freeipa certificate issuer

.github/workflows/molecule.yml

@@ -21,10 +21,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v3
         with:
-          path: tcharl.freeipa_server
+          path: tcharl.kube_certmanager
       - name: install prereq
         run: |
-          cd tcharl.freeipa_server
+          cd tcharl.kube_certmanager
           ansible-galaxy role install -r requirements-standalone.yml
           ansible-galaxy collection install -r requirements-collections.yml
   lint:

.travis.yml

@@ -35,7 +35,7 @@ install:
 
 script:
   - mv ../kube_certmanager ../tcharl.kube_cert_manager
-  - travis_wait 50 tox -e test-exec -- --scenario-name kvm
+  - travis_wait 70 tox -e test-exec -- --scenario-name kvm
 branches:
   only:
-    - master
+    - master

defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+kube_firewall_zone: 'public'
+cert_manager_chart_version: 'v1.12.1'

files/cert-manager-values.yml

@@ -0,0 +1,13 @@
+installCRDs: true
+webhook:
+  hostNetwork: true
+  securePort: 10260
+volumeMounts:
+  - name: ca-bundle
+    mountPath: /etc/pki/tls/certs/ca-bundle.crt
+    subPath: ca-bundle.crt
+    readOnly: false
+volumes:
+  - name: ca-bundle
+    configMap:
+      name: ca-bundle

molecule/default/converge.yml

@@ -1,13 +1,19 @@
 ---
 - name: Converge master
-  hosts: master.osgiliath.test
+  hosts:
+    - ipaservers
+    - kube_master
   vars:
     secure_logs: False
     # preferred_nic: "eth1"
     kube_firewall_zone: 'public'
+    master_preferred_nic: "eth1"
     preferred_nic: "eth1"
     reset_kube: True
     standalone_role: False
+    company_domain: osgiliath.test
+    company_realm_password: '123ADMin'
+    company_ad_password: '123ADmPass'
     nfs_mountpoints: # Mountpoints should be configured by the tcharl.ansible_volume (nfs mounts) on the server and client side to be mounted on each node before kubernetes comes in
       - host: master.osgiliath.test
         mountpoints:

molecule/default/molecule.yml

@@ -4,9 +4,7 @@ dependency:
   enabled: ${DEPENDENCY_ENABLED:-True}
   options:
     role-file: ${REQUIREMENTS_PATH:-requirements-standalone.yml}
-    roles-path: ${MOLECULE_PROJECT_DIRECTORY}/../community
     requirements-file: requirements-collections.yml
-    collections-path: ${MOLECULE_PROJECT_DIRECTORY}/../community-collections
 driver:
   name: vagrant
   provider:
@@ -15,8 +13,8 @@ platforms:
   - name: master.osgiliath.test
     box: ${TESTBOX:-fedora/38-cloud-base}
     provider_options:
-      cpus: 4
-      memory: 5120
+      cpus: 2
+      memory: 2048
     interfaces:
       - type: dhcp
         # ip: "192.168.56.5"
@@ -25,14 +23,28 @@ platforms:
         virtualbox__intnet: "internalnetwork"
     groups:
       - kube_master
+      - ipaclients
+  - name: ipa.osgiliath.test
+    box: ${TESTBOX:-fedora/38-cloud-base}
+    provider_options:
+      cpus: 2
+      memory: 2048
+    interfaces:
+      - type: dhcp
+        # ip: "192.168.56.5"
+        auto_config: true
+        network_name: private_network
+        virtualbox__intnet: "internalnetwork"
+    groups:
       - ipaservers
   - name: node1.osgiliath.test
     box: ${TESTBOX:-fedora/38-cloud-base}
     provider_options:
       cpus: 2
-      memory: 5120
+      memory: 2048
     groups:
       - kube_node
+      - ipaclients
     interfaces:
       - type: dhcp
         # ip: "192.168.56.5"
@@ -71,4 +83,4 @@ scenario:
     - side_effect
     - verify
     - cleanup
-    - destroy
+    - destroy

molecule/default/prepare.yml

@@ -2,15 +2,17 @@
 
 - name: Prepare
   hosts:
-    - kube_master
-    - kube_node
+    - all
   tasks:
     - include_role:
         name: tcharl.kube_certmanager
         tasks_from: requirements.yml
       vars:
         secure_logs: False
         preferred_nic: "eth1"
+        idm_preferred_nic: "eth1"
+        master_preferred_nic: "eth1"
+        kube_firewall_zone: 'public'
         company_domain: osgiliath.test
         company_realm_password: '123ADMin'
         company_ad_password: '123ADmPass'

molecule/default/tests/test_master.py

@@ -10,3 +10,40 @@ def test_cert_manager_pods_running(host):
     with host.sudo():
         cmd = host.run(command)
         assert int(cmd.stdout) > 0
+
+
+# def test_cert_manager_user_exists(host):
+#    command = r"""set -o pipefail && echo '123ADMin'| \
+#    kinit admin > /dev/null && \
+#    ipa user-find cert-manager-sa | \
+#    grep -c 'First name: Cert'"""
+#    cmd = host.run(command)
+#    assert '1' in cmd.stdout
+
+
+# def test_freeipa_issuer_pods_running(host):
+#    command = r"""
+#    kubectl get pods -n freeipa-issuer-system | \
+#    grep Running | \
+#    wc -l"""
+#    with host.sudo():
+#        cmd = host.run(command)
+#        assert int(cmd.stdout) > 0
+
+def test_certmanager_config_cabundle(host):
+    command = r"""
+    kubectl get cm ca-bundle -n cert-manager | \
+    wc -l"""
+    with host.sudo():
+        cmd = host.run(command)
+        assert int(cmd.stdout) > 0
+
+
+def test_certmanager_config_cabundle_content_ca(host):
+    command = r"""
+    kubectl get cm ca-bundle -n cert-manager -o yaml | \
+    grep 'BEGIN CERTIFICATE' | \
+    wc -l"""
+    with host.sudo():
+        cmd = host.run(command)
+        assert int(cmd.stdout) > 0

molecule/kvm/converge.yml

@@ -1,12 +1,19 @@
 ---
 - name: Converge master
-  hosts: master.osgiliath.test
+  hosts:
+    - ipaservers
+    - kube_master
   vars:
     secure_logs: False
+    preferred_nic: "eth1"
+    master_preferred_nic: "eth1"
+    idm_preferred_nic: "eth1"
     kube_firewall_zone: 'public'
     standalone_role: False
     reset_kube: True
-    preferred_nic: "eth1"
+    company_domain: osgiliath.test
+    company_realm_password: '123ADMin'
+    company_ad_password: '123ADmPass'
     nfs_mountpoints: # Mountpoints should be configured by the tcharl.ansible_volume (nfs mounts) on the server and client side to be mounted on each node before kubernetes comes in
       - host: master.osgiliath.test
         mountpoints:

molecule/kvm/molecule.yml

@@ -4,9 +4,7 @@ dependency:
   enabled: ${DEPENDENCY_ENABLED:-True}
   options:
     role-file: ${REQUIREMENTS_PATH:-requirements-standalone.yml}
-    roles-path: ${MOLECULE_PROJECT_DIRECTORY}/../community
     requirements-file: requirements-collections.yml
-    collections-path: ${MOLECULE_PROJECT_DIRECTORY}/../community-collections
 driver:
   name: vagrant
   provider:
@@ -17,28 +15,45 @@ platforms:
     provider_options:
       driver: "kvm"
       cpus: 2
-      memory: 5120
+      memory: 3000
       qemu_use_session: false
     interfaces:
       - auto_config: true
         network_name: private_network
-        ip: "192.168.50.4"
+        type: dhcp
+#        ip: "192.168.50.4"
     groups:
       - kube_master
+      - ipaclients
+  - name: ipa.osgiliath.test
+    box: ${TESTBOX:-fedora/38-cloud-base}
+    provider_options:
+      driver: "kvm"
+      cpus: 2
+      memory: 3000
+      qemu_use_session: false
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: dhcp
+#        ip: "192.168.50.6"
+    groups:
       - ipaservers
   - name: node1.osgiliath.test
     box: ${TESTBOX:-fedora/38-cloud-base}
     provider_options:
       driver: "kvm"
       cpus: 2
-      memory: 5120
+      memory: 3000
       qemu_use_session: false
     interfaces:
       - auto_config: true
         network_name: private_network
-        ip: "192.168.50.5"
+        type: dhcp
+#        ip: "192.168.50.5"
     groups:
       - kube_node
+      - ipaclients
 provisioner:
   name: ansible
 #  config_options:
@@ -67,4 +82,4 @@ scenario:
     - side_effect
     - verify
     - cleanup
-    - destroy
+    - destroy

molecule/kvm/prepare.yml

@@ -2,17 +2,18 @@
 
 - name: Prepare
   hosts:
-    - kube_master
-    - kube_node
+    - all
   tasks:
     - include_role:
         name: tcharl.kube_certmanager
         tasks_from: requirements.yml
       vars:
         secure_logs: False
         preferred_nic: "eth1"
+        idm_preferred_nic: "eth1"
+        master_preferred_nic: "eth1"
+        kube_firewall_zone: 'public'
         company_domain: osgiliath.test
         company_realm_password: '123ADMin'
         company_ad_password: '123ADmPass'
         standalone_role: True
-        kubernetes_allow_pods_on_master: Yes

molecule/parallels/converge.yml

@@ -1,11 +1,20 @@
 ---
 - name: Converge master
-  hosts: master.osgiliath.test
+  hosts:
+    - ipaservers
+    - kube_master
   vars:
+    secure_logs: False
+    preferred_nic: "eth1"
+    idm_preferred_nic: "eth1"
+    master_preferred_nic: "eth1"
+    kubernetes_allow_pods_on_master: False
     kube_firewall_zone: 'public'
     standalone_role: False
+    company_domain: osgiliath.test
+    company_realm_password: '123ADMin'
+    company_ad_password: '123ADmPass'
     reset_kube: True
-#    preferred_nic: "eth1"
     nfs_mountpoints: # Mountpoints should be configured by the tcharl.ansible_volume (nfs mounts) on the server and client side to be mounted on each node before kubernetes comes in
       - host: master.osgiliath.test
         mountpoints:

molecule/parallels/molecule.yml

@@ -4,9 +4,7 @@ dependency:
   enabled: ${DEPENDENCY_ENABLED:-True}
   options:
     role-file: ${REQUIREMENTS_PATH:-requirements-standalone.yml}
-    roles-path: ${MOLECULE_PROJECT_DIRECTORY}/../community
     requirements-file: requirements-collections.yml
-    collections-path: ${MOLECULE_PROJECT_DIRECTORY}/../community-collections
 driver:
   name: vagrant
   provider:
@@ -23,6 +21,17 @@ platforms:
         network_name: private_network
     groups:
       - kube_master
+      - ipaclients
+  - name: ipa.osgiliath.test
+    box: ${TESTBOX:-bento/fedora-38-arm64}
+    provider_options:
+      cpus: 2
+      memory: 5120
+    interfaces:
+      - type: dhcp
+        auto_config: true
+        network_name: private_network
+    groups:
       - ipaservers
   - name: node1.osgiliath.test
     box: ${TESTBOX:-bento/fedora-38-arm64}
@@ -35,6 +44,7 @@ platforms:
         network_name: private_network
     groups:
       - kube_node
+      - ipaclients
 provisioner:
   name: ansible
 #  config_options:
@@ -63,4 +73,4 @@ scenario:
     - side_effect
     - verify
     - cleanup
-    - destroy
+    - destroy

molecule/parallels/prepare.yml

@@ -2,17 +2,18 @@
 
 - name: Prepare
   hosts:
-    - kube_master
-    - kube_node
+    - all
   tasks:
     - include_role:
         name: tcharl.kube_certmanager
         tasks_from: requirements.yml
       vars:
         secure_logs: False
         preferred_nic: "eth1"
+        idm_preferred_nic: "eth1"
+        master_preferred_nic: "eth1"
+        kube_firewall_zone: 'public'
         company_domain: osgiliath.test
         company_realm_password: '123ADMin'
         company_ad_password: '123ADmPass'
         standalone_role: True
-        kubernetes_allow_pods_on_master: False

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tcharl.kube_certmanager"
-version = "0.1.0"
+version = "2.1.0"
 description = "Installs cert-manager on Kubernetes"
 authors = ["Charlie Mordant <[email protected]>"]
 license = "Apache2"