# Merge the role's default Helm values with any user-supplied overrides
# (cert_manager_values may be unset, hence the default({})). The recursive
# merge walks nested mappings key by key; note that combine's default
# list_merge is 'replace', so list-valued keys are overridden wholesale.
- ansible.builtin.set_fact:
    cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values | default({}), recursive=true) }}"
# Install or upgrade the cert-manager chart, pinned to cert_manager_version.
- name: Deploy Cert-manager {{ cert_manager_version }}
  kubernetes.core.helm:
    release_name: "{{ cert_manager_name | default('cert-manager') }}"
    release_namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
    create_namespace: true
    chart_ref: "{{ cert_manager_chart_ref }}"
    # Pinning the chart version keeps a re-run from silently pulling a newer release.
    chart_version: "{{ cert_manager_version }}"
    # Values merged by the preceding set_fact; it is already a mapping, and
    # from_yaml passes non-string input through unchanged, so this is the
    # merged dict as-is. default(omit) only applies if the fact is undefined.
    release_values: "{{ cert_manager_combined_values | from_yaml | default(omit) }}"
    # Block until the release is up: the ClusterIssuer tasks below need
    # cert-manager's CRDs (cert-manager.io/v1) to be registered first.
    wait: true
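# Store the TSIG key cert-manager uses to push _acme-challenge TXT records to
# the authoritative DNS server via RFC 2136 dynamic update.
# SECURITY: whoever holds this key can perform whatever updates the DNS server's
# policy allows for it; restrict the key on the server side (e.g. a BIND
# update-policy limited to TXT records under _acme-challenge.<zone>).
- name: Create secret for DNS RFC2136 (NSUPDATE)
  # The task args and the module result both carry the key material; keep them
  # out of Ansible's log / callback output.
  no_log: true
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: tsig-secret
        # The ClusterIssuers below reference this Secret by name only, and
        # cert-manager resolves ClusterIssuer secret refs in its
        # cluster-resource namespace, which defaults to its install namespace.
        # So this must track release_namespace of the Helm deploy task rather
        # than being hard-coded to 'cert-manager'.
        namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
      data:
        # Secret.data (not stringData): the value must already be base64-encoded.
        tsig-secret-key: "{{ cert_manager_base64_tsig_key }}"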
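# Production ACME issuer: certificates from it are publicly trusted. The
# production endpoint is rate-limited, so exercise the DNS-01 flow against
# the staging issuer defined below before pointing Certificates at this one.
- name: Create Production ClusterIssuer for Let's Encrypt
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-prod
      spec:
        acme:
          # The ACME server URL
          server: https://acme-v02.api.letsencrypt.org/directory
          # Email address used for ACME registration
          email: "{{ cert_manager_lets_encrypt_mailbox }}"
          # Name of a secret used to store the ACME account private key
          # (created by cert-manager in its own namespace)
          privateKeySecretRef:
            name: letsencrypt-prod
          # Challenge solvers. Only DNS-01 via RFC 2136 dynamic updates is
          # enabled; the HTTP-01 ingress solver is kept commented out as an
          # alternative.
          solvers:
            #- http01:
            #    ingress:
            #      class: nginx
            - dns01:
                rfc2136:
                  # DNS server that accepts the dynamic updates (host:port)
                  nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                  tsigAlgorithm: HMACSHA512
                  # Must match the key name configured on the DNS server
                  tsigKeyName: k8s
                  # Secret written by the "Create secret for DNS RFC2136" task
                  tsigSecretSecretRef:
                    key: tsig-secret-key
                    name: tsig-secret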
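# Staging ACME issuer: same solver setup as the production issuer, but against
# Let's Encrypt's staging endpoint. Its certificates are NOT publicly trusted;
# use it to validate the DNS-01 flow without consuming production rate limits.
- name: Create Staging ClusterIssuer for Let's Encrypt
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-staging
      spec:
        acme:
          # The ACME server URL
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          # Email address used for ACME registration
          email: "{{ cert_manager_lets_encrypt_mailbox }}"
          # Name of a secret used to store the ACME account private key
          # (created by cert-manager in its own namespace)
          privateKeySecretRef:
            name: letsencrypt-staging
          # Challenge solvers. Only DNS-01 via RFC 2136 dynamic updates is
          # enabled; the HTTP-01 ingress solver is kept commented out as an
          # alternative.
          solvers:
            #- http01:
            #    ingress:
            #      class: nginx
            - dns01:
                rfc2136:
                  # DNS server that accepts the dynamic updates (host:port)
                  nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                  tsigAlgorithm: HMACSHA512
                  # Must match the key name configured on the DNS server
                  tsigKeyName: k8s
                  # Secret written by the "Create secret for DNS RFC2136" task
                  tsigSecretSecretRef:
                    key: tsig-secret-key
                    name: tsig-secret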