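# Deploy cert-manager via Helm, then create the TSIG Secret and two Let's Encrypt
# ClusterIssuers (production + staging) that solve DNS-01 challenges through an
# RFC2136 (nsupdate) name server.
#
# Variables consumed here:
#   cert_manager_version         - chart version (required)
#   cert_manager_default_values  - base Helm values mapping (required)
#   cert_manager_values          - overrides merged on top of the defaults (required)
#   cert_manager_base64_tsig_key - TSIG key, already base64-encoded (required;
#                                  Secret.data must be base64)
#   lets_encrypt_mailbox         - ACME registration e-mail (required)
#   dns_ip / external_dns_ip     - RFC2136 name server address (one required)
#   cert_manager_namespace       - optional, default "cert-manager"
#   cert_manager_name            - optional, default "cert-manager"
#   cert_manager_chart           - optional, default "jetstack/cert-manager"
#   cert_manager_tsig_key_name   - optional, default "k8s"

- name: Merge cert-manager Helm values (overrides win, deep merge)
  set_fact:
    cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values, recursive=true) }}"

- name: Deploy cert-manager {{ cert_manager_version }}
  # NOTE(review): the ClusterIssuer tasks below need the cert-manager CRDs to exist.
  # The chart only installs them when the merged values enable it (installCRDs /
  # crds.enabled depending on chart version) — confirm that is set in the defaults.
  community.kubernetes.helm:
    create_namespace: true
    release_namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
    release_name: "{{ cert_manager_name | default('cert-manager') }}"
    chart_ref: "{{ cert_manager_chart | default('jetstack/cert-manager') }}"
    chart_version: "{{ cert_manager_version }}"
    release_values: "{{ cert_manager_combined_values | from_yaml | default(omit) }}"
    wait: true

- name: Create TSIG secret for the RFC2136 (nsupdate) DNS-01 solver
  # cert-manager resolves a ClusterIssuer's secret references from its
  # cluster-resource namespace, which by default is the namespace cert-manager
  # itself runs in. The Secret therefore has to follow the Helm release namespace
  # rather than a hard-coded "cert-manager", or overriding cert_manager_namespace
  # silently leaves the issuer unable to find its key.
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: tsig-secret
        namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
      type: Opaque
      data:
        # Pre-encoded by the caller; do not base64-encode again here.
        tsig-secret-key: "{{ cert_manager_base64_tsig_key }}"
  # Keep the TSIG key out of Ansible's task output and callback logs.
  no_log: true

- name: Create Let's Encrypt ClusterIssuer {{ item.name }}
  # Both issuers are identical apart from name and ACME directory URL, so they are
  # produced from one definition. The ACME account private key is stored in a
  # Secret of the same name as the issuer, in cert-manager's cluster-resource
  # namespace.
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: "{{ item.name }}"
      spec:
        acme:
          # The ACME server URL (production vs. staging directory)
          server: "{{ item.server }}"
          # Email address used for ACME registration
          email: "{{ lets_encrypt_mailbox }}"
          # Name of a secret used to store the ACME account private key
          privateKeySecretRef:
            name: "{{ item.name }}"
          solvers:
            # To use HTTP-01 instead of / in addition to DNS-01, add a solver such as:
            #   - http01:
            #       ingress:
            #         class: nginx
            - dns01:
                rfc2136:
                  # NOTE(review): an IPv6 address here would need [] brackets
                  # before the ":53" port suffix — confirm the address family in use.
                  nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                  tsigAlgorithm: HMACSHA512
                  tsigKeyName: "{{ cert_manager_tsig_key_name | default('k8s') }}"
                  tsigSecretSecretRef:
                    name: tsig-secret
                    key: tsig-secret-key
  loop:
    - name: letsencrypt-prod
      server: https://acme-v02.api.letsencrypt.org/directory
    - name: letsencrypt-staging
      server: https://acme-staging-v02.api.letsencrypt.org/directory
  loop_control:
    label: "{{ item.name }}"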