ansible-role-k8s-cert-manager/templates/clusterissuer.yml.j2


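---
{#
  One ClusterIssuer per entry of the role's issuer list (`item`).

  item.name                ClusterIssuer name; also prefixes the ACME account-key Secret
  item.acme_provider       "letsencrypt" | "buypass" | "zerossl"; when undefined the
                           issuer is selfSigned and every other item.* key is ignored
  item.acme_server         optional ACME directory URL override (e.g. the Let's Encrypt
                           staging directory while testing, to stay clear of rate limits)
  item.email               ACME account contact address
  item.zerossl_eab_key_id  ZeroSSL external-account-binding key id (zerossl only)
  item.zerossl_eab_secret  name of the Secret holding the EAB HMAC key under key "secret"
                           (zerossl only; default keeps the historical "zero-sll-eabsecret")
  item.solvers             list of solver dicts, each with `solver: dns01|http01`, an
                           optional `domains` list (rendered as a dnsZones selector) and,
                           for dns01, `dns_provider: cloudflare|route53|ovh` plus the
                           provider settings documented inline below

  Every provider except OVH is rendered with Secret *references* only; the OVH webhook
  takes applicationKey and consumerKey in clear text in the issuer spec. ClusterIssuers
  are cluster-scoped, so whatever is in this spec is readable by any principal allowed
  to get clusterissuers - keep such values in a Secret wherever the provider allows it.
#}
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: "{{ item.name }}"
spec:
{% if item.acme_provider is defined %}
  acme:
    email: "{{ item.email }}"
{% if item.acme_provider == "letsencrypt" %}
    server: "{{ item.acme_server | default('https://acme-v02.api.letsencrypt.org/directory') }}"
{% elif item.acme_provider == "buypass" %}
    server: "{{ item.acme_server | default('https://api.buypass.com/acme/directory') }}"
{% elif item.acme_provider == "zerossl" %}
    server: "{{ item.acme_server | default('https://acme.zerossl.com/v2/DV90') }}"
    # ZeroSSL binds the ACME account to an existing ZeroSSL account: the key id is
    # not secret, the HMAC key is only referenced from a Secret.
    externalAccountBinding:
      keyID: "{{ item.zerossl_eab_key_id }}"
      keySecretRef:
        name: "{{ item.zerossl_eab_secret | default('zero-sll-eabsecret') }}"
        key: secret
      keyAlgorithm: HS256
{% endif %}
    # Secret in which cert-manager stores the ACME account private key.
    privateKeySecretRef:
      name: "{{ item.name }}-account-key"
    solvers:
{% for s in item.solvers %}
      - {{ s.solver }}:
{% if s.solver == "dns01" %}
{% if s.dns_provider == "cloudflare" %}
          cloudflare:
{% if s.cloudflare_api_token_secret is defined %}
            # Scoped API token (Zone:DNS:Edit on the relevant zones only) - preferred.
            apiTokenSecretRef:
              name: "{{ s.cloudflare_api_token_secret }}"
              key: "{{ s.cloudflare_api_token_key | default('api-token') }}"
{% else %}
            # Legacy Global API Key: it grants full account access, so a compromised
            # cert-manager namespace exposes the whole Cloudflare account. Set
            # s.cloudflare_api_token_secret to use a scoped token instead.
            email: "{{ s.cloudflare_email }}"
            apiKeySecretRef:
              name: cloudflare-api-key
              key: api-key
{% endif %}
{% elif s.dns_provider == "route53" %}
          route53:
            # NOTE(review): the historical default "us-west-3" does not look like an
            # AWS region (us-west-1 / us-west-2 exist) - set s.region and confirm.
            region: "{{ s.region | default('us-west-3') }}"
            # Prefer the per-solver zone id; the global route53_hostzoneid_exemplecom
            # is kept only as a legacy fallback.
            hostedZoneID: "{{ s.hosted_zone_id | default(route53_hostzoneid_exemplecom) }}"
{% if s.access_key_id is defined or route53_access_key is defined %}
            # Static IAM user credentials. Leave both s.access_key_id and the global
            # route53_access_key unset to let cert-manager use ambient credentials
            # (IRSA / instance role) and keep long-lived keys out of the cluster.
            accessKeyID: "{{ s.access_key_id | default(route53_access_key) }}"
            secretAccessKeySecretRef:
              name: route53-api-key
              key: secret-access-key
{% endif %}
{% elif s.dns_provider == "ovh" %}
          webhook:
            # groupName must be the API group the OVH webhook was deployed with (its
            # APIService), not a credential. NOTE(review): the historical default
            # reuses consumerKey here, which looks wrong - set s.groupName explicitly.
            groupName: "{{ s.groupName | default(s.consumerKey) }}"
            solverName: ovh
            config:
              endpoint: "{{ s.endpoint | default('ovh-eu') }}"
              # applicationKey and consumerKey land in the issuer spec in clear text;
              # only applicationSecret is read from a Secret.
              applicationKey: "{{ s.applicationKey }}"
              applicationSecretRef:
                name: ovh-api-key
                key: applicationSecret
              consumerKey: "{{ s.consumerKey }}"
{% endif %}
{% elif s.solver == "http01" %}
          ingress:
            class: "{{ s.ingress_class | default('traefik') }}"
{% endif %}
{% if s.domains is defined %}
        # Restrict this solver to the listed DNS zones.
        selector:
          dnsZones:
{% for zone in s.domains %}
            - "{{ zone }}"
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
  # No ACME provider configured: issue self-signed certificates.
  selfSigned: {}
{% endif %}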