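---
# Installs cert-manager into `cert_manager_namespace` on the kube context
# `my_context`: CRDs first, then the Helm chart, then (currently disabled)
# DNS01/CA webhooks, then the Secrets and ClusterIssuers described by the
# `cert_manager_issuer` list.
#
# Required vars: my_context, cert_manager_namespace, certmanager_version
# Optional vars: cert_manager_issuer (list of issuer mappings),
#                certmanager_dns01_recursive_nameservers,
#                ovh_webhook_git_version,
#                step_certificates_chart_version, step_issuer_chart_version
- name: Cert Manager setup
  tags: cert-manager
  block:
    # CRDs are applied here rather than by the chart (installCRDs: false
    # below); both are pinned to the same certmanager_version so they never
    # drift apart on upgrade.
    # NOTE(review): the manifest is downloaded from GitHub on the controller at
    # run time and applied with no checksum or signature verification — the only
    # integrity guarantee is TLS to github.com. For a sensitive cluster, vendor
    # the CRD file into the role or verify it out of band before applying.
    - name: Deploy Cert-Manager CRD
      kubernetes.core.k8s:
        state: present
        context: "{{ my_context }}"
        namespace: "{{ cert_manager_namespace }}"
        apply: true
        definition: "{{ lookup('url', 'https://github.com/cert-manager/cert-manager/releases/download/v' + certmanager_version + '/cert-manager.crds.yaml', split_lines=False) | from_yaml_all }}"

    # Chart repository (local helm config, no cluster context needed). The CSI
    # driver task further down also relies on this repo being registered.
    - name: Defined jetstack repository
      kubernetes.core.helm_repository:
        name: jetstack
        repo_url: "https://charts.jetstack.io"

    # Chart is pinned to certmanager_version (same as the CRDs above), so this
    # is not "latest" in the floating sense.
    - name: Deploy Cert-Manager chart
      kubernetes.core.helm:
        context: "{{ my_context }}"
        name: cert-manager
        chart_ref: jetstack/cert-manager
        chart_version: "{{ certmanager_version }}"
        create_namespace: true
        release_namespace: "{{ cert_manager_namespace }}"
        values:
          # CRDs are owned by the "Deploy Cert-Manager CRD" task, not the chart.
          installCRDs: false
          # global:
          #   podSecurityPolicy:
          #     enabled: true
          #     useAppArmor: false
          extraArgs:
            # Recursive resolvers used by the ACME DNS01 self-check. The default
            # sends plain-DNS queries to public resolvers, i.e. the check leaves
            # the cluster; set certmanager_dns01_recursive_nameservers to use
            # internal resolvers instead. If egress to authoritative nameservers
            # is blocked, cert-manager may additionally need
            # --dns01-recursive-nameservers-only — TODO confirm against the
            # controller flags for the deployed version.
            - "--dns01-recursive-nameservers={{ certmanager_dns01_recursive_nameservers | default('8.8.8.8:53,1.1.1.1:53') }}"

    # https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh
    # https://github.com/aureq/cert-manager-webhook-ovh ?
    # Work in progress: the whole block is skipped by the leading `false` in
    # its `when` list.
    - name: Install OVH webhook
      block:
        # Supply-chain note: this clones a third-party repository and deploys
        # the chart straight from the working tree. Set ovh_webhook_git_version
        # to a commit SHA or tag to pin it; the default keeps the original
        # "follow HEAD" behaviour. `dest` is relative to the controller's cwd.
        - name: Git clone stable repo on HEAD
          ansible.builtin.git:
            repo: "https://github.com/baarde/cert-manager-webhook-ovh.git"
            dest: tmp/cert-manager-webhook-ovh
            version: "{{ ovh_webhook_git_version | default('HEAD') }}"

        # Original note (translated): groupName should take a value such as
        # {{ item.solvers.consumerKey }}.
        # NOTE(review): by cert-manager webhook convention groupName is the API
        # group the webhook registers under (an `acme.<domain>`-style name that
        # is visible cluster-wide), so it must not carry a credential such as
        # the OVH consumerKey — confirm against the chart's values.yaml.
        - name: Deploy OVH webhook chart from local path
          run_once: true
          kubernetes.core.helm:
            state: present
            context: "{{ my_context }}"
            name: cert-manager-webhook-ovh
            chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
            release_namespace: "{{ cert_manager_namespace }}"
            values:
              # groupName: '{{ cert_manager_issuer | selectattr("dns_provider", "match", "ovh") | first }}'
              # The original expression escaped quotes with backslashes inside a
              # single-quoted YAML scalar, which Jinja rejects. This form renders,
              # but still yields the whole issuer mapping, not a string — pick the
              # key that holds the API group once the issuer schema is settled.
              groupName: "{{ cert_manager_issuer | selectattr('dns_provider', 'defined') | selectattr('dns_provider', 'equalto', 'ovh') | first }}"
          # with_items:
          #   - "{{ cert_manager_issuer | selectattr('ovh', 'in', dns_provider) }}"
          # when:
          #   - item.provider == "ovh"

        # RBAC for the webhook; the template is not part of this file, so its
        # contents (and whether it is least-privilege) cannot be reviewed here.
        - name: OVH WebHook RBAC
          kubernetes.core.k8s:
            state: present
            context: "{{ my_context }}"
            apply: true
            namespace: "{{ cert_manager_namespace }}"
            resource_definition: "{{ lookup('template', 'cert-manager-webhook-ovh-rbac.yml.j2') | from_yaml_all }}"
      when:
        # Hard gate: remove this line to enable the block.
        - false
        - cert_manager_issuer is defined
        # "at least one issuer uses the OVH DNS provider". The original used
        # JMESPath `.[]` syntax here, which is not valid in a Jinja condition.
        - cert_manager_issuer | selectattr('dns_provider', 'defined') | selectattr('dns_provider', 'equalto', 'ovh') | list | length > 0

    # https://smallstep.com/
    # https://github.com/smallstep/step-issuer
    # Work in progress: skipped by the leading `false` in its `when` list.
    - name: Install Step webhook
      block:
        # - name: SmallStep PVC
        #   kubernetes.core.k8s:
        #     state: present
        #     context: "{{ my_context }}"
        #     namespace: "cert-manager"
        #     resource_definition: "{{ lookup('template', 'smallstep-pvc.yml.j2') | from_yaml }}"
        - name: Defined smallstep repository
          kubernetes.core.helm_repository:
            name: smallstep
            repo_url: "https://smallstep.github.io/helm-charts/"

        # https://github.com/smallstep/step-issuer
        # No chart_version was pinned originally; set step_certificates_chart_version
        # to pin, otherwise the repo's latest chart is installed (as before).
        - name: Deploy step-certificates chart
          kubernetes.core.helm:
            state: present
            name: step-certificates
            context: "{{ my_context }}"
            chart_ref: smallstep/step-certificates
            chart_version: "{{ step_certificates_chart_version | default(omit) }}"
            release_namespace: "{{ cert_manager_namespace }}"
            # values:
            #   ca:
            #     provisioner:
            #       name: "admin"
            #   db:
            #     existingClaim: smallstep

        # https://github.com/smallstep/helm-charts/tree/master/step-issuer
        # (Renamed: this task was a duplicate of the step-certificates name.)
        - name: Deploy step-issuer chart
          kubernetes.core.helm:
            state: present
            name: step-issuer
            context: "{{ my_context }}"
            chart_ref: smallstep/step-issuer
            chart_version: "{{ step_issuer_chart_version | default(omit) }}"
            release_namespace: "{{ cert_manager_namespace }}"
      when:
        # Hard gate: remove this line to enable the block.
        - false
        - cert_manager_issuer is defined
        # "at least one issuer uses the step provider" (Jinja form of the
        # original `.[]` expression).
        - cert_manager_issuer | selectattr('provider', 'defined') | selectattr('provider', 'equalto', 'step') | list | length > 0

    - name: Add ClusterIssuers
      block:
        # The EAB HMAC key is secret material coming from inventory/vars:
        # keep it in Ansible Vault and never let it reach the task output —
        # hence no_log. The Secret name is fixed, so if several issuers use
        # zerossl the last one wins (they all write zero-ssl-eabsecret).
        - name: Create Secret object for ZeroSSL API Key authentification
          no_log: true
          kubernetes.core.k8s:
            state: present
            context: "{{ my_context }}"
            apply: true
            namespace: "{{ cert_manager_namespace }}"
            definition:
              apiVersion: v1
              kind: Secret
              metadata:
                name: zero-ssl-eabsecret
              data:
                secret: "{{ item.zerossl_eab_hmac_key | b64encode }}"
          with_items:
            - "{{ cert_manager_issuer }}"
            # - "{{ cert_manager_issuer | json_query(\"solvers.[?solver=="dns01"]\") }}"
          when:
            - item.acme_provider is defined
            - item.acme_provider == "zerossl"

        # DNS provider API keys, rendered from api-key-secret.yml.j2 (not
        # visible here). no_log keeps the rendered Secret and the loop item
        # (which presumably carries the key) out of logs and diffs.
        - name: Create Secret object for API Key authentification
          no_log: true
          kubernetes.core.k8s:
            state: present
            context: "{{ my_context }}"
            apply: true
            namespace: "{{ cert_manager_namespace }}"
            resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml_all }}"
          with_items:
            - "{{ cert_manager_issuer }}"
            # - "{{ cert_manager_issuer | json_query(\"solvers.[?solver=="dns01"]\") }}"
          when:
            - item.acme_provider is defined
            - item.solvers is defined
            # - item.solvers.[].solver == "dns01"
            # - item.solvers.[].dns_provider is defined

        # TODO: temporary (original note: "Tempo ici")

        # ClusterIssuer is cluster-scoped, so `namespace` here is ignored by the
        # API server; the Secrets above must live in the namespace cert-manager
        # treats as its cluster resource namespace (cert_manager_namespace).
        - name: Defined ClusterIssuers
          kubernetes.core.k8s:
            state: present
            context: "{{ my_context }}"
            apply: true
            namespace: "{{ cert_manager_namespace }}"
            resource_definition: "{{ lookup('template', 'clusterissuer.yml.j2') | from_yaml }}"
          # debug:
          #   msg: "{{ lookup('template', item) | from_yaml }}"
          with_items:
            - "{{ cert_manager_issuer }}"
      when:
        - cert_manager_issuer is defined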
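# https://github.com/cert-manager/csi-driver/tree/main/deploy/charts/csi-driver
# Installs the cert-manager CSI driver chart, pinned to certmanager_csi_version.
# NOTE: despite the task name this only installs — `state` is present and the
# `when` skips the task entirely when certmanager_csi is false, so a driver that
# was installed earlier is never removed. To really uninstall, drop the `when`
# and use `state: "{{ 'present' if certmanager_csi | bool else 'absent' }}"`.
# The chart_ref needs the jetstack repo registered by the "Cert Manager setup"
# task (tag cert-manager); running with `--tags storage` alone will not find it.
# certmanager_csi must be defined: an undefined value fails the `when`.
- name: install / uninstall Cert-Manager CSI Kubernetes drivers
  kubernetes.core.helm:
    state: present
    context: "{{ my_context }}"
    name: cert-manager-csi-driver
    chart_ref: jetstack/cert-manager-csi-driver
    chart_version: "{{ certmanager_csi_version }}"
    create_namespace: true
    release_namespace: "{{ cert_manager_namespace }}"
  when:
    - certmanager_csi | bool
  tags:
    - cert-manager
    - storage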