Use helm chart & generate secret and clusterissuer

defaults/main.yml

@@ -1,9 +1,6 @@
 my_context: local
 ingress_domain: "local"
-#ingress_whitelist:
-#  - 10.96.0.0/12
-#  - 10.244.0.0/16
-#  - 192.168.140.0/24
+cert_manager_namespace: "cert-manager"
 
 certmanager_csi: true
-certmanager_version: "1.0"
+certmanager_version: "1.1"

tasks/main.yml

@@ -1,58 +1,51 @@
 - name: Cert Manager setup
   block:
-  - name: namespace
-    k8s:
+  - name: Defined jetstack repository
+    community.kubernetes.helm_repository:
+      name: jetstack
+      repo_url: "https://charts.jetstack.io"
+
+  - name: Deploy latest version of Cert-Manager
+    community.kubernetes.helm:
       context: "{{ my_context }}"
+      name: cert-manager
+      chart_ref: jetstack/cert-manager
+      create_namespace: yes
+      release_namespace: "{{ cert_manager_namespace }}"
+      values:
+        installCRDs: true
+        global:
+          podSecurityPolicy:
+            enabled: true
+            useAppArmor: false
+
+  - name: Create Secret object for API Key authentification
+    k8s:
       state: present
-      name: cert-manager
-      api_version: v1
-      kind: Namespace
-
-  - name: Get Deployment information object
-    k8s_info:
       context: "{{ my_context }}"
-      api_version: v1
-      kind: Deployment
-      name: cert-manager
-      namespace: cert-manager
-      field_selectors:
-        - spec.template.spec.containers.image
-    register: certmanager_actual_resources
-
-  - name: Retreive actual cert-manager version
-    shell: >
-      echo "{{ certmanager_actual_resources.resources }}" |
-      sed -e "s/.*cert-manager-controller:v\([.0-9]*\).*/\1/" -e 's/\([0-9]*\.[0-9]*\)\.[0-9]*/\1/' |
-      uniq
-    register: certmanager_actual_version
-
-  - name: Use a short variable name
-    set_fact:
-      certmanager_actual_version: "{{ certmanager_actual_version.stdout }}"
-      certmanager_upgraded: false
-
-  - name: Include upgrade task
-    include_tasks: "upgrade.yml"
+      apply: true
+      namespace: "{{ cert_manager_namespace }}"
+      resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}"
     when:
-      - not certmanager_actual_version == "[]"
-      - not certmanager_version == certmanager_actual_version
-
-
-  - name: Include vars for version {{ certmanager_version }}
-    include_vars: "files_list_{{ certmanager_version }}.yml"
-
-  - name: Install Cert Manager files version {{ certmanager_version }}
-    k8s:
-      state: "present"
-      context: "{{ my_context }}"
-#      merge_type: ['strategic-merge', 'merge']
-      apply: yes
-      force: yes
-      resource_definition: "{{ lookup('template', item) | from_yaml }}"
+      - cert_manager_issuer is defined
     with_items:
-      - "{{ lookup('vars', 'certmanager_' + certmanager_version + '_list') }}"
+      - "{{ cert_manager_issuer }}"
+
+  - name: Defined ClusterIssuers
+    k8s:
+      state: present
+      context: "{{ my_context }}"
+      apply: true
+      namespace: "{{ cert_manager_namespace }}"
+      resource_definition: "{{ lookup('template', item) | from_yaml }}"
+#    debug:
+#      msg: "{{ lookup('template', item) | from_yaml }}"
+    with_items:
+      - clusterissuer.yml.j2
     when:
-      - not certmanager_upgraded|bool
+#      - false
+      - cert_manager_issuer is defined
+
   tags: cert-manager
 
 

templates/api-key-secret.yml.j2

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ item.provider }}-api-key"
+type: Opaque
+data:
+{% if item.provider == "cloudflare" %}
+  api-key: "{{ item.api_key | b64encode }}"
+{% elif item.provider == "route53" %}
+  secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}"
+{% elif item.provider == "ovh" %}
+  applicationSecret='4YHU8g4zsg7Id'
+{% endif %}

templates/clusterissuer.yml.j2

@@ -0,0 +1,44 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: "{{ cert_manager_acme_email }}"
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+
+    solvers:
+{% for i in cert_manager_issuer %}
+    - selector:
+        dnsZones:
+          - "{{ i.domain }}"
+      {{ i.solver }}:
+{% if i.provider == "cloudflare" %}
+        cloudflare:
+          email: "{{ i.email }}"
+          apiKeySecretRef:
+            name: cloudflare-api-key
+            key: api-key
+{% elif i.provider == "route53" %}
+        route53:
+            region: us-west-3
+            hostedZoneID: {{ route53_hostzoneid_exemplecom }}
+            accessKeyID: {{ route53_access_key }}
+            secretAccessKeySecretRef:
+              name: route53-api-key
+              key: secret-access-key
+{% elif i.provider == "ovh" %}
+        webhook:
+          groupName: 'acme.example.io'
+          solverName: ovh
+          config:
+            endpoint: ovh-eu
+            applicationKey: 'qdhYTYsd546Ssg5'
+            applicationSecretRef:
+              name: ovh-api-key
+              key: applicationSecret
+            consumerKey: 'vjdshGFDGShjusqqee4543dsjfndsjgf'
+{% endif %}
+{% endfor %}