diff --git a/playbooks/infrastructure.yml b/playbooks/infrastructure.yml
index db62f05e4..d1c8ea6b9 100644
--- a/playbooks/infrastructure.yml
+++ b/playbooks/infrastructure.yml
@@ -13,7 +13,7 @@
 # under the License.
 - name: Deploy Infrastructure
- hosts: controllers[0]
+ hosts: controllers
 become: true
 roles:
 - role: cert_manager
diff --git a/roles/cluster_issuer/tasks/main.yml b/roles/cluster_issuer/tasks/main.yml
index 851677166..72e9ac4bb 100644
--- a/roles/cluster_issuer/tasks/main.yml
+++ b/roles/cluster_issuer/tasks/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create self-signed cluster issuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
@@ -30,6 +31,7 @@
 when: cluster_issuer_type in ("self-signed", "ca")
 block:
 - name: Wait till the secret is created
+ run_once: true
 kubernetes.core.k8s_info:
 api_version: v1
 kind: Secret
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml b/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
index 431b08ea5..c7cd8df15 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/cloudflare.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/http01.yml b/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
index 363dc6441..ac93dc5b8 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/http01.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml b/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
index 60306ea8f..d706cb2c9 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/rfc2136.yml
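Review bot: With `hosts: controllers` replacing `controllers[0]`, every task in the listed roles that does not carry `run_once` now executes on each controller; `- role: cert_manager` is visible here but its tasks are not part of this commit, so whether they are guarded is unclear, and the rest of the role list is outside the hunk. For cluster-scoped `kubernetes.core.k8s` calls that is only redundant work, but anything non-idempotent (the MySQL queries this commit guards in keycloak are the kind of task to watch) needs the same treatment. A comment above the changed line would record the contract for roles added later: `# Every controller is targeted; tasks that act on the shared cluster must set run_once: true`.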
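Review bot: `run_once: true` on `Wait till the secret is created` sits inside the `block:` guarded by `when: cluster_issuer_type in ("self-signed", "ca")`, and Ansible evaluates the conditional of a run_once task with the first host's variables only, never testing the other hosts; the same applies to the `is defined` checks in roles/cluster_issuer/tasks/type/venafi/main.yml and to `when: keepalived_enabled | bool` in roles/keepalived/tasks/main.yml. That is correct as long as these variables are group-level, which is presumably the case here, but the dependency is easy to break from host_vars. A short comment on the first guarded task would record it: `# run_once: the when above is evaluated on the first controller only`. The identical `run_once` addition in the solver files (cloudflare, http01, rfc2136, route53), ca/main.yml and self-signed/main.yml raises nothing further. The block in main.yml continues past the hunk.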
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/route53.yml b/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
index fa805d667..2f056ed6e 100644
--- a/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
+++ b/roles/cluster_issuer/tasks/type/acme/solver/route53.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/cluster_issuer/tasks/type/ca/main.yml b/roles/cluster_issuer/tasks/type/ca/main.yml
index a52b70a7d..d7a34a09a 100644
--- a/roles/cluster_issuer/tasks/type/ca/main.yml
+++ b/roles/cluster_issuer/tasks/type/ca/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/cluster_issuer/tasks/type/self-signed/main.yml b/roles/cluster_issuer/tasks/type/self-signed/main.yml
index dd237735a..a9bb49603 100644
--- a/roles/cluster_issuer/tasks/type/self-signed/main.yml
+++ b/roles/cluster_issuer/tasks/type/self-signed/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/cluster_issuer/tasks/type/venafi/main.yml b/roles/cluster_issuer/tasks/type/venafi/main.yml
index 006012f87..47f60d838 100644
--- a/roles/cluster_issuer/tasks/type/venafi/main.yml
+++ b/roles/cluster_issuer/tasks/type/venafi/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Create secret (username/password)
+ run_once: true
 when:
 - cluster_issuer_venafi_username is defined
 - cluster_issuer_venafi_password is defined
@@ -30,6 +31,7 @@
 password: "{{ cluster_issuer_venafi_password }}"
 - name: Create secret (access token)
+ run_once: true
 when:
 - cluster_issuer_venafi_username is not defined
 - cluster_issuer_venafi_password is not defined
@@ -46,6 +48,7 @@
 access-token: "{{ cluster_issuer_venafi_access_token }}"
 - name: Create ClusterIssuer
+ run_once: true
 kubernetes.core.k8s:
 state: present
 definition:
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
index 97011b9c0..5bc8bd0fb 100644
--- a/roles/defaults/defaults/main.yml
+++ b/roles/defaults/defaults/main.yml
@@ -23,3 +23,6 @@ atmosphere_network_backend: openvswitch
 # This is for override values in atmosphere_images
 atmosphere_image_overrides: {}
+
+defaults_ca_certificates_path: >-
+ {{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}"
diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml
index 4eff17965..ceaa88ab0 100644
--- a/roles/keepalived/tasks/main.yml
+++ b/roles/keepalived/tasks/main.yml
@@ -13,6 +13,7 @@
 # under the License.
 - name: Deploy service
+ run_once: true
 when: keepalived_enabled | bool
 kubernetes.core.k8s:
 state: present
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 609f3c830..ed85ea6c7 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -25,6 +25,7 @@
 name: PyMySQL
 - name: Check MySQL ready
+ run_once: true
 community.mysql.mysql_info:
 login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
 login_user: root
@@ -56,6 +57,7 @@
 priv: "{{ keycloak_database_name }}.*:ALL"
 - name: Disable pxc strict mode
+ run_once: true
 community.mysql.mysql_query:
 login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
 login_user: root
@@ -89,6 +91,7 @@
 cert-manager.io/cluster-issuer: atmosphere
 - name: Enable pxc strict mode
+ run_once: true
 community.mysql.mysql_query:
 login_host: "{{ _pxc_service.resources[0].spec.clusterIP }}"
 login_user: root
diff --git a/roles/keystone/vars/main.yml b/roles/keystone/vars/main.yml
index 625ff2f73..1b67f80b9 100644
--- a/roles/keystone/vars/main.yml
+++ b/roles/keystone/vars/main.yml
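Review bot: The content line of the `>-` block scalar for `defaults_ca_certificates_path` ends with a stray `"` after `}}`; inside a block scalar that quote is literal, so the rendered value is `/etc/ssl/certs/ca-certificates.crt"` (or the `ca-bundle.trust.crt` path with the same trailing quote) and every hostPath that consumes the variable in this commit (keystone and magnum) points at a file that does not exist. Drop the quote so the line reads `{{ '/etc/ssl/certs/ca-certificates.crt' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' }}`. Since the expression is a single line, a plain double-quoted value without the block scalar would make the quoting easier to check by eye.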
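Review bot: `Disable pxc strict mode` and `Enable pxc strict mode` are both `run_once` now, but nothing ties them together: if a task between them (outside these hunks) fails on the executing host, the play stops with strict mode left disabled on the cluster, and nothing re-enables it until a later run reaches that task again. If the intermediate tasks can fail, wrap them in a `block:` with the enabling query under `always:` so the cluster is returned to strict mode on the error path as well. The `login_host` value in all three tasks comes from `_pxc_service`, which is registered outside the hunk.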
@@ -22,11 +22,14 @@ _keystone_helm_values:
 mounts:
 keystone_api:
 keystone_api:
- volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts }}"
+ volumeMounts: "{{ keystone_domains | vexxhost.atmosphere.keystone_domains_to_mounts + [{'name': 'etc-ssl-certs', 'mountPath': '/etc/ssl/certs', 'readOnly': true}] }}"
 volumes:
 - name: keystone-openid-metadata
 configMap:
 name: keystone-openid-metadata
+ - name: etc-ssl-certs
+ hostPath:
+ path: "{{ defaults_ca_certificates_path }}"
 conf:
 keystone:
 DEFAULT:
diff --git a/roles/magnum/vars/main.yml b/roles/magnum/vars/main.yml
index 61fd18bfb..7fd919f2a 100644
--- a/roles/magnum/vars/main.yml
+++ b/roles/magnum/vars/main.yml
@@ -25,6 +25,8 @@ _magnum_helm_values:
 barbican_client:
 endpoint_type: internalURL
 region_name: "{{ openstack_helm_endpoints_barbican_region_name }}"
+ capi_client:
+ ca_file: /etc/ssl/certs/ca-certificates.crt
 cinder_client:
 endpoint_type: internalURL
 region_name: "{{ openstack_helm_endpoints_cinder_region_name }}"
@@ -74,6 +76,17 @@ _magnum_helm_values:
 replicas:
 api: 3
 conductor: 3
+ mounts:
+ magnum_conductor:
+ magnum_conductor:
+ volumeMounts:
+ - name: etc-ssl-certs
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ volumes:
+ - name: etc-ssl-certs
+ hostPath:
+ path: "{{ defaults_ca_certificates_path }}"
 manifests:
 ingress_api: false
 service_ingress_api: false
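Review bot: The new `etc-ssl-certs` volume is a hostPath to a single file (`defaults_ca_certificates_path` resolves to `ca-certificates.crt` or `ca-bundle.trust.crt`), but the entry appended to `volumeMounts` uses `'mountPath': '/etc/ssl/certs'`, the directory; bind-mounting a file onto an existing directory fails at container start, and onto a missing path it would replace the whole CA directory with one file, so presumably the intent was `'mountPath': '/etc/ssl/certs/ca-certificates.crt'`. A hostPath is also resolved on the node where the pod is scheduled, while the variable is evaluated from the Ansible-side `os_family`, so mixed Debian/RHEL node pools would mount the wrong path on some nodes. The same file-onto-directory pattern is in roles/magnum/vars/main.yml (`mountPath: /etc/ssl/certs`). `_keystone_helm_values` starts before the hunk and continues after it.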
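Review bot: `ca_file: /etc/ssl/certs/ca-certificates.crt` in the first hunk expects a file under `/etc/ssl/certs`, but the second hunk mounts the host bundle at `/etc/ssl/certs` itself, and on a non-Debian host that bundle is `ca-bundle.trust.crt`; either the mount path should be `/etc/ssl/certs/ca-certificates.crt` so the two agree, or `ca_file` should point at whatever path the mount actually produces. Separately, any hostPath volume violates the baseline Pod Security Standard, so a namespace enforcing PSA at baseline or restricted will reject the conductor pod; a comment on the `volumes:` entry would record the requirement, e.g. `# hostPath: requires the privileged Pod Security level on this namespace`. `_magnum_helm_values` continues outside both hunks.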