Diffstat (limited to 'roles/ca')
-rw-r--r-- | roles/ca/files/ca.yaml | 32 | ||||
-rw-r--r-- | roles/ca/files/lets-encrypt-dev.yaml | 18 | ||||
-rw-r--r-- | roles/ca/files/lets-encrypt-prod.yaml | 18 | ||||
-rw-r--r-- | roles/ca/tasks/main.yaml | 32 |
4 files changed, 100 insertions, 0 deletions
diff --git a/roles/ca/files/ca.yaml b/roles/ca/files/ca.yaml
new file mode 100644
index 0000000..a77b415
--- /dev/null
+++ b/roles/ca/files/ca.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+ namespace: cert-manager
+spec:
+ isCA: true
+ commonName: selfsigned-ca
+ secretName: root-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: ca-issuer
+spec:
+ ca:
+ secretName: root-secret
diff --git a/roles/ca/files/lets-encrypt-dev.yaml b/roles/ca/files/lets-encrypt-dev.yaml
new file mode 100644
index 0000000..e84120d
--- /dev/null
+++ b/roles/ca/files/lets-encrypt-dev.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: [email protected]
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: traefik
diff --git a/roles/ca/files/lets-encrypt-prod.yaml b/roles/ca/files/lets-encrypt-prod.yaml
new file mode 100644
index 0000000..fb9b541
--- /dev/null
+++ b/roles/ca/files/lets-encrypt-prod.yaml
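Review bot: The `selfsigned-ca` Certificate sets `isCA: true` but gives no `duration` or `renewBefore`, so this root gets cert-manager's default leaf-style lifetime (90 days on the versions I know of; confirm against the deployed chart) and is reissued on the default schedule, while `ca-issuer` keeps reading it from `root-secret` and anything that has distributed or pinned the old root breaks without an operator decision. Set both explicitly under `spec`, e.g. `duration: 87600h` and `renewBefore: 8760h`, with a comment saying the CA's renewal is a trust-distribution event. The `privateKey` block should also state `rotationPolicy: Never` (or `Always`) so the key behaviour on renewal is documented rather than defaulted; ECDSA P-256 itself is a sound choice for the root.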
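Review bot: `email: [email protected]` as rendered here reads like a redacted placeholder rather than a mailbox; confirm that the committed value is a monitored address, since Let's Encrypt sends expiry and account notices there, and the same value appears in the lets-encrypt-prod.yaml hunk that follows. Unlike ca.yaml, neither Let's Encrypt file starts with `---`; add it so the three manifests in the role are consistent. The staging and prod issuers differ only in `name`, `server` and `privateKeySecretRef.name`, so a one-line header comment in each file stating which environment it targets and that the staging CA is not publicly trusted would help the next reader, e.g. `# Staging ACME endpoint: certificates are NOT browser-trusted, use for rate-limit-free testing only`.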
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: [email protected]
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: traefik
diff --git a/roles/ca/tasks/main.yaml b/roles/ca/tasks/main.yaml
new file mode 100644
index 0000000..36b17e1
--- /dev/null
+++ b/roles/ca/tasks/main.yaml
@@ -0,0 +1,32 @@
+- name: Setup Cert-manager chart
+ kubernetes.core.helm_repository:
+ name: jetstack
+ repo_url: "https://charts.jetstack.io"
+
+- name: Deploy Cert manager
+ kubernetes.core.helm:
+ name: cert-manager
+ chart_ref: jetstack/cert-manager
+ release_namespace: cert-manager
+ create_namespace: true
+ set_values:
+ - value: installCRDs=true
+ value_type: string
+
+- name: Create CA
+ kubernetes.core.k8s:
+ state: "{%- if servers.ca.enabled -%} present {%- else -%} absent {%- endif -%}"
+ src: "{{ lookup('env', 'PWD') }}/roles/ca/files/ca.yaml"
+ namespace: cert-manager
+
+- name: Add Lets Encrypt Dev
+ kubernetes.core.k8s:
+ state: "{%- if roles/ca.ca.enabled -%} present {%- else -%} absent {%- endif -%}"
+ src: "{{ lookup('env', 'PWD') }}/roles/ca/files/lets-encrypt-dev.yaml"
+ namespace: cert-manager
+
+- name: Add Lets Encrypt Dev
+ kubernetes.core.k8s:
+ state: "{%- if roles/ca.ca.enabled -%} present {%- else -%} absent {%- endif -%}"
+ src: "{{ lookup('env', 'PWD') }}/roles/ca/files/lets-encrypt-prod.yaml"
+ namespace: cert-manager
|
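Review bot: The condition `{%- if roles/ca.ca.enabled -%}` in the two Let's Encrypt tasks is not a valid variable reference (Jinja reads `/` as division of an undefined `roles`), so both tasks will most likely fail with an undefined-variable error instead of honouring the flag the `Create CA` task uses (`servers.ca.enabled`); it looks like a search-and-replace slip. Rewrite all three `state:` lines as `state: "{{ 'present' if servers.ca.enabled else 'absent' }}"` and rename the last task `- name: Add Lets Encrypt Prod`, since it currently duplicates the `Add Lets Encrypt Dev` name while applying lets-encrypt-prod.yaml. The `src` paths are built from `lookup('env', 'PWD')`, which only resolves when the playbook is launched from the repository root; `src: "{{ role_path }}/files/ca.yaml"` (and likewise for the two issuer files) removes that dependency on the caller's working directory. `ClusterIssuer` objects are cluster-scoped, so the `namespace: cert-manager` on these tasks presumably only affects the namespaced `Certificate` in ca.yaml; a short comment stating that would save the next reader from wondering why the issuers ignore it.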