From a0afbb0d8a7c87c6b672f134e520621f0c1a52f1 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Date: Mon, 5 Jan 2026 23:29:32 +0100 Subject: [PATCH 01/23] Update cert_manager to support fallback properly + acme-bifrost --- .../tasks/cert_manager_api_cert_check.yml | 77 ++++++- .../tasks/cert_manager_ingress_cert_check.yml | 30 +++ .../tasks/workload.yml | 1 + .../templates/certificate-api.yaml.j2 | 1 - .../templates/certificate-ingress.yaml.j2 | 9 +- .../templates/clusterissuer.yaml.j2 | 29 ++- .../templates/clusterissuer_fallback.yaml.j2 | 73 ++++++ .../templates/webhook_acme_bifrost.yaml.j2 | 207 ++++++++++++++++++ 8 files changed, 412 insertions(+), 15 deletions(-) create mode 100644 roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 create mode 100644 roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml index 11888a3..8897007 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml 
@@ -38,15 +38,84 @@ - name: Report fail on api certificate failure when: - - (_ocp4_workload_cert_manager_api_retry_count | int > ocp4_workload_cert_manager_api_cert_max_retries | int) + - (api_cert_retry_counter | int > api_cert_max_retries | int) - r_certificate_api is failed block: - name: Print error message if requesting certificates failed when: ocp4_workload_cert_manager_ignore_errors | bool ansible.builtin.debug: - msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries." + msg: "Requesting certificate for API servers failed after {{ api_cert_max_retries }} retries." - name: Fail if requesting certificates failed - when: not ocp4_workload_cert_manager_ignore_errors | bool + when: + - not ocp4_workload_cert_manager_ignore_errors | bool + - ocp4_workload_cert_manager_provider_fallback == "" ansible.builtin.fail: - msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries." + msg: "Requesting certificate for API servers failed after {{ api_cert_max_retries }} retries." 
+ + - name: Try fallback provider if defined + when: + - ocp4_workload_cert_manager_provider_fallback != "" + - r_certificate_api is failed + block: + - name: Remove existing API Certificate + kubernetes.core.k8s: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-api-cert + namespace: openshift-config + state: absent + + - name: Add certificate requests using fallback provider + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', item) }}" + loop: + - certificate-api-fallback.yaml.j2 + register: r_clusterissuer + retries: 10 + delay: 30 + until: r_clusterissuer is success + + - name: Wait until API Certificate is ready + when: not api_cert_ready | default(false) | bool + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-api-cert + namespace: openshift-config + wait: true + wait_sleep: 5 + wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}" + wait_condition: + type: "Ready" + status: "True" + register: r_certificate_api + rescue: + - name: Restart cert-manager on failure + kubernetes.core.k8s: + api_version: v1 + kind: Pod + state: absent + label_selectors: + - app.kubernetes.io/instance=cert-manager + - app.kubernetes.io/component=controller + namespace: cert-manager + - name: Wait until API Certificate is ready + when: not api_cert_ready | default(false) | bool + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-api-cert + namespace: openshift-config + wait: true + wait_sleep: 5 + wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}" + wait_condition: + type: "Ready" + status: "True" + register: r_certificate_api + - name: Mark cert ready + when: not r_certificate_api is failed + ansible.builtin.set_fact: + api_cert_ready: true 
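Review bot: The new `when` conditions test `ocp4_workload_cert_manager_provider_fallback == ""` and `!= ""` directly, so a run that never defines the variable fails with an undefined-variable error instead of taking the no-fallback path; unless defaults/main.yml (not in this patch) sets it, write both as `ocp4_workload_cert_manager_provider_fallback | default('') == ""` and `| default('') != ""`. The fallback block loops over `certificate-api-fallback.yaml.j2`, which this patch neither creates nor modifies, so the template lookup fails at runtime unless that file already exists in the role. The second wait inside `rescue:` re-registers `r_certificate_api`; if it also fails, the rescue itself fails and the play aborts regardless of `ocp4_workload_cert_manager_ignore_errors`, which the block just above goes to some length to honour. Dropping the role prefix (`api_cert_retry_counter`, `api_cert_max_retries`, `api_cert_ready`) also makes these play-global names easy to collide with other workloads, and workload.yml still iterates on `ocp4_workload_cert_manager_api_cert_max_retries`; the enclosing block of the first hunk starts before it.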
diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml index 54b5e1e..9c7919c 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml @@ -94,3 +94,33 @@ when: not r_certificate_ingress is failed ansible.builtin.set_fact: ingress_cert_ready: true + rescue: + - name: Restart cert-manager on failure + kubernetes.core.k8s: + api_version: v1 + kind: Pod + state: absent + label_selectors: + - app.kubernetes.io/instance=cert-manager + - app.kubernetes.io/component=controller + namespace: cert-manager + + - name: Wait until Ingress Certificate is ready + when: not ingress_cert_ready | default(false) | bool + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: Certificate + name: cert-manager-ingress-cert + namespace: openshift-ingress + wait: true + wait_sleep: 5 + wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}" + wait_condition: + type: "Ready" + status: "True" + register: r_certificate_ingress + + - name: Mark cert ready + when: not r_certificate_ingress is failed + ansible.builtin.set_fact: + ingress_cert_ready: true diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index 32db8e5..7862af1 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml +++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml @@ -67,6 +67,7 @@ template: "{{ item }}" loop: - clusterissuer.yaml.j2 + - clusterissuer_fallback.yaml.j2 - certificate-ingress.yaml.j2 - certificate-api.yaml.j2 register: r_clusterissuer diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 index 1844fdd..1c8423b 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 
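Review bot: The `rescue:` deletes the cert-manager controller pods on any failure of the enclosing block without recording why the Certificate was not ready, so the ACME order or challenge failure reason (rate limit, DNS propagation, bad credentials) never reaches the run log before the restart hides it; make `ansible.builtin.debug: var: r_certificate_ingress` the first rescue task, or query the Order/Challenge objects with `k8s_info`. The second wait re-registers `r_certificate_ingress` and, if it times out, fails the rescue and aborts the play regardless of `ocp4_workload_cert_manager_ignore_errors`, which the block above presumably honours; it needs the same ignore/report handling. The block this rescue belongs to starts before the hunk.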
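Review bot: `clusterissuer_fallback.yaml.j2` is added to the loop unconditionally, so a run with no fallback configured (the `ocp4_workload_cert_manager_provider_fallback == ""` case the task file in this same patch handles explicitly) still renders a ClusterIssuer named `-production-<cloud>-fallback` with `server: {{ ocp4_workload_cert_manager_acme_url_fallback }}`, failing the template if that URL is undefined and otherwise leaving a dangling issuer in the cluster. Gate the item on the same variable: `when: item != 'clusterissuer_fallback.yaml.j2' or ocp4_workload_cert_manager_provider_fallback | default('') != ''`. The task header and module call are outside the hunk.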
+++ b/roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2 @@ -12,7 +12,6 @@ spec: renewBefore: 360h usages: - server auth - - client auth dnsNames: - "{{ _ocp4_workload_cert_manager_api_hostname }}" issuerRef: diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 index 063609c..403ceb5 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 @@ -2,21 +2,20 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: cert-manager-ingress-cert + name: cert-manager-ingress-cert-fallback namespace: openshift-ingress spec: isCA: false - commonName: "{{ _ocp4_workload_cert_manager_wildcard_domain }}" + commonName: "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" secretName: cert-manager-ingress-cert duration: 2160h renewBefore: 360h usages: - server auth - - client auth dnsNames: - - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" - "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" + - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" issuerRef: kind: ClusterIssuer - name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }} + name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback group: cert-manager.io diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 index b5f8ecd..0d1626f 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 
@@ -9,7 +9,7 @@ spec: server: {{ ocp4_workload_cert_manager_acme_url }} privateKeySecretRef: name: cluster-issuer-acme-production -{% if ocp4_workload_cert_manager_provider == "zerossl" %} +{% if ocp4_workload_cert_manager_provider == "zerossl" %} externalAccountBinding: keyID: {{ ocp4_workload_cert_manager_zerossl_eab_key_id }} keySecretRef: @@ -24,16 +24,16 @@ spec: - {{ _ocp4_workload_cert_manager_api_hostname }} - {{ _ocp4_workload_cert_manager_wildcard_domain }} dns01: -{% if ocp4_workload_cert_manager_cloud_provider == "aws" %} +{% if ocp4_workload_cert_manager_cloud_provider == "ec2" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} route53: - region: {{ ocp4_workload_cert_manager_aws_region }} + region: {{ ocp4_workload_cert_manager_ec2_region }} hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} - accessKeyID: {{ ocp4_workload_cert_manager_aws_access_key_id }} + accessKeyID: {{ ocp4_workload_cert_manager_ec2_access_key_id }} secretAccessKeySecretRef: name: cert-manager-aws-creds key: aws_secret_access_key {% endif %} -{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %} +{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %} cloudDNS: project: {{ ocp4_workload_cert_manager_gcp_project_id }} hostedZoneName: dns-zone-{{ guid }} 
@@ -53,3 +53,22 @@ spec: subscriptionID: {{ ocp4_workload_cert_manager_azure_subscription_id }} tenantID: {{ ocp4_workload_cert_manager_azure_tenant_id }} {% endif %} +{% if ocp4_workload_cert_manager_provider == "acme-bifrost" %} + webhook: + groupName: acme.gateway.redhat.com + solverName: gateway-passthrough + config: + gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} + caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }} + region: {{ ocp4_workload_cert_manager_ec2_region }} + zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}" + accessKeyIDSecretRef: + name: cert-manager-aws-creds + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-aws-creds + key: aws_secret_access_key + webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}" + webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" +{% endif %} + diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 new file mode 100644 index 0000000..7902b2c --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 
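Review bot: `webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}"` writes the gateway shared secret in clear into the ClusterIssuer spec, a cluster-scoped object readable by anyone with `get` on clusterissuers and echoed into the Ansible output of the apply task, whereas the AWS credential four lines above is correctly indirected through `secretAccessKeySecretRef`. If the webhook accepts a secret reference for this value, store it in a Secret in `cert-manager` next to `cert-manager-aws-creds` and reference it the same way; if it only accepts an inline value, at least set `no_log: true` on the workload.yml task that applies the issuer templates. The same inline secret appears in the new `clusterissuer_fallback.yaml.j2` in this patch.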
@@ -0,0 +1,73 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback +spec: + acme: + email: rhpds-admins@redhat.com + server: {{ ocp4_workload_cert_manager_acme_url_fallback }} + privateKeySecretRef: + name: cluster-issuer-acme-production-fallback +{% if ocp4_workload_cert_manager_provider_fallback == "zerossl" %} + externalAccountBinding: + keyID: {{ ocp4_workload_cert_manager_zerossl_eab_key_id }} + keySecretRef: + name: cert-manager-zerossl-creds + key: zerossl_hmac_key + privateKeySecretRef: + name: zerossl-prod-fallback +{% endif %} + solvers: + - selector: + dnsZones: + - {{ _ocp4_workload_cert_manager_api_hostname }} + - {{ _ocp4_workload_cert_manager_wildcard_domain }} + dns01: +{% if ocp4_workload_cert_manager_cloud_provider == "ec2" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} + route53: + region: {{ ocp4_workload_cert_manager_ec2_region }} + hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} + accessKeyID: {{ ocp4_workload_cert_manager_ec2_access_key_id }} + secretAccessKeySecretRef: + name: cert-manager-aws-creds + key: aws_secret_access_key +{% endif %} +{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %} + cloudDNS: + project: {{ ocp4_workload_cert_manager_gcp_project_id }} + hostedZoneName: dns-zone-{{ guid }} + serviceAccountSecretRef: + name: cert-manager-gcp-creds + key: key.json +{% endif %} +{% if ocp4_workload_cert_manager_cloud_provider == "azure" %} + azureDNS: + clientID: {{ ocp4_workload_cert_manager_azure_client_id }} + clientSecretSecretRef: + name: cert-manager-azure-creds + key: client-secret + environment: AzurePublicCloud + hostedZoneName: {{ ocp4_workload_cert_manager_azure_hostedzone_name }} + resourceGroupName: {{ ocp4_workload_cert_manager_azure_resource_group_name }} + subscriptionID: {{ ocp4_workload_cert_manager_azure_subscription_id }} + tenantID: {{ 
ocp4_workload_cert_manager_azure_tenant_id }} +{% endif %} +{% if ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" %} + webhook: + groupName: acme.gateway.redhat.com + solverName: gateway-passthrough + config: + gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} + caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider_fallback | default("letsencrypt") }} + region: {{ ocp4_workload_cert_manager_ec2_region }} + zoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} + accessKeyIDSecretRef: + name: cert-manager-aws-creds + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-aws-creds + key: aws_secret_access_key + webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}" + webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" +{% endif %} diff --git a/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 new file mode 100644 index 0000000..bad42de --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 
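Review bot: The route53 branch of the new fallback issuer is gated on `ocp4_workload_cert_manager_provider != "acme-bifrost"`, i.e. on the primary provider, while the webhook branch further down is gated on `ocp4_workload_cert_manager_provider_fallback`; with primary `acme-bifrost` and a non-bifrost fallback on AWS the fallback issuer ends up with no dns01 solver, and with the reverse combination both `route53:` and `webhook:` are emitted under one `dns01:` block, which cert-manager's validation rejects as far as I know (one provider per dns01 solver). The line should read `{% if ocp4_workload_cert_manager_cloud_provider == "ec2" and ocp4_workload_cert_manager_provider_fallback != "acme-bifrost" %}`. Patches 03 and 06 later rewrite this line (`ec2` → `aws`, variable renames) but keep the `_provider` test, so the fix has to land on the renamed `clusterissuer-fallback.yaml.j2`.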
@@ -0,0 +1,207 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +rules: +- apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: acme-bifrost-webhook +subjects: +- apiGroup: "" + kind: ServiceAccount + name: acme-bifrost-webhook + namespace: cert-manager +--- +# ClusterRole for cert-manager to create webhook solver resources +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: acme-bifrost-webhook:flowcontrol-solver + labels: + app: acme-bifrost-webhook +rules: +- apiGroups: + - acme.gateway.redhat.com + resources: + - '*' + verbs: + - 'create' +--- +# ClusterRoleBinding for cert-manager to use the webhook +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: acme-bifrost-webhook:flowcontrol-solver + labels: + app: acme-bifrost-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: acme-bifrost-webhook:flowcontrol-solver +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +# ClusterRole for webhook to create subjectaccessreviews (required for API aggregation) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: acme-bifrost-webhook:subjectaccessreviews + labels: + app: acme-bifrost-webhook +rules: +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# ClusterRoleBinding for webhook subjectaccessreviews +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: acme-bifrost-webhook:subjectaccessreviews + labels: + app: 
acme-bifrost-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: acme-bifrost-webhook:subjectaccessreviews +subjects: +- apiGroup: "" + kind: ServiceAccount + name: acme-bifrost-webhook + namespace: cert-manager +--- +apiVersion: v1 +kind: Service +metadata: + name: acme-bifrost-webhook + namespace: cert-manager +spec: + type: ClusterIP + ports: + - port: 443 + targetPort: 8443 + protocol: TCP + name: https + selector: + app: acme-bifrost-webhook +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: acme-bifrost-webhook + namespace: cert-manager + labels: + app: acme-bifrost-webhook +spec: + replicas: 1 + selector: + matchLabels: + app: acme-bifrost-webhook + template: + metadata: + labels: + app: acme-bifrost-webhook + spec: + serviceAccountName: acme-bifrost-webhook + containers: + - name: webhook + image: {{ ocp4_workload_cert_manager_acme_bifrost_webhook_image }} + imagePullPolicy: IfNotPresent + args: + - --tls-cert-file=/tls/tls.crt + - --tls-private-key-file=/tls/tls.key + - --secure-port=8443 + env: + - name: GROUP_NAME + value: "acme.gateway.redhat.com" + ports: + - name: https + containerPort: 8443 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTPS + path: /healthz + port: https + readinessProbe: + httpGet: + scheme: HTTPS + path: /healthz + port: https + volumeMounts: + - name: certs + mountPath: /tls + readOnly: true + volumes: + - name: certs + secret: + secretName: acme-bifrost-webhook-webhook-tls +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: acme-bifrost-webhook-webhook-tls + namespace: cert-manager +spec: + secretName: acme-bifrost-webhook-webhook-tls + duration: 2160h # 90d + renewBefore: 360h # 15d + issuerRef: + name: selfsigned + kind: ClusterIssuer + dnsNames: + - acme-bifrost-webhook + - acme-bifrost-webhook.cert-manager + - acme-bifrost-webhook.cert-manager.svc +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned +spec: + 
selfSigned: {} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.acme.gateway.redhat.com + labels: + app: acme-bifrost-webhook + annotations: + cert-manager.io/inject-ca-from: "cert-manager/acme-bifrost-webhook-webhook-tls" +spec: + group: acme.gateway.redhat.com + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: acme-bifrost-webhook + namespace: cert-manager + version: v1alpha1 + From cca0d67126f94a5ad0ea17f330b46286e2322b1d Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 15:01:52 +0100 Subject: [PATCH 02/23] Update clusterissuer.yaml.j2 --- .../ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 index 0d1626f..01f4372 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 @@ -24,7 +24,7 @@ spec: - {{ _ocp4_workload_cert_manager_api_hostname }} - {{ _ocp4_workload_cert_manager_wildcard_domain }} dns01: -{% if ocp4_workload_cert_manager_cloud_provider == "ec2" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} route53: region: {{ ocp4_workload_cert_manager_ec2_region }} hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} From 70d26e2f1b923c99dea87737fe3c699c23d9edb1 Mon Sep 17 00:00:00 2001 
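Review bot: The `acme-bifrost-webhook` Role grants `get` on every Secret in `cert-manager`, which includes the ACME account key `cluster-issuer-acme-production`, the ZeroSSL EAB key and the webhook's own TLS key, while the ClusterIssuer config in this patch only hands the solver `cert-manager-aws-creds`; restrict it with `resourceNames` to the secrets the solver actually reads (`get` honours `resourceNames`, `list`/`watch` do not). The webhook container also carries no `securityContext` and no `resources`, so an aggregated API server holding cloud credentials runs with whatever the namespace's SCC defaults allow; the settings below make the restricted-v2 baseline explicit (`readOnlyRootFilesystem` assumes the webhook writes nothing locally — confirm against the image). `image:` is templated; if `ocp4_workload_cert_manager_acme_bifrost_webhook_image` carries a tag rather than a digest, pinning by digest is preferable for a component that receives cloud credentials.
```yaml
  resources:
  - "secrets"
  resourceNames:
  - "cert-manager-aws-creds"   # add any other secret the solver reads
  verbs:
  - "get"
# … unchanged: RoleBinding, ClusterRoles, Service, Deployment metadata …
      containers:
      - name: webhook
        image: {{ ocp4_workload_cert_manager_acme_bifrost_webhook_image }}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        resources:            # constructed starting values; size from observed usage
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            memory: 128Mi
# … unchanged: args, env, ports, probes, volumeMounts …
```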
From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 15:02:21 +0100 Subject: [PATCH 03/23] Change cloud provider check from 'ec2' to 'aws' --- ...erissuer_fallback.yaml.j2 => clusterissuer-fallback.yaml.j2} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename roles/ocp4_workload_cert_manager/templates/{clusterissuer_fallback.yaml.j2 => clusterissuer-fallback.yaml.j2} (98%) diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 similarity index 98% rename from roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 rename to roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 index 7902b2c..c6aea77 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer_fallback.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 @@ -24,7 +24,7 @@ spec: - {{ _ocp4_workload_cert_manager_api_hostname }} - {{ _ocp4_workload_cert_manager_wildcard_domain }} dns01: -{% if ocp4_workload_cert_manager_cloud_provider == "ec2" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} route53: region: {{ ocp4_workload_cert_manager_ec2_region }} hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} From 116bc98dc877155ea9475b7bdd62d5e598167ca9 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 15:02:45 +0100 Subject: [PATCH 04/23] Rename clusterissuer_fallback.yaml.j2 to clusterissuer-fallback.yaml.j2 --- roles/ocp4_workload_cert_manager/tasks/workload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index 7862af1..086aeca 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml 
+++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml @@ -67,7 +67,7 @@ template: "{{ item }}" loop: - clusterissuer.yaml.j2 - - clusterissuer_fallback.yaml.j2 + - clusterissuer-fallback.yaml.j2 - certificate-ingress.yaml.j2 - certificate-api.yaml.j2 register: r_clusterissuer From 2e17149bc29ba62a2ac4edb8ad4e209109d81093 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 16:40:06 +0100 Subject: [PATCH 05/23] Update clusterissuer.yaml.j2 --- .../templates/clusterissuer.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 index 01f4372..b83987b 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 @@ -26,9 +26,9 @@ spec: dns01: {% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} route53: - region: {{ ocp4_workload_cert_manager_ec2_region }} + region: {{ ocp4_workload_cert_manager_aws_region }} hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} - accessKeyID: {{ ocp4_workload_cert_manager_ec2_access_key_id }} + accessKeyID: {{ ocp4_workload_cert_manager_aws_access_key_id }} secretAccessKeySecretRef: name: cert-manager-aws-creds key: aws_secret_access_key @@ -60,7 +60,7 @@ spec: config: gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }} - region: {{ ocp4_workload_cert_manager_ec2_region }} + region: {{ ocp4_workload_cert_manager_aws_region }} zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}" accessKeyIDSecretRef: name: cert-manager-aws-creds From e5736a8e93b715f9497ac9711ec656cfcbc3eb6d Mon Sep 17 00:00:00 2001 
From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 16:40:23 +0100 Subject: [PATCH 06/23] Update clusterissuer-fallback.yaml.j2 --- .../templates/clusterissuer-fallback.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 index c6aea77..0aa772f 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 @@ -26,9 +26,9 @@ spec: dns01: {% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %} route53: - region: {{ ocp4_workload_cert_manager_ec2_region }} + region: {{ ocp4_workload_cert_manager_aws_region }} hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} - accessKeyID: {{ ocp4_workload_cert_manager_ec2_access_key_id }} + accessKeyID: {{ ocp4_workload_cert_manager_aws_access_key_id }} secretAccessKeySecretRef: name: cert-manager-aws-creds key: aws_secret_access_key @@ -60,7 +60,7 @@ spec: config: gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider_fallback | default("letsencrypt") }} - region: {{ ocp4_workload_cert_manager_ec2_region }} + region: {{ ocp4_workload_cert_manager_aws_region }} zoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} accessKeyIDSecretRef: name: cert-manager-aws-creds From 5092b761a329aab0c30ab587b06e7a2fe0790b58 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 17:54:34 +0100 Subject: [PATCH 07/23] Update certificate-ingress-fallback.yaml.j2 --- .../templates/certificate-ingress-fallback.yaml.j2 | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) 
diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 index f88b2c4..403ceb5 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 @@ -2,21 +2,20 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: cert-manager-ingress-cert + name: cert-manager-ingress-cert-fallback namespace: openshift-ingress spec: isCA: false - commonName: "{{ _ocp4_workload_cert_manager_wildcard_domain }}" + commonName: "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" secretName: cert-manager-ingress-cert duration: 2160h renewBefore: 360h usages: - server auth - - client auth dnsNames: - - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" - "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}" + - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" issuerRef: kind: ClusterIssuer - name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }} + name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback group: cert-manager.io From ccd6c1e933be459be9859619819552ab9588a183 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 6 Jan 2026 17:54:58 +0100 Subject: [PATCH 08/23] Rename certificate and update issuer reference --- .../templates/certificate-ingress.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 index 403ceb5..2a2bf2c 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2 
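Review bot: The fallback Certificate keeps `secretName: cert-manager-ingress-cert`, the same Secret the primary `cert-manager-ingress-cert` Certificate (restored by patch 08) writes to, so once both objects exist two Certificates own one Secret and cert-manager is likely to keep re-issuing as each reconciles its own spec into it. The API path in patch 01 deletes the primary Certificate before applying the fallback; unless the ingress path does the same in a hunk not shown here, either delete `cert-manager-ingress-cert` first or give the fallback its own `secretName` and point the ingress controller at whichever certificate became ready.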
@@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: cert-manager-ingress-cert-fallback + name: cert-manager-ingress-cert namespace: openshift-ingress spec: isCA: false @@ -17,5 +17,5 @@ spec: - "{{ _ocp4_workload_cert_manager_wildcard_domain }}" issuerRef: kind: ClusterIssuer - name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback + name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }} group: cert-manager.io From 71d09838e6f4ff50562240e9e2d123f0b8916b21 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Date: Wed, 7 Jan 2026 09:33:24 +0100 Subject: [PATCH 09/23] Update cert_manager to support fallback properly + acme-bifrost --- roles/ocp4_workload_cert_manager/tasks/workload.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index 086aeca..e0ca257 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml +++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml @@ -21,7 +21,7 @@ - name: Update CertManager for AWS/GCP/Azure to use external DNS when: > - ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure"] + ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure", "acme-bifrost"] kubernetes.core.k8s: state: present template: certmanager.yaml.j2 
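Review bot: `"acme-bifrost"` is appended to the `ocp4_workload_cert_manager_cloud_provider in [...]` list, but everywhere else in this series (`clusterissuer.yaml.j2`, the deploy task in the next hunk) acme-bifrost is a value of `ocp4_workload_cert_manager_provider`, not of the cloud-provider variable, so this condition only changes behaviour if someone sets the cloud provider to a non-cloud value, and the task name "Update CertManager for AWS/GCP/Azure" no longer describes it. If the external-DNS cert-manager config is needed whenever the bifrost webhook is in use, test the provider variables instead: `when: ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure"] or ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback | default('') == "acme-bifrost"`, and rename the task accordingly.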
@@ -75,6 +75,17 @@ delay: 30 until: r_clusterissuer is success +- name: Deploy ACME Bifrost webhook + when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'webhook_acme_bifrost.yaml.j2') }}" + register: r_webhook_acme_bifrost + retries: 10 + delay: 30 + until: r_webhook_acme_bifrost is success + + - name: Install Ingress controller certificate when: ocp4_workload_cert_manager_install_ingress_certificates | bool block: From 0f94cd9b1305c22a25c864da53c81c29d4d71b0a Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 7 Jan 2026 12:13:55 +0100 Subject: [PATCH 10/23] Update workload.yml --- roles/ocp4_workload_cert_manager/tasks/workload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index e0ca257..100fe88 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml +++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml @@ -94,7 +94,7 @@ with_sequence: start=0 end={{ ocp4_workload_cert_manager_ingress_cert_max_retries }} - name: Update Ingress controller to use certificate - when: not r_certificate_ingress is failed + when: _ocp4_workload_cert_manager_ingress_cert_ready | default(false) | bool kubernetes.core.k8s: state: present template: default-ingress-controller.yaml.j2 @@ -107,7 +107,7 @@ with_sequence: start=0 end={{ ocp4_workload_cert_manager_api_cert_max_retries }} - name: API Certificate successfull - when: not r_certificate_api is failed + when: _ocp4_workload_cert_manager_api_cert_ready | default(false) | bool block: - name: Update API server to use certificate kubernetes.core.k8s: From ff52855a58c6ca183ea7d70623fcdd39d9e6759d Mon Sep 17 00:00:00 2001 
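Review bot: The webhook is applied after the ClusterIssuers and the retries only cover the API server accepting the manifests, not the aggregated API becoming reachable, so the first challenge attempts for a bifrost issuer can fail while the APIService is still unavailable and trip the restart-cert-manager rescue added in patch 01. Add a readiness wait on the APIService before the certificate checks start, as below (the object name follows the webhook group, which patch 12 renames). The task also uses `definition: "{{ lookup('template', ...) }}"` where the sibling tasks in this file use `template:`; using the same parameter keeps the multi-document handling consistent.
```yaml
- name: Wait for ACME Bifrost APIService to become available
  when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost"
  kubernetes.core.k8s_info:
    api_version: apiregistration.k8s.io/v1
    kind: APIService
    name: v1alpha1.acme.gateway.redhat.com
    wait: true
    wait_sleep: 5
    wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}"
    wait_condition:
      type: Available
      status: "True"
```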
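Review bot: The second hunk now gates "API Certificate successfull" on `_ocp4_workload_cert_manager_api_cert_ready`, but the only place in this series that marks the API certificate ready is patch 01's `set_fact: api_cert_ready: true` in cert_manager_api_cert_check.yml, and patch 11 renames only the ingress facts; unless a patch after 13 renames the API fact, the block never runs and the API server keeps its default certificate even after a successful issuance. Rename both `set_fact` tasks there to `_ocp4_workload_cert_manager_api_cert_ready: true` and the `when: not api_cert_ready | default(false) | bool` guards to match. The block the second hunk opens continues outside it.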
From: Alberto Gonzalez Rodriguez Date: Wed, 7 Jan 2026 12:22:45 +0100 Subject: [PATCH 11/23] Update cert_manager_ingress_cert_check.yml --- .../tasks/cert_manager_ingress_cert_check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml index 9c7919c..c7e2927 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml @@ -93,7 +93,7 @@ - name: Mark certificate ready when: not r_certificate_ingress is failed ansible.builtin.set_fact: - ingress_cert_ready: true + _ocp4_workload_cert_manager_ingress_cert_ready: true rescue: - name: Restart cert-manager on failure kubernetes.core.k8s: @@ -123,4 +123,4 @@ - name: Mark cert ready when: not r_certificate_ingress is failed ansible.builtin.set_fact: - ingress_cert_ready: true + _ocp4_workload_cert_manager_ingress_cert_ready: true From 5e75aa8c10920fa8d345cd2296458b4cb5bbf1e2 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 13 Jan 2026 16:23:41 +0100 Subject: [PATCH 12/23] Update webhook_acme_bifrost.yaml.j2 --- .../templates/webhook_acme_bifrost.yaml.j2 | 58 +++++++++++++++++-- 1 file changed, 53 insertions(+), 5 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 index bad42de..194d80a 100644 --- a/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/webhook_acme_bifrost.yaml.j2 @@ -42,7 +42,7 @@ metadata: app: acme-bifrost-webhook rules: - apiGroups: - - acme.gateway.redhat.com + - bifrost.demo.redhat.com resources: - '*' verbs: 
@@ -112,6 +112,15 @@ spec: selector: app: acme-bifrost-webhook --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: acme-bifrost-webhook-orders +rules: +- apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["list", "get", "patch", "watch", "update"] +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -140,7 +149,12 @@ spec: - --secure-port=8443 env: - name: GROUP_NAME - value: "acme.gateway.redhat.com" + value: "bifrost.demo.redhat.com" + - name: TSIG_SECRET + valueFrom: + secretKeyRef: + name: cert-manager-tsig-creds + key: tsig-secret ports: - name: https containerPort: 8443 @@ -191,17 +205,51 @@ spec: apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: - name: v1alpha1.acme.gateway.redhat.com + name: v1alpha1.bifrost.demo.redhat.com labels: app: acme-bifrost-webhook annotations: cert-manager.io/inject-ca-from: "cert-manager/acme-bifrost-webhook-webhook-tls" spec: - group: acme.gateway.redhat.com + group: bifrost.demo.redhat.com groupPriorityMinimum: 1000 versionPriority: 15 service: name: acme-bifrost-webhook namespace: cert-manager version: v1alpha1 - +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-webhook-bifrost +rules: +- apiGroups: ["bifrost.demo.redhat.com"] + resources: ["*"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook-bifrost +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-bifrost +subjects: +- kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: acme-bifrost-webhook-orders +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: acme-bifrost-webhook-orders +subjects: +- kind: ServiceAccount + name: acme-bifrost-webhook + namespace: cert-manager 
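Review bot: The `TSIG_SECRET` env entry added to the acme-bifrost-webhook Deployment references Secret `cert-manager-tsig-creds` unconditionally, but elsewhere in this series that Secret is created only when `ocp4_workload_cert_manager_cloud_provider == "ddns"`, so on any other cloud provider the pod cannot start (missing secret) and the Deployment readiness wait added later would time out. Either add `optional: true` under `secretKeyRef`, or wrap the env entry in the same cloud-provider conditional the ClusterIssuer templates use. Separately, the new `cert-manager-webhook-bifrost` ClusterRole grants `create` on `resources: ["*"]` in the webhook API group for the cert-manager service account; if the solver is the only resource cert-manager needs to create, narrowing it to `resources: ["gateway-passthrough"]` (the `solverName` used in clusterissuer.yaml.j2) follows least privilege — confirm against the resources the webhook actually registers.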
From 4b5c4e4f0b003c47a043215d95e654a7c0140552 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 13 Jan 2026 16:33:01 +0100 Subject: [PATCH 13/23] Update clusterissuer.yaml.j2 --- .../templates/clusterissuer.yaml.j2 | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 index b83987b..c72329b 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer.yaml.j2 @@ -55,11 +55,12 @@ spec: {% endif %} {% if ocp4_workload_cert_manager_provider == "acme-bifrost" %} webhook: - groupName: acme.gateway.redhat.com + groupName: bifrost.demo.redhat.com solverName: gateway-passthrough config: gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" %} region: {{ ocp4_workload_cert_manager_aws_region }} zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}" accessKeyIDSecretRef: @@ -68,6 +69,16 @@ spec: secretAccessKeySecretRef: name: cert-manager-aws-creds key: aws_secret_access_key +{% elif ocp4_workload_cert_manager_cloud_provider == "ddns" %} + dnsProvider: ddns + ddnsServer: "{{ cluster_dns_server }}" + ddnsZone: "{{ cluster_dns_zone }}" + tsigKeyName: "{{ ddns_key_name }}" + tsigAlgorithm: "hmac-sha256" + tsigSecretRef: + name: cert-manager-tsig-creds + key: tsig-secret +{% endif %} webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}" webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" {% endif %} From c1e53ee83365a563b84e8097efd0797e06c8dbf3 Mon Sep 17 00:00:00 2001 
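Review bot: The new `ddns` branch in clusterissuer.yaml.j2 reads `cluster_dns_server`, `cluster_dns_zone` and `ddns_key_name`, which sit outside the role's `ocp4_workload_cert_manager_` variable namespace and carry no `default`, so rendering aborts with an undefined-variable error whenever a ddns deployment does not supply all three from the caller. Prefer role-prefixed variables declared in the role defaults (for example `ocp4_workload_cert_manager_ddns_server`, a constructed name), or at minimum a comment above the `{% elif %}` listing the three required inputs. `tsigAlgorithm: "hmac-sha256"` is hard-coded; if other TSIG algorithms are in use it is worth lifting into a variable as well. The identical branch added to clusterissuer-fallback.yaml.j2 in the next patch has the same issue.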
From: Alberto Gonzalez Rodriguez Date: Tue, 13 Jan 2026 16:33:18 +0100 Subject: [PATCH 14/23] Update clusterissuer-fallback.yaml.j2 --- .../templates/clusterissuer-fallback.yaml.j2 | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 index 0aa772f..8cd289c 100644 --- a/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2 
@@ -53,21 +53,32 @@ spec: subscriptionID: {{ ocp4_workload_cert_manager_azure_subscription_id }} tenantID: {{ ocp4_workload_cert_manager_azure_tenant_id }} {% endif %} -{% if ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" %} +{% if ocp4_workload_cert_manager_provider == "acme-bifrost" %} webhook: - groupName: acme.gateway.redhat.com + groupName: bifrost.demo.redhat.com solverName: gateway-passthrough config: gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }} - caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider_fallback | default("letsencrypt") }} + caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }} +{% if ocp4_workload_cert_manager_cloud_provider == "aws" %} region: {{ ocp4_workload_cert_manager_aws_region }} - zoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }} + zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}" accessKeyIDSecretRef: name: cert-manager-aws-creds key: aws_access_key_id secretAccessKeySecretRef: name: cert-manager-aws-creds key: aws_secret_access_key +{% elif ocp4_workload_cert_manager_cloud_provider == "ddns" %} + dnsProvider: ddns + ddnsServer: "{{ cluster_dns_server }}" + ddnsZone: "{{ cluster_dns_zone }}" + tsigKeyName: "{{ ddns_key_name }}" + tsigAlgorithm: "hmac-sha256" + tsigSecretRef: + name: cert-manager-tsig-creds + key: tsig-secret +{% endif %} webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}" - webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" + webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}" {% endif %} From 697ca4b477ab65d20828d88e874045c85cd76f26 Mon Sep 17 00:00:00 2001 
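Review bot: The fallback issuer's webhook section is now gated on `ocp4_workload_cert_manager_provider == "acme-bifrost"` and reads `ocp4_workload_cert_manager_acme_bifrost_ca_provider`, i.e. the primary provider's settings, although this template renders the fallback issuer and the webhook deployment task elsewhere in this series is enabled by `ocp4_workload_cert_manager_provider_fallback == "acme-bifrost"`. As written, a deployment whose fallback (but not primary) provider is acme-bifrost renders no webhook solver here, and when both are acme-bifrost the fallback issuer uses the same CA provider as the primary, which appears to defeat the purpose of a fallback. If this is intentional, a comment above the `{% if %}` explaining why would help; otherwise the previous `{% if ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" %}` and `caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider_fallback | default("letsencrypt") }}` look like the intended lines.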
From: Alberto Gonzalez Rodriguez Date: Tue, 13 Jan 2026 19:09:17 +0100 Subject: [PATCH 15/23] Create cert_manager_ddns.yml --- roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml new file mode 100644 index 0000000..3d609cb --- /dev/null +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml @@ -0,0 +1,4 @@ +--- +- name: TODO + ansible.builtin.debug: + msg: "TODO" From 9ff7b5f8dc79b310a6ffcaee12108ba1d4c9a634 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Tue, 13 Jan 2026 20:33:52 +0100 Subject: [PATCH 16/23] Update workload.yml --- .../tasks/workload.yml | 57 +++++++++++++++---- 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index 100fe88..2094026 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml +++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml 
@@ -61,19 +61,15 @@ - name: Set up cloud provider specific prerequisites for cert manager ansible.builtin.include_tasks: "cert_manager_{{ ocp4_workload_cert_manager_cloud_provider }}.yml" -- name: Set up ClusterIssuer and request certificates +- name: Create DDNS secret kubernetes.core.k8s: state: present - template: "{{ item }}" - loop: - - clusterissuer.yaml.j2 - - clusterissuer-fallback.yaml.j2 - - certificate-ingress.yaml.j2 - - certificate-api.yaml.j2 - register: r_clusterissuer + definition: "{{ lookup('template', 'secret-tsig-creds.yaml.j2') }}" + register: r_ddns_secret retries: 10 - delay: 30 - until: r_clusterissuer is success + delay: 60 + until: r_ddns_secret is success + when: ocp4_workload_cert_manager_cloud_provider == "ddns" - name: Deploy ACME Bifrost webhook when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" 
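Review bot: The new `Create DDNS secret` task renders a Secret containing the TSIG key (`secret-tsig-creds.yaml.j2`) without `no_log: true`, so a failed attempt, a verbose run or `--diff` mode can print the key material into play output and CI logs. Add `no_log: true` to the task. The same applies to the copy of this task that moves into cert_manager_ddns.yml later in this series. The Secret template could also use `stringData:` instead of hand-encoding with `b64encode`, which removes one place where stray whitespace in the encoded value goes unnoticed.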
@@ -85,6 +81,47 @@ delay: 30 until: r_webhook_acme_bifrost is success +- name: Wait for acme-bifrost-webhook deployment to be ready + when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" + kubernetes.core.k8s_info: + api_version: apps/v1 + kind: Deployment + name: acme-bifrost-webhook + namespace: cert-manager + register: r_webhook_deployment + until: + - r_webhook_deployment.resources | length > 0 + - r_webhook_deployment.resources[0].status.readyReplicas is defined + - r_webhook_deployment.resources[0].status.readyReplicas == r_webhook_deployment.resources[0].spec.replicas + retries: 30 + delay: 10 + +- name: Wait for webhook APIService to be available + when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" + kubernetes.core.k8s_info: + api_version: apiregistration.k8s.io/v1 + kind: APIService + name: v1alpha1.bifrost.demo.redhat.com + register: r_webhook_apiservice + until: + - r_webhook_apiservice.resources | length > 0 + - r_webhook_apiservice.resources[0].status.conditions | selectattr('type', 'equalto', 'Available') | selectattr('status', 'equalto', 'True') | list | length > 0 + retries: 30 + delay: 10 + +- name: Set up ClusterIssuer and request certificates + kubernetes.core.k8s: + state: present + template: "{{ item }}" + loop: + - clusterissuer.yaml.j2 + - clusterissuer-fallback.yaml.j2 + - certificate-ingress.yaml.j2 + - certificate-api.yaml.j2 + register: r_clusterissuer + retries: 10 + delay: 30 + until: r_clusterissuer is success - name: Install Ingress controller certificate when: ocp4_workload_cert_manager_install_ingress_certificates | bool From bac69ddb89ab957145cac1a7b7044f3570a18d54 Mon Sep 17 00:00:00 2001 
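Review bot: The APIService name `v1alpha1.bifrost.demo.redhat.com` is hard-coded in the new readiness wait, and the same group name is written literally in webhook_acme_bifrost.yaml.j2 and in both ClusterIssuer templates, so a future rename must be repeated in four places and a mismatch surfaces only as a wait timeout. A single role variable for the group name (something like `ocp4_workload_cert_manager_acme_bifrost_group_name`, a constructed name) used in all four would keep them in sync. The re-added `Set up ClusterIssuer and request certificates` task also runs straight into the following `Install Ingress controller certificate` task with no blank line between them, unlike the rest of the file.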
From: Alberto Gonzalez Rodriguez Date: Tue, 13 Jan 2026 20:34:26 +0100 Subject: [PATCH 17/23] Create secret-tsig-creds.yaml.j2 --- .../templates/secret-tsig-creds.yaml.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 diff --git a/roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 new file mode 100644 index 0000000..4e0ecf5 --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/secret-tsig-creds.yaml.j2 @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-tsig-creds + namespace: cert-manager +type: Opaque +data: + tsig-secret: {{ ddns_key_secret | b64encode }} From 38d7511d1950d14edad2151298e9d8ea3d15a702 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 14 Jan 2026 18:14:52 +0100 Subject: [PATCH 18/23] Update cert_manager_ddns.yml --- .../tasks/cert_manager_ddns.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml index 3d609cb..12546b1 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml @@ -1,4 +1,8 @@ ---- -- name: TODO - ansible.builtin.debug: - msg: "TODO" +- name: Create DDNS secret + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'secret-tsig-creds.yaml.j2') }}" + register: r_ddns_secret + retries: 10 + delay: 60 + until: r_ddns_secret is success From f7e88f9c52b53d4690bf75a442fb218716031fcd Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 14 Jan 2026 18:15:40 +0100 Subject: [PATCH 19/23] Update workload.yml --- roles/ocp4_workload_cert_manager/tasks/workload.yml | 9 --------- 1 file changed, 9 deletions(-) 
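Review bot: The rewritten cert_manager_ddns.yml drops the `---` document-start marker that the placeholder version had; re-add `---` as the first line, as is conventional for Ansible task files. The Secret name `cert-manager-tsig-creds` and key `tsig-secret` in secret-tsig-creds.yaml.j2 must match the `secretKeyRef` in webhook_acme_bifrost.yaml.j2 and the `tsigSecretRef` in both ClusterIssuer templates, so a comment above `metadata.name` naming those consumers would make the coupling visible to the next editor. The `tsig-secret: {{ ddns_key_secret | b64encode }}` line also depends on an unprefixed, undefaulted variable, so an undefined-variable error is the only signal when it is missing.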
diff --git a/roles/ocp4_workload_cert_manager/tasks/workload.yml b/roles/ocp4_workload_cert_manager/tasks/workload.yml index 2094026..a349bfd 100644 --- a/roles/ocp4_workload_cert_manager/tasks/workload.yml +++ b/roles/ocp4_workload_cert_manager/tasks/workload.yml @@ -61,15 +61,6 @@ - name: Set up cloud provider specific prerequisites for cert manager ansible.builtin.include_tasks: "cert_manager_{{ ocp4_workload_cert_manager_cloud_provider }}.yml" -- name: Create DDNS secret - kubernetes.core.k8s: - state: present - definition: "{{ lookup('template', 'secret-tsig-creds.yaml.j2') }}" - register: r_ddns_secret - retries: 10 - delay: 60 - until: r_ddns_secret is success - when: ocp4_workload_cert_manager_cloud_provider == "ddns" - name: Deploy ACME Bifrost webhook when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost" From 368c4e35e384677f93730537772a4d43a47ab1c4 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 14 Jan 2026 18:20:31 +0100 Subject: [PATCH 20/23] Update cert_manager_api_cert_check.yml --- .../tasks/cert_manager_api_cert_check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml index 8897007..1048be8 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml @@ -38,7 +38,7 @@ - name: Report fail on api certificate failure when: - - (api_cert_retry_counter | int > api_cert_max_retries | int) + - (_ocp4_workload_cert_manager_api_retry_count | int > api_cert_max_retries | int) - r_certificate_api is failed block: - name: Print error message if requesting certificates failed From 5dbd86ca65f64178bd51711b1e85014f402d9df4 Mon Sep 17 00:00:00 2001 
From: Alberto Gonzalez Rodriguez Date: Wed, 14 Jan 2026 18:21:52 +0100 Subject: [PATCH 21/23] Update certificate-ingress-fallback.yaml.j2 --- .../templates/certificate-ingress-fallback.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 index 403ceb5..dd62d51 100644 --- a/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 +++ b/roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2 @@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: cert-manager-ingress-cert-fallback + name: cert-manager-ingress-cert namespace: openshift-ingress spec: isCA: false From 02b7fbd6d74d138eaa645095ddc99dd0fca8f5e7 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 14 Jan 2026 18:24:54 +0100 Subject: [PATCH 22/23] Create certificate-api-fallback.yaml.j2 --- .../certificate-api-fallback.yaml.j2 | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 diff --git a/roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 b/roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 new file mode 100644 index 0000000..db62ad5 --- /dev/null +++ b/roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2 
@@ -0,0 +1,20 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: cert-manager-api-cert + namespace: openshift-config +spec: + isCA: false + commonName: "{{ _ocp4_workload_cert_manager_api_hostname }}" + secretName: cert-manager-api-cert + duration: 2160h + renewBefore: 360h + usages: + - server auth + dnsNames: + - "{{ _ocp4_workload_cert_manager_api_hostname }}" + issuerRef: + kind: ClusterIssuer + name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback + group: cert-manager.io From 90339f4af3a2b2d9bba693b85a2463c53b2b417c Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 14 Jan 2026 18:26:17 +0100 Subject: [PATCH 23/23] Update cert_manager_api_cert_check.yml --- .../tasks/cert_manager_api_cert_check.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml index 1048be8..4bb1ee5 100644 --- a/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml +++ b/roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml 
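Review bot: The fallback API Certificate's `issuerRef.name` is built from `ocp4_workload_cert_manager_provider` rather than `ocp4_workload_cert_manager_provider_fallback`, so if the fallback ClusterIssuer is named after the fallback provider this reference never resolves and the Certificate stays pending; the fallback ClusterIssuer's `metadata.name` is not visible in this series, so please confirm which variable it uses. The file also reuses `name: cert-manager-api-cert` and `secretName: cert-manager-api-cert`, which means applying it replaces the primary Certificate object in openshift-config rather than adding a second one; if that is the intent, a short header comment saying so would keep the next reader from treating it as a copy-paste mistake.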
@@ -38,20 +38,20 @@ - name: Report fail on api certificate failure when: - - (_ocp4_workload_cert_manager_api_retry_count | int > api_cert_max_retries | int) + - (_ocp4_workload_cert_manager_api_retry_count | int > ocp4_workload_cert_manager_api_cert_max_retries | int) - r_certificate_api is failed block: - name: Print error message if requesting certificates failed when: ocp4_workload_cert_manager_ignore_errors | bool ansible.builtin.debug: - msg: "Requesting certificate for API servers failed after {{ api_cert_max_retries }} retries." + msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries." - name: Fail if requesting certificates failed when: - not ocp4_workload_cert_manager_ignore_errors | bool - ocp4_workload_cert_manager_provider_fallback == "" ansible.builtin.fail: - msg: "Requesting certificate for API servers failed after {{ api_cert_max_retries }} retries." + msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries." - name: Try fallback provider if defined when: