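- name: Merge cert-manager chart values (user values override role defaults)
  set_fact:
    # recursive=true so nested keys in cert_manager_values override only the
    # matching nested keys of cert_manager_default_values instead of replacing
    # whole sub-mappings
    cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values, recursive=true) }}"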

- name: Deploy Cert-manager {{ cert_manager_version }}
  community.kubernetes.helm:
    create_namespace: true
    # Namespace, release and chart are overridable; defaults match the upstream
    # jetstack chart
    release_namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
    release_name: "{{ cert_manager_name | default('cert-manager') }}"
    chart_ref: "{{ cert_manager_chart | default('jetstack/cert-manager') }}"
    # Pinned chart version; keep this aligned with cert_manager_version
    chart_version: "{{ cert_manager_version }}"
    # Values merged in the preceding set_fact; omitted if undefined
    release_values: "{{ cert_manager_combined_values | from_yaml | default(omit) }}"
    # Block until the release reports ready so the ClusterIssuer tasks below
    # do not run before the cert-manager CRDs and webhook are available
    wait: true

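- name: Create secret for DNS RFC2136 (NSUPDATE)
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: tsig-secret
        # Same namespace cert-manager is deployed into (see the helm task above):
        # a ClusterIssuer resolves tsigSecretSecretRef in cert-manager's cluster
        # resource namespace, which defaults to its own install namespace
        namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
      type: Opaque
      data:
        # values under data: must already be base64-encoded
        tsig-secret-key: "{{ cert_manager_base64_tsig_key }}"
  # Keep the TSIG key out of task output, callbacks and logs
  no_log: true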

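- name: Create Production ClusterIssuer for Let's Encrypt
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-prod
      spec:
        acme:
          # The ACME server URL (production: issues trusted certificates,
          # subject to Let's Encrypt rate limits)
          server: https://acme-v02.api.letsencrypt.org/directory
          # Email address used for ACME registration and expiry notices
          email: "{{ lets_encrypt_mailbox }}"
          # Name of a secret used to store the ACME account private key
          privateKeySecretRef:
            name: letsencrypt-prod
          # Only the DNS-01 (RFC2136) solver is enabled; the HTTP-01 solver is
          # kept below, commented out, should it be needed again
          solvers:
          #- http01:
          #    ingress:
          #      class: nginx
          - dns01:
              rfc2136:
                nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                tsigAlgorithm: HMACSHA512
                # Must match the TSIG key name configured on the nameserver
                tsigKeyName: k8s
                # Secret created by the "Create secret for DNS RFC2136" task
                tsigSecretSecretRef:
                  key: tsig-secret-key
                  name: tsig-secret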

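- name: Create Staging ClusterIssuer for Let's Encrypt
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-staging
      spec:
        acme:
          # The ACME server URL (staging: untrusted certificates, relaxed rate
          # limits; use for testing the solver setup)
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          # Email address used for ACME registration and expiry notices
          email: "{{ lets_encrypt_mailbox }}"
          # Name of a secret used to store the ACME account private key
          privateKeySecretRef:
            name: letsencrypt-staging
          # Only the DNS-01 (RFC2136) solver is enabled; the HTTP-01 solver is
          # kept below, commented out, should it be needed again
          solvers:
          #- http01:
          #    ingress:
          #      class: nginx
          - dns01:
              rfc2136:
                nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                tsigAlgorithm: HMACSHA512
                # Must match the TSIG key name configured on the nameserver
                tsigKeyName: k8s
                # Secret created by the "Create secret for DNS RFC2136" task
                tsigSecretSecretRef:
                  key: tsig-secret-key
                  name: tsig-secret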