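---
# Tasks for installing and configuring cert-manager
#
# Variables expected from the caller (all referenced below):
#   k8s_auth_params.kubeconfig, k8s_auth_params.validate_certs
#   cloudflare_api_token, cert_manager_chart_url
#   letsencrypt_cluster_issuer_name, letsencrypt_server, letsencrypt_email

# Create cert-manager namespace
- name: Create cert-manager namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: cert-manager
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Create cloudflare-secret in cert-manager namespace
- name: Debug Cloudflare API token for cert-manager
  ansible.builtin.debug:
    # Reports only whether a token is present (true/false), never its value.
    msg: "Cloudflare API token set for cert-manager: {{ cloudflare_api_token | default('') | length > 0 }}"
    verbosity: 1
  no_log: false  # Allow debug output for troubleshooting

- name: Check for nested structure in cloudflare_api_token
  ansible.builtin.fail:
    msg: "Cloudflare API token appears to be a complex object rather than a string. Check your variable definition."
  when: cloudflare_api_token is mapping

# NOTE: this task is skipped when no token is supplied, but the DNS01
# ClusterIssuer below references cloudflare-secret unconditionally; in that
# case the secret must be created out of band or DNS01 challenges will fail.
- name: Create cloudflare-secret in cert-manager namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: cloudflare-secret
        namespace: cert-manager
      type: Opaque
      stringData:
        # cert-manager expects just the API token as a simple string
        api-token: "{{ cloudflare_api_token }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  # The rendered definition (token included) is part of this task's result;
  # suppress it so the token does not land in playbook output, callback
  # plugins or CI logs. Temporarily set to false only when debugging locally.
  no_log: true
  when: cloudflare_api_token | default('') | length > 0

# Deploy cert-manager using Helm
- name: Deploy cert-manager
  kubernetes.core.helm:
    name: cert-manager
    release_namespace: cert-manager
    create_namespace: true
    chart_ref: "{{ cert_manager_chart_url }}"
    # Block until the release's resources report ready before continuing,
    # so the ClusterIssuers below are not created before the CRDs exist.
    wait: true
    values:
      installCRDs: true
      prometheus:
        enabled: false
      webhook:
        timeoutSeconds: 10
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Create ClusterIssuer for Let's Encrypt (DNS01 via Cloudflare)
- name: Create ClusterIssuer for Let's Encrypt
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: "{{ letsencrypt_cluster_issuer_name }}"
      spec:
        acme:
          server: "{{ letsencrypt_server }}"
          email: "{{ letsencrypt_email }}"
          # Secret cert-manager uses to store the ACME account private key.
          privateKeySecretRef:
            name: "{{ letsencrypt_cluster_issuer_name }}"
          solvers:
            - dns01:
                cloudflare:
                  email: "{{ letsencrypt_email }}"
                  # Must match the Secret created above (name and key).
                  apiTokenSecretRef:
                    name: cloudflare-secret
                    key: api-token
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Enable the RouteExternalCertificate feature
# NOTE: featureSet CustomNoUpgrade is a one-way, cluster-wide change on
# OpenShift (the cluster can no longer be upgraded through the normal path);
# confirm this is acceptable for the target cluster before running.
- name: Enable RouteExternalCertificate feature gate
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: config.openshift.io/v1
      kind: FeatureGate
      metadata:
        name: cluster
      spec:
        featureSet: CustomNoUpgrade
        customNoUpgrade:
          enabled:
            - RouteExternalCertificate
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: feature_gate_result

# Wait for feature gate to be applied
# A fixed delay is a heuristic; the pause only runs when the FeatureGate
# object actually changed in this run.
- name: Wait for feature gate to be applied (60 seconds)
  ansible.builtin.pause:
    seconds: 60
  when: feature_gate_result.changed | bool

# Create HTTP01-based ClusterIssuer for customer routes
- name: Create HTTP01 ClusterIssuer for customer routes
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-http01
      spec:
        acme:
          server: "{{ letsencrypt_server }}"
          email: "{{ letsencrypt_email }}"
          privateKeySecretRef:
            name: letsencrypt-http01
          solvers:
            - http01:
                ingress:
                  class: openshift-default
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"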