k8s let's encrypt issuer and cert creation

2022-08-04 20:03:42 -04:00
parent 7410984c5e
commit 8c752b2b70
10 changed files with 171 additions and 11 deletions
--- a/ansible-5/roles/k3s/tasks/install.python_modules.yml
+++ b/ansible-5/roles/k3s/tasks/install.python_modules.yml
@@ -0,0 +1,17 @@
+---
+# install the required python3 modules with pip
+
+- name: Install required packages for pip
+  apt:
+    name: "{{ item }}"
+    update_cache: yes
+    cache_valid_time: 3600
+    state: latest
+  with_items:
+    - python3-pip
+
+- name: Install ansible kubernetes python packages
+  ansible.builtin.pip:
+    name:
+      - anisble
+      - kubernetes
--- a/ansible-5/roles/k3s/tasks/main.yml
+++ b/ansible-5/roles/k3s/tasks/main.yml
@@ -16,3 +16,5 @@

 - include_tasks: install_helm.yml

+#install required python modules
+- include_tasks: install.python_modules.yml
--- a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -9,6 +9,7 @@ $TTL 1D
 xai-corp.net.           IN NS   ns.xai-corp.net.
 xai-corp.net.           IN MX   0 mail.xai-corp.net.
 xai-corp.net.           IN TXT  "v=spf1 ip4:192.168.4.11/32 mx ptr mx:mail.xai-corp.net ~all"
+xai-corp.net.           IN A    192.168.4.11
 ;mail                    IN A    192.168.4.12

 gateway                 IN A    192.168.4.4
--- a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml
@@ -0,0 +1,20 @@
+---
+#https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    email: r_morgan@sympatico.ca
+    server: https://acme-v02.api.letsencrypt.org/directory
+#    disableAccountKeyGeneration: true
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-production-issuer-account-key
+    # Add a single challenge solver, HTTP01
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
--- a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
@@ -0,0 +1,20 @@
+---
+#https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: r_morgan@sympatico.ca
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+#    disableAccountKeyGeneration: true
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-staging-issuer-account-key
+    # Add a single challenge solver, HTTP01
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: xai-corp
+  namespace: default
+spec:
+  # Secret names are always required.
+  secretName: xai-corp-staging-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: xai-corp.net
+  dnsNames:
+    - xai-corp.net
+    - git.xai-corp.net
+    - tunedb.xai-corp.net
+    - www.xai-corp.net
+    - xaibox.xai-corp.net
+    - sql.xai-corp.net
+    - cik.xai-corp.net
+  acme:
+    config:
+      - http01:
+          ingressClass: traefik
+        domains:
+          - xai-corp.net
+#      - http01:
+#          ingress: certs-ingress
+#        domains:
+#          - hello.xai-corp.net
+#          - sql.xai-corp.net
--- a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: xai-corp
+  namespace: default
+spec:
+  # Secret names are always required.
+  secretName: xai-corp-staging-tls
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  commonName: xai-corp.net
+  dnsNames:
+    - xai-corp.net
+    - www.xai-corp.net
+    - sql.xai-corp.net
+  acme:
+    config:
+      - http01:
+          ingressClass: traefik
+        domains:
+          - xai-corp.net
+#      - http01:
+#          ingress: certs-ingress
+#        domains:
+#          - hello.xai-corp.net
+#          - sql.xai-corp.net
--- a/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
+++ b/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
@@ -0,0 +1,34 @@
+---
+# https://cert-manager.io/docs/installation/helm/#installing-with-helm
+- name: install cert-manager
+  kubernetes.core.helm:
+    kubeconfig_path: "/etc/rancher/k3s/k3s.yaml"
+    atomic: true
+    name: cert-manager
+    chart_ref: jetstack/cert-manager
+    release_namespace: cert-manager
+    create_namespace: true
+    release_values:
+      installCRDs: true
+  become: true
+
+# create issuer
+- name: create let's encrypt issuers
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: present
+    definition: "{{ lookup('file', item) | from_yaml }}"
+  become: true
+  loop:
+    - 'cert-manager/acme.issuer.stg.yaml'
+    - 'cert-manager/acme.issuer.prod.yaml'
+
+- name: create let's encrypt certificates
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: present
+    definition: "{{ lookup('file', item) | from_yaml }}"
+  become: true
+  loop:
+    - 'cert-manager/certificate.xai-corp.stg.yaml'
+    - 'cert-manager/certificate.xai-corp.prod.yaml'
--- a/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml
+++ b/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Create glusterfs fstab entries
+  ansible.posix.mount:
+    path: "{{item.path}}"
+    src: "gluster:/{{item.name}}"
+    fstype: "glusterfs"
+    boot: false
+    opts: "direct-io-mode=disable,_netdev,x-systemd.automount 0 0"
+    state: "{{item.state}}"
+  with_items: "{{fstab.gluster}}"
+  become: true
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -2,19 +2,13 @@
 # provisioning services in k3s cluster

 # mount gluster
- name: Create glusterfs fstab entries
-  ansible.posix.mount:
-    path: "{{item.path}}"
-    src: "gluster:/{{item.name}}"
-    fstype: "glusterfs"
-    boot: false
-    opts: "direct-io-mode=disable,_netdev,x-systemd.automount 0 0"
-    state: "{{item.state}}"
-  with_items: "{{fstab.gluster}}"
-  become: true
+#- include_tasks: gluster.fstab.yml

 # add helm repositories
- include_tasks: add_repos.yml
+#- include_tasks: add_repos.yml
+
+
+- include_tasks: cert_manager.yml

 # https://artifacthub.io/packages/helm/twuni/docker-registry
 #- name: Deploy latest version of docker-registry in dev-tools namespace