# Cert Manager Deployment Role

This role deploys and configures cert-manager in an OpenShift cluster to automate the management of TLS certificates.

## Overview

cert-manager is a Kubernetes add-on that automates the issuance and renewal of TLS certificates from a range of issuing sources. This role:

1. Creates the cert-manager namespace
2. Installs the cert-manager operator from OperatorHub through OLM, using the catalog source and channel set in the role variables
3. Configures ClusterIssuers for Let's Encrypt (staging and production)
4. Sets up Cloudflare DNS integration for ACME DNS-01 challenges

## Prerequisites

- Access to an OpenShift cluster with cluster-admin privileges (ClusterIssuers are cluster-scoped resources)
- OperatorHub and OLM available in the cluster
- Cloudflare API credentials stored in the Ansible vault

## Role Variables

| Variable | Description | Default |
|----------|-------------|---------|
| certmanager_namespace | Namespace where cert-manager will be installed | "cert-manager" |
| certmanager_operator_source | OLM catalog source for the cert-manager operator | "community-operators" |
| certmanager_channel | Subscription channel for the cert-manager operator | "stable" |
| letsencrypt_email | Email address for the Let's Encrypt ACME account | "admin@container.mom" |
| letsencrypt_staging_server | Let's Encrypt staging ACME directory URL | "https://acme-staging-v02.api.letsencrypt.org/directory" |
| letsencrypt_prod_server | Let's Encrypt production ACME directory URL | "https://acme-v02.api.letsencrypt.org/directory" |

## Directory Structure

```
cert_manager_deployment/
├── defaults/          # Default variables
│   └── main.yml
└── tasks/             # Tasks for deploying cert-manager
    └── main.yml
```

## Cloudflare Integration

The role sets up Cloudflare DNS integration for DNS-01 challenges by:

1. Creating a Secret containing the Cloudflare API token
2. Configuring ClusterIssuers to use Cloudflare for DNS validation
3. Setting up the necessary DNS solver configurations

Because ClusterIssuers are cluster-scoped, cert-manager reads the referenced Secret from its cluster resource namespace, which by default is the namespace the cert-manager controller runs in. The token Secret must live there, not in the namespace of the workload requesting a certificate.

## Let's Encrypt Configuration

Two ClusterIssuers are created:

1. **letsencrypt-staging**: for testing the issuance flow against the Let's Encrypt staging environment, which has much higher rate limits; its certificates are signed by a test CA and are not trusted by browsers
2. **letsencrypt-production**: for production certificates trusted by browsers

Both issuers use the Cloudflare DNS-01 solver for domain validation, so no inbound HTTP access to the cluster is required and wildcard certificates can be issued.

## Dependencies

This role depends on:

- **kubernetes_auth**: for cluster authentication
- **namespace_setup**: for creating required namespaces (optional)

## Required Vault Variables

The following variables must be set in your Ansible vault (secrets.yml):

```yaml
global:
  cloudflare:
    api_token: "your_cloudflare_api_token"
    zone_id: "your_cloudflare_zone_id"
```

## Example Usage

```yaml
- name: Deploy cert-manager
  hosts: localhost
  roles:
    - role: cert_manager_deployment
      vars:
        certmanager_namespace: "cert-manager"
        letsencrypt_email: "admin@container.mom"
```

## Verification

After the role completes, verify the installation by:

1. Checking that the cert-manager pods are running:
   ```bash
   oc get pods -n cert-manager
   ```
2. Verifying that the ClusterIssuers exist and report `Ready`:
   ```bash
   oc get clusterissuers
   oc describe clusterissuer letsencrypt-production
   ```

## Troubleshooting

Common issues:

- **Operator installation failing**: check OLM's view of the install (the Subscription, InstallPlan and ClusterServiceVersion in the cert-manager namespace) and that the configured catalog source is available in OperatorHub
- **ClusterIssuer not Ready**: readiness reflects ACME account registration, not the DNS credentials; check the events from `oc describe clusterissuer`, the email and server URL, and outbound access from the cluster to the ACME endpoint
- **DNS validation failing**: the Cloudflare token is only exercised when a Challenge runs, so an issuer can be Ready with a bad token; check the token's permissions and zone scope (and the Zone ID in the vault), and read the status of the Challenge resource, which carries the Cloudflare API error

## Notes

- Let's Encrypt enforces rate limits on the production endpoint (per registered domain and per set of names); the staging endpoint's limits are much higher
- Use the staging issuer for testing so that failed attempts do not exhaust production rate limits; staging certificates are not browser-trusted
- The Cloudflare API token needs Zone:DNS:Edit and Zone:Zone:Read permissions; scope it to only the zones cert-manager manages rather than to all zones in the account
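The resources described under Cloudflare Integration and Let's Encrypt Configuration, written out as plain manifests so the solver wiring can be seen end to end. This is an added example, not the role's own tasks: the Secret name `cloudflare-api-token` and its key `api-token`, the ACME account-key Secret names, the zone `example.com` and the `staging-test` Certificate are assumptions for illustration; the server URLs and email are the role variable defaults.

```yaml
# Added example manifests (not the role's own tasks). Assumed names:
# Secret "cloudflare-api-token" with key "api-token", zone "example.com".
---
# 1. The Cloudflare API token. For a ClusterIssuer, cert-manager reads this
#    Secret from its cluster resource namespace (by default the namespace the
#    controller runs in), so it must be created there.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "<global.cloudflare.api_token from the vault>"
---
# 2. Staging issuer: higher rate limits, untrusted test CA. Test against it first.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@container.mom
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, generated by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com   # only use this solver for names under this zone (assumed zone)
---
# 3. Production issuer: identical apart from the ACME server and account key.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@container.mom
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com
---
# 4. A test Certificate against staging. The wildcard name is only possible
#    with DNS-01 validation, which is one reason the role uses it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: staging-test
  namespace: default
spec:
  secretName: staging-test-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - test.example.com
    - "*.test.example.com"
```

Apply with `oc apply -f` and watch `oc get certificate -n default staging-test` until it reports `Ready`. If it stalls, `oc get challenges -A` shows the DNS-01 state; a token without Zone:DNS:Edit on the zone fails at that stage with the Cloudflare API error in the Challenge status, while the ClusterIssuer itself still shows `Ready`. Once staging works, switch `issuerRef.name` to `letsencrypt-production`.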
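How the steps listed in the Overview map onto Ansible tasks, as an added illustration rather than the role's actual tasks/main.yml. The OLM package name `cert-manager`, the OperatorGroup name, the `openshift-marketplace` source namespace, the AllNamespaces install mode, the ClusterServiceVersion wait loop and the `cloudflare-api-token` Secret name are assumptions; the tasks use the `kubernetes.core.k8s` and `kubernetes.core.k8s_info` collection modules and the role variables from the table above.

```yaml
# Added illustrative tasks (not the role's tasks/main.yml). Assumptions:
# OLM package name "cert-manager", source namespace "openshift-marketplace",
# AllNamespaces install mode, Secret "cloudflare-api-token".
- name: Create the cert-manager namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: "{{ certmanager_namespace }}"

- name: Create an OperatorGroup so OLM can install into the namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: cert-manager-og
        namespace: "{{ certmanager_namespace }}"
      spec: {}   # no targetNamespaces: watch all namespaces, needed for ClusterIssuers

- name: Subscribe to the cert-manager operator from OperatorHub
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: cert-manager
        namespace: "{{ certmanager_namespace }}"
      spec:
        name: cert-manager                  # package name in the catalog (assumed)
        source: "{{ certmanager_operator_source }}"
        sourceNamespace: openshift-marketplace
        channel: "{{ certmanager_channel }}"
        installPlanApproval: Automatic

# OLM installs asynchronously; the ClusterIssuer CRD does not exist until the
# ClusterServiceVersion reaches phase Succeeded, so wait before going on.
# Copied CSVs from other operators can appear in the namespace, hence the
# name filter.
- name: Wait for the cert-manager ClusterServiceVersion to succeed
  kubernetes.core.k8s_info:
    api_version: operators.coreos.com/v1alpha1
    kind: ClusterServiceVersion
    namespace: "{{ certmanager_namespace }}"
  register: csv
  until: >-
    csv.resources
    | selectattr('metadata.name', 'match', 'cert-manager')
    | map(attribute='status.phase', default='')
    | select('equalto', 'Succeeded')
    | list | length > 0
  retries: 30
  delay: 10

# The vault value goes straight into stringData; no_log keeps the token out of
# the play output and any CI logs. The Secret goes in cert-manager's namespace
# because that is where a ClusterIssuer's apiTokenSecretRef is resolved.
- name: Create the Cloudflare API token Secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: cloudflare-api-token
        namespace: "{{ certmanager_namespace }}"
      type: Opaque
      stringData:
        api-token: "{{ global.cloudflare.api_token }}"
  no_log: true
```

The ClusterIssuers are then applied with the same `kubernetes.core.k8s` module and the `letsencrypt_*` variables for `server` and `email`. Without the wait task, applying a ClusterIssuer right after the Subscription fails with an unknown-kind error because the CRD is not yet registered, which is the usual cause of an "Operator installation failing" report that is really a race.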