Use helm chart & generate secret and clusterissuer

Adrien Reslinger 2021-02-09 01:09:56 +01:00
parent 313ab00ee3
commit bf52c924b8
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
4 changed files with 100 additions and 52 deletions


@ -1,9 +1,6 @@
my_context: local my_context: local
ingress_domain: "local" ingress_domain: "local"
#ingress_whitelist: cert_manager_namespace: "cert-manager"
# - 10.96.0.0/12
# - 10.244.0.0/16
# - 192.168.140.0/24
certmanager_csi: true certmanager_csi: true
certmanager_version: "1.0" certmanager_version: "1.1"


@ -1,58 +1,51 @@
- name: Cert Manager setup - name: Cert Manager setup
block: block:
- name: namespace - name: Defined jetstack repository
k8s: community.kubernetes.helm_repository:
name: jetstack
repo_url: "https://charts.jetstack.io"
- name: Deploy latest version of Cert-Manager
community.kubernetes.helm:
context: "{{ my_context }}" context: "{{ my_context }}"
name: cert-manager
chart_ref: jetstack/cert-manager
create_namespace: yes
release_namespace: "{{ cert_manager_namespace }}"
values:
installCRDs: true
global:
podSecurityPolicy:
enabled: true
useAppArmor: false
- name: Create Secret object for API Key authentification
k8s:
state: present state: present
name: cert-manager
api_version: v1
kind: Namespace
- name: Get Deployment information object
k8s_info:
context: "{{ my_context }}" context: "{{ my_context }}"
api_version: v1 apply: true
kind: Deployment namespace: "{{ cert_manager_namespace }}"
name: cert-manager resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}"
namespace: cert-manager
field_selectors:
- spec.template.spec.containers.image
register: certmanager_actual_resources
- name: Retreive actual cert-manager version
shell: >
echo "{{ certmanager_actual_resources.resources }}" |
sed -e "s/.*cert-manager-controller:v\([.0-9]*\).*/\1/" -e 's/\([0-9]*\.[0-9]*\)\.[0-9]*/\1/' |
uniq
register: certmanager_actual_version
- name: Use a short variable name
set_fact:
certmanager_actual_version: "{{ certmanager_actual_version.stdout }}"
certmanager_upgraded: false
- name: Include upgrade task
include_tasks: "upgrade.yml"
when: when:
- not certmanager_actual_version == "[]" - cert_manager_issuer is defined
- not certmanager_version == certmanager_actual_version
- name: Include vars for version {{ certmanager_version }}
include_vars: "files_list_{{ certmanager_version }}.yml"
- name: Install Cert Manager files version {{ certmanager_version }}
k8s:
state: "present"
context: "{{ my_context }}"
# merge_type: ['strategic-merge', 'merge']
apply: yes
force: yes
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items: with_items:
- "{{ lookup('vars', 'certmanager_' + certmanager_version + '_list') }}" - "{{ cert_manager_issuer }}"
- name: Defined ClusterIssuers
k8s:
state: present
context: "{{ my_context }}"
apply: true
namespace: "{{ cert_manager_namespace }}"
resource_definition: "{{ lookup('template', item) | from_yaml }}"
# debug:
# msg: "{{ lookup('template', item) | from_yaml }}"
with_items:
- clusterissuer.yml.j2
when: when:
- not certmanager_upgraded|bool # - false
- cert_manager_issuer is defined
tags: cert-manager tags: cert-manager
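Review bot: The task `Create Secret object for API Key authentification` feeds `item.api_key` through `api-key-secret.yml.j2` into `resource_definition` but has no `no_log: true`, so a verbose run or a failure on that task prints the base64-encoded credential into the Ansible output; add `no_log: true` to that task, and since it loops over every entry of `cert_manager_issuer`, every provider's key passes through it. The Helm task is titled "Deploy latest version" and sets no `chart_version`, so each run installs whatever `jetstack/cert-manager` currently publishes; the vars file in this commit bumps `certmanager_version` to "1.1" but nothing visible here consumes it, so pin the release with `chart_version:` derived from that variable (a full chart tag, not the two-part string). The rendered view merges old and new text on the same lines, so I cannot confirm from here which tasks the `when: cert_manager_issuer is defined` guards actually attach to; worth a second look in the raw file. Minor: "authentification" in the task name should read "authentication".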


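--- /dev/null
+++ b/api-key-secret.yml.j2
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: "{{ item.provider }}-api-key"
+type: Opaque
+data:
+{% if item.provider == "cloudflare" %}
+api-key: "{{ item.api_key | b64encode }}"
+{% elif item.provider == "route53" %}
+secret-access-key: "{{ lookup('hashi_vault', 'secret=clusters/route53:secret-access-key') | b64encode }}"
+{% elif item.provider == "ovh" %}
+applicationSecret='4YHU8g4zsg7Id'
+{% endif %}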
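Review bot: The `ovh` branch emits `applicationSecret='4YHU8g4zsg7Id'`, a credential committed in clear to a signed commit, and it is not in the `key: <base64>` form the cloudflare and route53 branches use, so under `data:` it is neither a valid mapping entry nor base64 and the Secret will not apply. Treat that value as compromised and rotate it, then render it from a variable like the cloudflare branch does, e.g. `applicationSecret: "{{ item.application_secret | b64encode }}"` (or from the same `hashi_vault` lookup path style the route53 branch uses), with the plaintext kept in Vault or an ansible-vault file rather than the template. The `clusterissuer.yml.j2` added in the same commit likewise inlines `applicationKey` and `consumerKey` literals for OVH, which belong in that same secret store. Note also that `metadata.name` is `{{ item.provider }}-api-key`, so two entries in `cert_manager_issuer` with the same provider render Secrets with the same name and the later `apply` silently overwrites the earlier one.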


@ -0,0 +1,44 @@
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: "{{ cert_manager_acme_email }}"
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod-account-key
solvers:
{% for i in cert_manager_issuer %}
- selector:
dnsZones:
- "{{ i.domain }}"
{{ i.solver }}:
{% if i.provider == "cloudflare" %}
cloudflare:
email: "{{ i.email }}"
apiKeySecretRef:
name: cloudflare-api-key
key: api-key
{% elif i.provider == "route53" %}
route53:
region: us-west-3
hostedZoneID: {{ route53_hostzoneid_exemplecom }}
accessKeyID: {{ route53_access_key }}
secretAccessKeySecretRef:
name: route53-api-key
key: secret-access-key
{% elif i.provider == "ovh" %}
webhook:
groupName: 'acme.example.io'
solverName: ovh
config:
endpoint: ovh-eu
applicationKey: 'qdhYTYsd546Ssg5'
applicationSecretRef:
name: ovh-api-key
key: applicationSecret
consumerKey: 'vjdshGFDGShjusqqee4543dsjfndsjgf'
{% endif %}
{% endfor %}