_email }}" + email: "{{ item.email }}" server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: {{ item.name }}-account-key +{% elif item.acme_provider == "buypass"%} + email: "{{ item.email }}" + server: https://api.buypass.com/acme/directory + privateKeySecretRef: + name: {{ item.name }}-account-key {% elif item.acme_provider == "zerossl" %} + email: "{{ item.email }}" server: https://acme.zerossl.com/v2/DV90 externalAccountBinding: - keyID: YOUR_EAB_KID + keyID: {{ item.zerossl_eab_key_id }} keySecretRef: name: zero-sll-eabsecret key: secret keyAlgorithm: HS256 # Name of a secret used to store the ACME account private key privateKeySecretRef: - name: {{ item.name }}-prod + name: {{ item.name }}-account-key {% endif %} solvers: @@ -58,10 +64,12 @@ spec: ingress: class: traefik {% endif %} -{% if i.domain is defined %} +{% if i.domains is defined %} selector: dnsZones: - - "{{ i.domain }}" +{% for j in i.domains %} + - "{{ j }}" +{% endfor %} {% endif %} {% endfor %} {% else %}
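Review bot: `keyID: {{ item.zerossl_eab_key_id }}` is rendered unquoted, so a key ID consisting only of digits becomes a YAML integer and fails validation against the CRD, which types `keyID` as a string; write `keyID: "{{ item.zerossl_eab_key_id }}"` as the `email` line above already does. The context line `name: zero-sll-eabsecret` does not match the `zero-ssl-eabsecret` Secret created in `tasks/main.yml`, so the EAB reference dangles until one side is renamed. Changing the zerossl `privateKeySecretRef` from `{{ item.name }}-prod` to `{{ item.name }}-account-key` means an issuer already deployed under the old name will register a fresh ACME account instead of reusing its key — fine for new installs, but worth a changelog note for in-place upgrades. `{% elif item.acme_provider == "buypass"%}` is missing the space before `%}` that the other tags have, and replacing `cert_manager_acme_email` with `item.email` makes `email` a required per-issuer field that should be documented in the role's defaults or README (presumably outside this diff).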