ansible/roles/cert-manager/tasks/main.yaml


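# Merge the role's default chart values with any user-supplied overrides.
# recursive=true lets callers override a single nested chart key instead
# of having to restate the whole sub-tree.
- name: Merge cert-manager chart values
  ansible.builtin.set_fact:
    cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values, recursive=true) }}"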
# Install (or upgrade) the cert-manager chart with the merged values.
- name: Deploy Cert-manager {{ cert_manager_version }}
  community.kubernetes.helm:
    release_name: "{{ cert_manager_name | default('cert-manager') }}"
    release_namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
    create_namespace: true
    chart_ref: "{{ cert_manager_chart | default('jetstack/cert-manager') }}"
    chart_version: "{{ cert_manager_version }}"
    # The merged values are expected to already be a mapping; from_yaml is
    # kept so a string-typed override still parses.
    release_values: "{{ cert_manager_combined_values | from_yaml | default(omit) }}"
    # Wait for the release to become ready so the cert-manager CRDs and
    # webhook exist before the ClusterIssuer tasks below are applied.
    wait: true
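# TSIG key consumed by the rfc2136 dns01 solvers below. It is created in
# the cert-manager namespace because ClusterIssuer secret references are
# resolved from cert-manager's cluster-resource namespace, which defaults
# to the namespace cert-manager itself runs in.
- name: Create secret for DNS RFC2136 (NSUPDATE)
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: tsig-secret
        # Follow the namespace used by the Helm release rather than a
        # hard-coded value so an overridden namespace stays consistent.
        namespace: "{{ cert_manager_namespace | default('cert-manager') }}"
      data:
        # Secret.data must be base64-encoded; the variable name indicates the
        # caller supplies it in that form already.
        tsig-secret-key: "{{ cert_manager_base64_tsig_key }}"
  # Keep the key material out of task output and playbook logs.
  no_log: true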
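- name: Create Production ClusterIssuer for Let's Encrypt
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-prod
      spec:
        acme:
          # Production ACME endpoint: issues trusted certificates but is
          # rate-limited; use the staging issuer while testing.
          server: https://acme-v02.api.letsencrypt.org/directory
          # Contact address registered with the ACME account.
          email: "{{ lets_encrypt_mailbox }}"
          # Secret holding the ACME account private key; cert-manager
          # creates it on first registration.
          privateKeySecretRef:
            name: letsencrypt-prod
          # Only the DNS-01 challenge via RFC 2136 dynamic updates is
          # configured. An http01 ingress solver could be added here if
          # needed.
          solvers:
            - dns01:
                rfc2136:
                  # Authoritative nameserver that accepts TSIG-signed updates.
                  nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                  tsigAlgorithm: "{{ cert_manager_tsig_algorithm | default('HMACSHA512') }}"
                  tsigKeyName: "{{ cert_manager_tsig_key_name | default('k8s') }}"
                  # Must match the Secret created by the TSIG task above.
                  tsigSecretSecretRef:
                    name: tsig-secret
                    key: tsig-secret-key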
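- name: Create Staging ClusterIssuer for Let's Encrypt
  community.kubernetes.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-staging
      spec:
        acme:
          # Staging ACME endpoint: relaxed rate limits, but the issued
          # certificates are not trusted by browsers. Use it to validate
          # the solver configuration before switching to letsencrypt-prod.
          server: https://acme-staging-v02.api.letsencrypt.org/directory
          # Contact address registered with the ACME account.
          email: "{{ lets_encrypt_mailbox }}"
          # Secret holding the ACME account private key; cert-manager
          # creates it on first registration.
          privateKeySecretRef:
            name: letsencrypt-staging
          # Only the DNS-01 challenge via RFC 2136 dynamic updates is
          # configured. An http01 ingress solver could be added here if
          # needed.
          solvers:
            - dns01:
                rfc2136:
                  # Authoritative nameserver that accepts TSIG-signed updates.
                  nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                  tsigAlgorithm: "{{ cert_manager_tsig_algorithm | default('HMACSHA512') }}"
                  tsigKeyName: "{{ cert_manager_tsig_key_name | default('k8s') }}"
                  # Must match the Secret created by the TSIG task above.
                  tsigSecretSecretRef:
                    name: tsig-secret
                    key: tsig-secret-key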