feat: trust private acme CA (vexxhost#1216)

Related: vexxhost#1185 We disscused with @mpiscaer on Slack about the reason why this happens and found that such a configuration was not foreseen. Mounting whole directory like here: https://github.com/vexxhost/ansible-collection-kubernetes/blob/main/roles/cert_manager/vars/main.yml#L21 is a bad idea because on EL distros this host path doesn't exist. Reviewed-by: Mohammed Naser <mnaser@vexxhost.com> Reviewed-by: Michiel Piscaer <michiel@piscaer.com> Reviewed-by: Tadas Sutkaitis
mpiscaer · May 20, 2024 · abb1775 · abb1775
1 parent 0d721d1
commit abb1775
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
@@ -15,6 +15,8 @@
 cluster_issuer_name: "{{ atmosphere_ingress_cluster_issuer }}"
 cluster_issuer_type: acme
 
+cluster_issuer_acme_private_ca: false
+
 cluster_issuer_acme_server: https://acme-v02.api.letsencrypt.org/directory
 # cluster_issuer_acme_email:
 cluster_issuer_acme_private_key_secret_name: cert-manager-issuer-account-key

diff --git a/roles/openstack_cli/templates/atmosphere.sh.j2 b/roles/openstack_cli/templates/atmosphere.sh.j2
@@ -3,7 +3,10 @@ alias osc='nerdctl run --rm --network host \
       --volume /etc/openstack:/etc/openstack:ro \
 {% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
       --volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family']
-      in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/etc/pki/ca-trust/source/anchors/atmosphere.crt:ro' }} \
+      in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+      --volume {{ '/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro' if ansible_facts['os_family']
+      in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:/etc/ssl/certs/ca-certificates.crt:ro' }} \
 {% endif %}
       --env-file <(env | grep OS_) \
       {{ atmosphere_images['openstack_cli'] }}'

diff --git a/roles/openstack_cli/templates/openrc.j2 b/roles/openstack_cli/templates/openrc.j2
@@ -12,5 +12,7 @@ export OS_PROJECT_DOMAIN_NAME=Default
 export OS_PROJECT_NAME=admin
 
 {% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
-export OS_CACERT={{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt
+export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
 {% endif %}
diff --git a/roles/openstacksdk/templates/clouds.yaml.j2 b/roles/openstacksdk/templates/clouds.yaml.j2
@@ -9,5 +9,7 @@ clouds:
       project_domain_name: Default
     region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
 {% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
-    cacert: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+    cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+    cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% endif %}