cert issuer and ingress controller

2022-12-09 21:26:01 +13:00
parent b352a796e0
commit a86cb26010
42 changed files with 38535 additions and 56 deletions
--- a/ansible/roles/k8s_cert_manager/defaults/main.yaml
+++ b/ansible/roles/k8s_cert_manager/defaults/main.yaml
@ -1,2 +1,16 @@
 ---
-cert_manager_version: v1.10.1
+cert_manager_version: v1.10.1
+cert_manager_dns_address: 10.96.244.86
+cert_manager_dns_port: 53
+cert_manager_tsig_name: rndc
+cert_manager_tsig_algo: HMACSHA256
+cert_manager_tsig_keyname: rndc
+cert_manager_acme_providers: 
+  - provider: lets-encrypt
+    environment: staging
+    url: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: lets-encrypt@balsillie.email
+  - provider: lets-encrypt
+    environment: production
+    url: https://acme-v02.api.letsencrypt.org/directory
+    email: lets-encrypt@balsillie.email
--- a/ansible/roles/k8s_cert_manager/files/cert-manager-issuer-acme-lets-encrypt-production.yaml
+++ b/ansible/roles/k8s_cert_manager/files/cert-manager-issuer-acme-lets-encrypt-production.yaml
@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: acme-lets-encrypt-production
+spec:
+  acme:
+    email: lets-encrypt@balsillie.email
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cert-manager-secret-acme-lets-encrypt-production
+    solvers:
+      - dns01:
+          rfc2136:
+            nameserver: 10.96.244.86:53
+            tsigKeyName: rndc
+            tsigAlgorithm: HMACSHA256
+            tsigSecretSecretRef:
+              name: cert-manager-secret-tsig
+              key: rndc
--- a/ansible/roles/k8s_cert_manager/files/cert-manager-issuer-acme-lets-encrypt-staging.yaml
+++ b/ansible/roles/k8s_cert_manager/files/cert-manager-issuer-acme-lets-encrypt-staging.yaml
@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: acme-lets-encrypt-staging
+spec:
+  acme:
+    email: lets-encrypt@balsillie.email
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cert-manager-secret-acme-lets-encrypt-staging
+    solvers:
+      - dns01:
+          rfc2136:
+            nameserver: 10.96.244.86:53
+            tsigKeyName: rndc
+            tsigAlgorithm: HMACSHA256
+            tsigSecretSecretRef:
+              name: cert-manager-secret-tsig
+              key: rndc
--- a/ansible/roles/k8s_cert_manager/tasks/main.yaml
+++ b/ansible/roles/k8s_cert_manager/tasks/main.yaml
@ -1,12 +1,36 @@
 ---
- name: download the cert manager manifest
-  ansible.builtin.uri:
-    url: https://github.com/cert-manager/cert-manager/releases/download/{{ cert_manager_version }}/cert-manager.yaml
-    dest: "{{ ansible_search_path[0] }}/files/cert_manager_{{ cert_manager_version }}.yaml"
-    creates: "{{ ansible_search_path[0] }}/files/cert_manager_{{ cert_manager_version }}.yaml"
-    mode: 0664
+# - name: download the cert manager manifest
+#   ansible.builtin.uri:
+#     url: https://github.com/cert-manager/cert-manager/releases/download/{{ cert_manager_version }}/cert-manager.yaml
+#     dest: "{{ ansible_search_path[0] }}/files/cert_manager_{{ cert_manager_version }}.yaml"
+#     creates: "{{ ansible_search_path[0] }}/files/cert_manager_{{ cert_manager_version }}.yaml"
+#     mode: 0664

- name: install cert manager manifest to cluster
+# - name: install cert manager manifest to cluster
+#   kubernetes.core.k8s:
+#     state: present
+#     src: "{{ ansible_search_path[0] }}/files/cert_manager_{{ cert_manager_version }}.yaml"
+
+- name: template out the cert manager secrets definition file
+  ansible.builtin.template:
+    src: cert-manager-secrets.yaml.j2
+    dest: "{{ ansible_search_path[0] }}/files/cert-manager-secrets.yaml"
+
+- name: apply cert manager secrets definition
  kubernetes.core.k8s:
    state: present
-    src: "{{ ansible_search_path[0] }}/files/cert_manager_{{ cert_manager_version }}.yaml"
+    src: "{{ ansible_search_path[0] }}/files/cert-manager-secrets.yaml"
+
+- name: template out the cert manager issuer definition files
+  ansible.builtin.template:
+    src: cert-manager-issuer-acme.yaml.j2
+    dest: "{{ ansible_search_path[0] }}/files/cert-manager-issuer-acme-{{ item.provider }}-{{ item.environment }}.yaml"
+  with_items:
+    "{{ cert_manager_acme_providers }}"
+
+- name: apply cert manager issuer definition files
+  kubernetes.core.k8s:
+    state: present
+    src: "{{ ansible_search_path[0] }}/files/cert-manager-issuer-acme-{{ item.provider }}-{{ item.environment }}.yaml"
+  with_items:
+    "{{ cert_manager_acme_providers }}"
--- a/ansible/roles/k8s_cert_manager/templates/cert-manager-issuer-acme.yaml.j2
+++ b/ansible/roles/k8s_cert_manager/templates/cert-manager-issuer-acme.yaml.j2
@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: acme-{{ item.provider }}-{{ item.environment }}
+spec:
+  acme:
+    email: {{ item.email }}
+    server: {{ item.url }}
+    privateKeySecretRef:
+      name: cert-manager-secret-acme-{{ item.provider }}-{{ item.environment }}
+    solvers:
+      - dns01:
+          rfc2136:
+            nameserver: {{ cert_manager_dns_address }}:{{ cert_manager_dns_port }}
+            tsigKeyName: {{ cert_manager_tsig_keyname }}
+            tsigAlgorithm: {{ cert_manager_tsig_algo }}
+            tsigSecretSecretRef:
+              name: cert-manager-secret-tsig
+              key: {{ cert_manager_tsig_keyname }}
--- a/ansible/roles/k8s_cert_manager/templates/cert-manager-secrets.yaml.j2
+++ b/ansible/roles/k8s_cert_manager/templates/cert-manager-secrets.yaml.j2
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-manager-secret-tsig
+  namespace: cert-manager
+type: Opaque
+stringData:
+  {{ cert_manager_tsig_keyname }}: {{ cert_manager_tsig_keyvalue }}