Add buuypass & zerossl providers

This commit is contained in:
Adrien Reslinger 2024-10-08 23:57:28 +02:00
parent 8b19bad103
commit a12f5ea60e
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
4 changed files with 61 additions and 25 deletions


@ -1,5 +1,14 @@
- name: Cert Manager setup - name: Cert Manager setup
block: block:
- name: Deploy Cert-Manager CRD
kubernetes.core.k8s:
state: "present"
context: "{{ my_context }}"
namespace: "{{ cert_manager_namespace }}"
apply: yes
definition:
"{{ lookup('url', 'https://github.com/cert-manager/cert-manager/releases/download/v' + certmanager_version + '/cert-manager.crds.yaml', split_lines=False) | from_yaml_all }}"
- name: Defined jetstack repository - name: Defined jetstack repository
kubernetes.core.helm_repository: kubernetes.core.helm_repository:
name: jetstack name: jetstack
@ -14,7 +23,7 @@
create_namespace: true create_namespace: true
release_namespace: "{{ cert_manager_namespace }}" release_namespace: "{{ cert_manager_namespace }}"
values: values:
installCRDs: true installCRDs: false
# global: # global:
# podSecurityPolicy: # podSecurityPolicy:
# enabled: true # enabled: true
@ -23,6 +32,7 @@
- --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
# https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh # https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh
# https://github.com/aureq/cert-manager-webhook-ovh ?
- name: Install OVH webhook - name: Install OVH webhook
block: block:
- name: Git clone stable repo on HEAD - name: Git clone stable repo on HEAD
@ -30,6 +40,7 @@
repo: "https://github.com/baarde/cert-manager-webhook-ovh.git" repo: "https://github.com/baarde/cert-manager-webhook-ovh.git"
dest: tmp/cert-manager-webhook-ovh dest: tmp/cert-manager-webhook-ovh
# groupname devrait avoir une valeur type {{ item.solvers.consumerKey }}
- name: Deploy OVH webhook chart from local path - name: Deploy OVH webhook chart from local path
run_once: true run_once: true
kubernetes.core.helm: kubernetes.core.helm:
@ -39,28 +50,25 @@
chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
release_namespace: "{{ cert_manager_namespace }}" release_namespace: "{{ cert_manager_namespace }}"
values: values:
# groupName: '{{ cert_manager_issuer | selectattr("provider", "match", "ovh") | first }}' # groupName: '{{ cert_manager_issuer | selectattr("dns_provider", "match", "ovh") | first }}'
groupName: '{{ cert_manager_issuer | json_query(\"[?provider=="ovh"]\") | first }}' groupName: '{{ cert_manager_issuer | json_query(\"[?dns_provider=="ovh"]\") | first }}'
# with_items: # with_items:
# - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}" # - "{{ cert_manager_issuer | selectattr('ovh', 'in', dns_provider) }}"
# when: # when:
# - item.provider == "ovh" # - item.provider == "ovh"
- name: OVH WebHook dependency - name: OVH WebHook RBAC
kubernetes.core.k8s: kubernetes.core.k8s:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
apply: true apply: true
namespace: "{{ cert_manager_namespace }}" namespace: "{{ cert_manager_namespace }}"
resource_definition: "{{ lookup('template', item) | from_yaml }}" resource_definition: "{{ lookup('template', 'cert-manager-webhook-ovh-rbac.yml.j2') | from_yaml_all }}"
with_items:
- cert-manager-webhook-ovh-Role.yml.j2
- cert-manager-webhook-ovh-RoleBinding.yml.j2
when: when:
- false - false
- cert_manager_issuer is defined - cert_manager_issuer is defined
- cert_manager_issuer.[].provider == "ovh" - cert_manager_issuer.[].dns_provider == "ovh"
# https://smallstep.com/ # https://smallstep.com/
# https://github.com/smallstep/step-issuer # https://github.com/smallstep/step-issuer
@ -105,6 +113,26 @@
- name: Add ClusterIssuers - name: Add ClusterIssuers
block: block:
- name: Create Secret object for ZeroSSL API Key authentification
kubernetes.core.k8s:
state: present
context: "{{ my_context }}"
apply: true
namespace: "{{ cert_manager_namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: zero-ssl-eabsecret
data:
secret: "{{ item.zerossl_eab_hmac_key | b64encode }}"
with_items:
- "{{ cert_manager_issuer }}"
# - "{{ cert_manager_issuer | json_query(\"solvers.[?solver=="dns01"]\") }}"
when:
- item.acme_provider is defined
- item.acme_provider == "zerossl"
- name: Create Secret object for API Key authentification - name: Create Secret object for API Key authentification
kubernetes.core.k8s: kubernetes.core.k8s:
state: present state: present
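Review bot: The ZeroSSL Secret task in the last hunk creates the object as `name: zero-ssl-eabsecret`, while the ClusterIssuer template changed in this same commit references `keySecretRef.name: zero-sll-eabsecret`, so the EAB lookup will fail at runtime; the template line should read `name: zero-ssl-eabsecret` (or the playbook name should be changed to match). The task also loops over every entry of `cert_manager_issuer` but always writes that one fixed name, so two ZeroSSL issuers would overwrite each other's HMAC key; deriving it from the item (for example `name: "{{ item.name }}-eabsecret"`) and using the same expression in the template avoids that. Because `item.zerossl_eab_hmac_key` is rendered into the task's `definition`, add `no_log: true` to the task so the key is not echoed in verbose or failure output. The CRD manifest pulled by `lookup('url', ...)` in the first hunk is applied to the cluster with no integrity check beyond TLS; vendoring the file or verifying a checksum for the pinned `certmanager_version` would make the bootstrap reproducible, and `apply: yes` there would read more consistently as `apply: true` like the other tasks.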


@ -1,10 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-ovh:secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["ovh-api-key"]
verbs: ["get", "watch"]


@ -1,5 +1,15 @@
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-ovh:secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["ovh-api-key"]
verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cert-manager-webhook-ovh:secret-reader name: cert-manager-webhook-ovh:secret-reader


@ -7,21 +7,27 @@ spec:
{% if item.acme_provider is defined %} {% if item.acme_provider is defined %}
acme: acme:
{% if item.acme_provider == "letsencrypt" %} {% if item.acme_provider == "letsencrypt" %}
email: "{{ cert_manager_acme_email }}" email: "{{ item.email }}"
server: https://acme-v02.api.letsencrypt.org/directory server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef: privateKeySecretRef:
name: {{ item.name }}-account-key name: {{ item.name }}-account-key
{% elif item.acme_provider == "buypass"%}
email: "{{ item.email }}"
server: https://api.buypass.com/acme/directory
privateKeySecretRef:
name: {{ item.name }}-account-key
{% elif item.acme_provider == "zerossl" %} {% elif item.acme_provider == "zerossl" %}
email: "{{ item.email }}"
server: https://acme.zerossl.com/v2/DV90 server: https://acme.zerossl.com/v2/DV90
externalAccountBinding: externalAccountBinding:
keyID: YOUR_EAB_KID keyID: {{ item.zerossl_eab_key_id }}
keySecretRef: keySecretRef:
name: zero-sll-eabsecret name: zero-sll-eabsecret
key: secret key: secret
keyAlgorithm: HS256 keyAlgorithm: HS256
# Name of a secret used to store the ACME account private key # Name of a secret used to store the ACME account private key
privateKeySecretRef: privateKeySecretRef:
name: {{ item.name }}-prod name: {{ item.name }}-account-key
{% endif %} {% endif %}
solvers: solvers:
@ -58,10 +64,12 @@ spec:
ingress: ingress:
class: traefik class: traefik
{% endif %} {% endif %}
{% if i.domain is defined %} {% if i.domains is defined %}
selector: selector:
dnsZones: dnsZones:
- "{{ i.domain }}" {% for j in i.domains %}
- "{{ j }}"
{% endfor %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% else %} {% else %}
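Review bot: `keyID: {{ item.zerossl_eab_key_id }}` in the first hunk is rendered unquoted, so an all-digit or otherwise number-like key ID would be retyped by the YAML parser when the ClusterIssuer manifest is loaded; write it as `keyID: "{{ item.zerossl_eab_key_id }}"`, as the neighbouring `email` lines already do. In the same hunk the new `buypass` branch duplicates the `letsencrypt` branch except for the `server` URL, so a small per-provider mapping of directory URLs with one shared `email`/`privateKeySecretRef` stanza would remove the repeated block. `{% elif item.acme_provider == "buypass"%}` is also missing the space before `%}` that the sibling conditionals use. The `{% for %}`/`{% if %}` blocks enclosing the second hunk start before and end after the visible lines.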