feat(kubernetes): add initial setup for ArgoCD, Cert-Manager, MetalLB, and Traefik

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

roles/kubernetes_cert_manager/defaults/main.yml

@@ -0,0 +1,5 @@
+cert_manager_version: "v1.18.2"
+cert_manager_email: "mail@example.com"
+cert_manager_manifest: "https://github.com/cert-manager/cert-manager/releases/download/{{ cert_manager_version }}/cert-manager.yaml"
+cert_manager_issuer_name: "letsencrypt-prod"
+cert_manager_issuer_env: "staging"

roles/kubernetes_cert_manager/tasks/main.yml

@@ -0,0 +1,69 @@
+---
+- name: Ensure cert-manager namespace exists
+  kubernetes.core.k8s:
+    name: cert-manager
+    api_version: v1
+    kind: Namespace
+    state: present
+  tags:
+    - cert_manager
+    - namespace
+
+- name: Create netcup-secret
+  kubernetes.core.k8s:
+    namespace: cert-manager
+    definition: "{{ lookup('ansible.builtin.template', 'netcup.yml.j2') | from_yaml }}"
+
+- name: Add a repository
+  kubernetes.core.helm_repository:
+    name: cert-manager-webhook-netcup
+    repo_url: https://aellwein.github.io/cert-manager-webhook-netcup/charts/
+
+- name: Install NetCup Webhook
+  kubernetes.core.helm:
+    name: my-cert-manager-webhook-netcup
+    chart_ref: cert-manager-webhook-netcup/cert-manager-webhook-netcup
+    release_namespace: cert-manager
+    create_namespace: true
+
+- name: Download cert-manager manifest
+  ansible.builtin.get_url:
+    url: "{{ cert_manager_manifest }}"
+    dest: "/tmp/cert-manager.yaml"
+    mode: "0644"
+    validate_certs: true
+  tags:
+    - cert_manager
+    - download
+
+- name: Apply cert-manager core manifests
+  kubernetes.core.k8s:
+    src: "/tmp/cert-manager.yaml"
+    state: present
+  tags:
+    - cert_manager
+    - apply_manifest
+
+- name: Wait for cert-manager deployments to be ready
+  kubernetes.core.k8s_info:
+    api_version: apps/v1
+    kind: Deployment
+    namespace: cert-manager
+    name: "{{ item }}"
+    wait: true
+    wait_timeout: 300
+  loop:
+    - cert-manager
+    - cert-manager-cainjector
+    - cert-manager-webhook
+  tags:
+    - cert_manager
+    - wait_ready
+
+- name: Create Let's Encrypt ClusterIssuer
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('ansible.builtin.template', 'clusterissuer.yml.j2') | from_yaml }}"
+  tags:
+    - cert_manager
+    - cluster_issuer

roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+spec:
+    # For staging: https://acme-staging-v02.api.letsencrypt.org/directory
+    # For production: https://acme-v02.api.letsencrypt.org/directory
+    server: "{% if cert_manager_issuer_env == 'production' %}https://acme-v02.api.letsencrypt.org/directory{% else %}https://acme-staging-v02.api.letsencrypt.org/directory{% endif %}"
+    email: "{{ cert_manager_email }}"
+    privateKeySecretRef:
+      name: "{{ cert_manager_issuer_name }}-account-key"
+
+    solvers:
+    - dns01:
+        webhook:
+            groupName: com.netcup.webhook
+            solverName: netcup
+            config:
+                secretRef: netcup-secret
+                secretNamespace: cert-manager

roles/kubernetes_cert_manager/templates/netcup.yml.j2

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: netcup-secret
+type: Opaque
+data:
+  customer-number: {{ netcup_customer_id | b64encode }}
+  api-key: {{ netcup_api_key |b64encode }}
+  api-password: {{ netcup_api_password | b64encode }}
+