k8s let's encrypt issuer and cert creation

2022-08-04 20:03:42 -04:00
parent 7410984c5e
commit 8c752b2b70
10 changed files with 171 additions and 11 deletions
--- a/ansible-5/roles/k3s/tasks/install.python_modules.yml
+++ b/ansible-5/roles/k3s/tasks/install.python_modules.yml
@@ -0,0 +1,17 @@
 ---
 # install the required python3 modules with pip
 - name: Install required packages for pip
  apt:
    name: "{{ item }}"
    update_cache: yes
    cache_valid_time: 3600
    state: latest
  with_items:
    - python3-pip
 - name: Install ansible kubernetes python packages
  ansible.builtin.pip:
    name:
      - anisble
      - kubernetes
--- a/ansible-5/roles/k3s/tasks/main.yml
+++ b/ansible-5/roles/k3s/tasks/main.yml
@@ -16,3 +16,5 @@
 - include_tasks: install_helm.yml
 #install required python modules
 - include_tasks: install.python_modules.yml
--- a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -9,6 +9,7 @@ $TTL 1D
 xai-corp.net.           IN NS   ns.xai-corp.net.
 xai-corp.net.           IN MX   0 mail.xai-corp.net.
 xai-corp.net.           IN TXT  "v=spf1 ip4:192.168.4.11/32 mx ptr mx:mail.xai-corp.net ~all"
 xai-corp.net.           IN A    192.168.4.11
 ;mail                    IN A    192.168.4.12
 gateway                 IN A    192.168.4.4
--- a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml
@@ -0,0 +1,20 @@
 ---
 #https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-production
 spec:
  acme:
    email: r_morgan@sympatico.ca
    server: https://acme-v02.api.letsencrypt.org/directory
 #    disableAccountKeyGeneration: true
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-production-issuer-account-key
    # Add a single challenge solver, HTTP01
    solvers:
      - http01:
          ingress:
            class: traefik
--- a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
@@ -0,0 +1,20 @@
 ---
 #https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-staging
 spec:
  acme:
    email: r_morgan@sympatico.ca
    server: https://acme-staging-v02.api.letsencrypt.org/directory
 #    disableAccountKeyGeneration: true
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging-issuer-account-key
    # Add a single challenge solver, HTTP01
    solvers:
      - http01:
          ingress:
            class: traefik
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
@@ -0,0 +1,32 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: xai-corp
  namespace: default
 spec:
  # Secret names are always required.
  secretName: xai-corp-staging-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: xai-corp.net
  dnsNames:
    - xai-corp.net
    - git.xai-corp.net
    - tunedb.xai-corp.net
    - www.xai-corp.net
    - xaibox.xai-corp.net
    - sql.xai-corp.net
    - cik.xai-corp.net
  acme:
    config:
      - http01:
          ingressClass: traefik
        domains:
          - xai-corp.net
 #      - http01:
 #          ingress: certs-ingress
 #        domains:
 #          - hello.xai-corp.net
 #          - sql.xai-corp.net
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
@@ -0,0 +1,28 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: xai-corp
  namespace: default
 spec:
  # Secret names are always required.
  secretName: xai-corp-staging-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: xai-corp.net
  dnsNames:
    - xai-corp.net
    - www.xai-corp.net
    - sql.xai-corp.net
  acme:
    config:
      - http01:
          ingressClass: traefik
        domains:
          - xai-corp.net
 #      - http01:
 #          ingress: certs-ingress
 #        domains:
 #          - hello.xai-corp.net
 #          - sql.xai-corp.net
--- a/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
+++ b/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
@@ -0,0 +1,34 @@
 ---
 # https://cert-manager.io/docs/installation/helm/#installing-with-helm
 - name: install cert-manager
  kubernetes.core.helm:
    kubeconfig_path: "/etc/rancher/k3s/k3s.yaml"
    atomic: true
    name: cert-manager
    chart_ref: jetstack/cert-manager
    release_namespace: cert-manager
    create_namespace: true
    release_values:
      installCRDs: true
  become: true
 # create issuer
 - name: create let's encrypt issuers
  kubernetes.core.k8s:
    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
    state: present
    definition: "{{ lookup('file', item) | from_yaml }}"
  become: true
  loop:
    - 'cert-manager/acme.issuer.stg.yaml'
    - 'cert-manager/acme.issuer.prod.yaml'
 - name: create let's encrypt certificates
  kubernetes.core.k8s:
    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
    state: present
    definition: "{{ lookup('file', item) | from_yaml }}"
  become: true
  loop:
    - 'cert-manager/certificate.xai-corp.stg.yaml'
    - 'cert-manager/certificate.xai-corp.prod.yaml'
--- a/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml
+++ b/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml
@@ -0,0 +1,12 @@
 ---
 - name: Create glusterfs fstab entries
  ansible.posix.mount:
    path: "{{item.path}}"
    src: "gluster:/{{item.name}}"
    fstype: "glusterfs"
    boot: false
    opts: "direct-io-mode=disable,_netdev,x-systemd.automount 0 0"
    state: "{{item.state}}"
  with_items: "{{fstab.gluster}}"
  become: true
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -2,19 +2,13 @@
 # provisioning services in k3s cluster
 # mount gluster
- name: Create glusterfs fstab entries
+#- include_tasks: gluster.fstab.yml
  ansible.posix.mount:
    path: "{{item.path}}"
    src: "gluster:/{{item.name}}"
    fstype: "glusterfs"
    boot: false
    opts: "direct-io-mode=disable,_netdev,x-systemd.automount 0 0"
    state: "{{item.state}}"
  with_items: "{{fstab.gluster}}"
  become: true
 # add helm repositories
- include_tasks: add_repos.yml
+#- include_tasks: add_repos.yml
 - include_tasks: cert_manager.yml
 # https://artifacthub.io/packages/helm/twuni/docker-registry
 #- name: Deploy latest version of docker-registry in dev-tools namespace