[ocp4_workload_cert_manager] Add ACME and Bifrost support

roles/ocp4_workload_cert_manager/tasks/cert_manager_api_cert_check.yml

@@ -47,6 +47,75 @@
         msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries."
 
     - name: Fail if requesting certificates failed
-      when: not ocp4_workload_cert_manager_ignore_errors | bool
+      when:
+      - not ocp4_workload_cert_manager_ignore_errors | bool
+      - ocp4_workload_cert_manager_provider_fallback == ""
       ansible.builtin.fail:
         msg: "Requesting certificate for API servers failed after {{ ocp4_workload_cert_manager_api_cert_max_retries }} retries."
+
+  - name: Try fallback provider if defined
+    when:
+    - ocp4_workload_cert_manager_provider_fallback != ""
+    - r_certificate_api is failed
+    block:
+    - name: Remove existing API Certificate
+      kubernetes.core.k8s:
+        api_version: cert-manager.io/v1
+        kind: Certificate
+        name: cert-manager-api-cert
+        namespace: openshift-config
+        state: absent
+
+    - name: Add certificate requests using fallback provider
+      kubernetes.core.k8s:
+        state: present
+        definition: "{{ lookup('template', item) }}"
+      loop:
+      - certificate-api-fallback.yaml.j2
+      register: r_clusterissuer
+      retries: 10
+      delay: 30
+      until: r_clusterissuer is success
+
+    - name: Wait until API Certificate is ready
+      when: not api_cert_ready | default(false) | bool
+      kubernetes.core.k8s_info:
+        api_version: cert-manager.io/v1
+        kind: Certificate
+        name: cert-manager-api-cert
+        namespace: openshift-config
+        wait: true
+        wait_sleep: 5
+        wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}"
+        wait_condition:
+          type: "Ready"
+          status: "True"
+      register: r_certificate_api
+    rescue:
+    - name: Restart cert-manager on failure
+      kubernetes.core.k8s:
+        api_version: v1
+        kind: Pod
+        state: absent
+        label_selectors:
+        - app.kubernetes.io/instance=cert-manager
+        - app.kubernetes.io/component=controller
+        namespace: cert-manager
+    - name: Wait until API Certificate is ready
+      when: not api_cert_ready | default(false) | bool
+      kubernetes.core.k8s_info:
+        api_version: cert-manager.io/v1
+        kind: Certificate
+        name: cert-manager-api-cert
+        namespace: openshift-config
+        wait: true
+        wait_sleep: 5
+        wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}"
+        wait_condition:
+          type: "Ready"
+          status: "True"
+      register: r_certificate_api
+    - name: Mark cert ready
+      when: not r_certificate_api is failed
+      ansible.builtin.set_fact:
+        api_cert_ready: true

roles/ocp4_workload_cert_manager/tasks/cert_manager_ddns.yml

@@ -0,0 +1,8 @@
+- name: Create DDNS secret
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('template', 'secret-tsig-creds.yaml.j2') }}"
+  register: r_ddns_secret
+  retries: 10
+  delay: 60
+  until: r_ddns_secret is success

roles/ocp4_workload_cert_manager/tasks/cert_manager_ingress_cert_check.yml

@@ -93,4 +93,34 @@
     - name: Mark certificate ready
       when: not r_certificate_ingress is failed
       ansible.builtin.set_fact:
-        ingress_cert_ready: true
+        _ocp4_workload_cert_manager_ingress_cert_ready: true
+    rescue:
+    - name: Restart cert-manager on failure
+      kubernetes.core.k8s:
+        api_version: v1
+        kind: Pod
+        state: absent
+        label_selectors:
+        - app.kubernetes.io/instance=cert-manager
+        - app.kubernetes.io/component=controller
+        namespace: cert-manager
+
+    - name: Wait until Ingress Certificate is ready
+      when: not ingress_cert_ready | default(false) | bool
+      kubernetes.core.k8s_info:
+        api_version: cert-manager.io/v1
+        kind: Certificate
+        name: cert-manager-ingress-cert
+        namespace: openshift-ingress
+        wait: true
+        wait_sleep: 5
+        wait_timeout: "{{ ocp4_workload_cert_manager_wait_timeout | int }}"
+        wait_condition:
+          type: "Ready"
+          status: "True"
+      register: r_certificate_ingress
+
+    - name: Mark cert ready
+      when: not r_certificate_ingress is failed
+      ansible.builtin.set_fact:
+        _ocp4_workload_cert_manager_ingress_cert_ready: true

roles/ocp4_workload_cert_manager/tasks/workload.yml

@@ -21,7 +21,7 @@
 
 - name: Update CertManager for AWS/GCP/Azure to use external DNS
   when: >
-    ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure"]
+    ocp4_workload_cert_manager_cloud_provider in ["aws", "gcp", "azure", "acme-bifrost"]
   kubernetes.core.k8s:
     state: present
     template: certmanager.yaml.j2
@@ -61,12 +61,52 @@
 - name: Set up cloud provider specific prerequisites for cert manager
   ansible.builtin.include_tasks: "cert_manager_{{ ocp4_workload_cert_manager_cloud_provider }}.yml"
 
+
+- name: Deploy ACME Bifrost webhook
+  when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost"
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('template', 'webhook_acme_bifrost.yaml.j2') }}"
+  register: r_webhook_acme_bifrost
+  retries: 10
+  delay: 30
+  until: r_webhook_acme_bifrost is success
+
+- name: Wait for acme-bifrost-webhook deployment to be ready
+  when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost"
+  kubernetes.core.k8s_info:
+    api_version: apps/v1
+    kind: Deployment
+    name: acme-bifrost-webhook
+    namespace: cert-manager
+  register: r_webhook_deployment
+  until:
+  - r_webhook_deployment.resources | length > 0
+  - r_webhook_deployment.resources[0].status.readyReplicas is defined
+  - r_webhook_deployment.resources[0].status.readyReplicas == r_webhook_deployment.resources[0].spec.replicas
+  retries: 30
+  delay: 10
+
+- name: Wait for webhook APIService to be available
+  when: ocp4_workload_cert_manager_provider == "acme-bifrost" or ocp4_workload_cert_manager_provider_fallback == "acme-bifrost"
+  kubernetes.core.k8s_info:
+    api_version: apiregistration.k8s.io/v1
+    kind: APIService
+    name: v1alpha1.bifrost.demo.redhat.com
+  register: r_webhook_apiservice
+  until:
+  - r_webhook_apiservice.resources | length > 0
+  - r_webhook_apiservice.resources[0].status.conditions | selectattr('type', 'equalto', 'Available') | selectattr('status', 'equalto', 'True') | list | length > 0
+  retries: 30
+  delay: 10
+
 - name: Set up ClusterIssuer and request certificates
   kubernetes.core.k8s:
     state: present
     template: "{{ item }}"
   loop:
   - clusterissuer.yaml.j2
+  - clusterissuer-fallback.yaml.j2
   - certificate-ingress.yaml.j2
   - certificate-api.yaml.j2
   register: r_clusterissuer
@@ -82,7 +122,7 @@
     with_sequence: start=0 end={{ ocp4_workload_cert_manager_ingress_cert_max_retries }}
 
   - name: Update Ingress controller to use certificate
-    when: not r_certificate_ingress is failed
+    when: _ocp4_workload_cert_manager_ingress_cert_ready | default(false) | bool
     kubernetes.core.k8s:
       state: present
       template: default-ingress-controller.yaml.j2
@@ -95,7 +135,7 @@
     with_sequence: start=0 end={{ ocp4_workload_cert_manager_api_cert_max_retries }}
 
   - name: API Certificate successfull
-    when: not r_certificate_api is failed
+    when: _ocp4_workload_cert_manager_api_cert_ready | default(false) | bool
     block:
     - name: Update API server to use certificate
       kubernetes.core.k8s:

roles/ocp4_workload_cert_manager/templates/certificate-api-fallback.yaml.j2

@@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-api-cert
+  namespace: openshift-config
+spec:
+  isCA: false
+  commonName: "{{ _ocp4_workload_cert_manager_api_hostname }}"
+  secretName: cert-manager-api-cert
+  duration: 2160h
+  renewBefore: 360h
+  usages:
+  - server auth
+  dnsNames:
+  - "{{ _ocp4_workload_cert_manager_api_hostname }}"
+  issuerRef:
+    kind: ClusterIssuer
+    name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback
+    group: cert-manager.io

roles/ocp4_workload_cert_manager/templates/certificate-api.yaml.j2

@@ -12,7 +12,6 @@ spec:
   renewBefore: 360h
   usages:
   - server auth
-  - client auth
   dnsNames:
   - "{{ _ocp4_workload_cert_manager_api_hostname }}"
   issuerRef:

roles/ocp4_workload_cert_manager/templates/certificate-ingress-fallback.yaml.j2

@@ -6,17 +6,16 @@ metadata:
   namespace: openshift-ingress
 spec:
   isCA: false
-  commonName: "{{ _ocp4_workload_cert_manager_wildcard_domain }}"
+  commonName: "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}"
   secretName: cert-manager-ingress-cert
   duration: 2160h
   renewBefore: 360h
   usages:
   - server auth
-  - client auth
   dnsNames:
-  - "{{ _ocp4_workload_cert_manager_wildcard_domain }}"
   - "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}"
+  - "{{ _ocp4_workload_cert_manager_wildcard_domain }}"
   issuerRef:
     kind: ClusterIssuer
-    name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}
+    name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback
     group: cert-manager.io

roles/ocp4_workload_cert_manager/templates/certificate-ingress.yaml.j2

@@ -6,16 +6,15 @@ metadata:
   namespace: openshift-ingress
 spec:
   isCA: false
-  commonName: "{{ _ocp4_workload_cert_manager_wildcard_domain }}"
+  commonName: "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}"
   secretName: cert-manager-ingress-cert
   duration: 2160h
   renewBefore: 360h
   usages:
   - server auth
-  - client auth
   dnsNames:
-  - "{{ _ocp4_workload_cert_manager_wildcard_domain }}"
   - "*.{{ _ocp4_workload_cert_manager_wildcard_domain }}"
+  - "{{ _ocp4_workload_cert_manager_wildcard_domain }}"
   issuerRef:
     kind: ClusterIssuer
     name: {{ ocp4_workload_cert_manager_provider }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}

roles/ocp4_workload_cert_manager/templates/clusterissuer-fallback.yaml.j2

@@ -0,0 +1,84 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ ocp4_workload_cert_manager_provider_fallback }}-production-{{ ocp4_workload_cert_manager_cloud_provider }}-fallback
+spec:
+  acme:
+    email: rhpds-admins@redhat.com
+    server: {{ ocp4_workload_cert_manager_acme_url_fallback }}
+    privateKeySecretRef:
+      name: cluster-issuer-acme-production-fallback
+{% if ocp4_workload_cert_manager_provider_fallback == "zerossl" %}      
+    externalAccountBinding:
+      keyID: {{ ocp4_workload_cert_manager_zerossl_eab_key_id }}
+      keySecretRef:
+        name: cert-manager-zerossl-creds
+        key: zerossl_hmac_key
+    privateKeySecretRef:
+      name: zerossl-prod-fallback
+{% endif %}
+    solvers:
+    - selector:
+        dnsZones:
+        - {{ _ocp4_workload_cert_manager_api_hostname }}
+        - {{ _ocp4_workload_cert_manager_wildcard_domain }}
+      dns01:
+{% if ocp4_workload_cert_manager_cloud_provider == "aws" and ocp4_workload_cert_manager_provider != "acme-bifrost" %}      
+        route53:
+          region: {{ ocp4_workload_cert_manager_aws_region }}
+          hostedZoneID: {{ _ocp4_workload_cert_manager_hostedzoneid }}
+          accessKeyID: {{ ocp4_workload_cert_manager_aws_access_key_id }}
+          secretAccessKeySecretRef:
+            name: cert-manager-aws-creds
+            key: aws_secret_access_key
+{% endif %}
+{% if ocp4_workload_cert_manager_cloud_provider == "gcp" %}      
+        cloudDNS:
+          project: {{ ocp4_workload_cert_manager_gcp_project_id }}
+          hostedZoneName: dns-zone-{{ guid }}
+          serviceAccountSecretRef:
+            name: cert-manager-gcp-creds
+            key: key.json
+{% endif %}
+{% if ocp4_workload_cert_manager_cloud_provider == "azure" %}
+        azureDNS:
+          clientID: {{ ocp4_workload_cert_manager_azure_client_id }}
+          clientSecretSecretRef:
+            name: cert-manager-azure-creds
+            key: client-secret
+          environment: AzurePublicCloud
+          hostedZoneName: {{ ocp4_workload_cert_manager_azure_hostedzone_name }}
+          resourceGroupName: {{ ocp4_workload_cert_manager_azure_resource_group_name }}
+          subscriptionID: {{ ocp4_workload_cert_manager_azure_subscription_id }}
+          tenantID: {{ ocp4_workload_cert_manager_azure_tenant_id }}
+{% endif %}
+{% if ocp4_workload_cert_manager_provider == "acme-bifrost" %}
+        webhook:
+          groupName: bifrost.demo.redhat.com
+          solverName: gateway-passthrough
+          config:
+            gatewayURL: {{ ocp4_workload_cert_manager_acme_bifrost_gateway_url }}
+            caProvider: {{ ocp4_workload_cert_manager_acme_bifrost_ca_provider | default("letsencrypt") }}
+{% if ocp4_workload_cert_manager_cloud_provider == "aws" %}
+            region: {{ ocp4_workload_cert_manager_aws_region }}
+            zoneID: "{{ _ocp4_workload_cert_manager_hostedzoneid }}"
+            accessKeyIDSecretRef:
+              name: cert-manager-aws-creds
+              key: aws_access_key_id
+            secretAccessKeySecretRef:
+              name: cert-manager-aws-creds
+              key: aws_secret_access_key
+{% elif ocp4_workload_cert_manager_cloud_provider == "ddns" %}
+            dnsProvider: ddns
+            ddnsServer: "{{ cluster_dns_server }}"
+            ddnsZone: "{{ cluster_dns_zone }}"
+            tsigKeyName: "{{ ddns_key_name }}"
+            tsigAlgorithm: "hmac-sha256"
+            tsigSecretRef:
+              name: cert-manager-tsig-creds
+              key: tsig-secret
+{% endif %}              
+            webhookKID: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_kid }}"
+            webhookSecret: "{{ ocp4_workload_cert_manager_acme_bifrost_webhook_secret }}"
+{% endif %}