From 36f9dfad72d6a302169637aa5fea347d3544d6d8 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Wed, 29 Apr 2026 12:27:27 +0200
Subject: [PATCH 01/14] Update certificate.yml

---
 .../ocp4_workload_rhacs/tasks/certificate.yml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 0b3fc00..8f4af87 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -1,4 +1,51 @@
 ---
+- name: Create specific CNAME record for central
+ when: cluster_dns_server is defined
+ block:
+ - name: Get ClusterIssuer info
+ kubernetes.core.k8s_info:
+ api_version: cert-manager.io/v1
+ kind: ClusterIssuer
+ name: acme-bifrost-production-ddns
+ register: r_clusterissuer
+ - name: Set facts from ClusterIssuer
+ vars:
+ _webhook: "{{ r_clusterissuer.resources[0].spec.acme.solvers[0].dns01.webhook.config }}"
+ set_fact:
+ ddns_server: "{{ _webhook.ddnsServer }}"
+ ddns_zone: "{{ _webhook.ddnsZone }}"
+ tsig_key_name: "{{ _webhook.tsigKeyName }}"
+ tsig_secret_ref_name: "{{ _webhook.tsigSecretRef.name }}"
+ tsig_secret_ref_key: "{{ _webhook.tsigSecretRef.key }}"
+ - name: Get TSIG secret value
+ kubernetes.core.k8s_info:
+ api_version: v1
+ kind: Secret
+ name: "{{ tsig_secret_ref_name }}"
+ namespace: cert-manager
+ register: r_tsig_secret
+ - name: Set TSIG secret fact
+ set_fact:
+ tsig_secret: "{{ r_tsig_secret.resources[0].data[tsig_secret_ref_key] | b64decode }}"
+
+ - name: Create specific CNAME record for central
+ when: cluster_dns_server is defined
+ community.general.nsupdate:
+ server: >-
+ {{ ddns_server
+ | ansible.utils.ipaddr
+ | ternary(cluster_dns_server, lookup('community.general.dig', ddns_server))
+ }}
+ zone: "{{ ddns_zone }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_ingress_domain }}"
+ type: CNAME
+ ttl: 30
+ port: "{{ cluster_dns_port | d('53') }}"
+ value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}
+ key_name: "{{ tsig_key_name }}"
+ key_secret: "{{ tsig_secret }}"
+ key_algorithm: "hmac-sha256"
+
 # Check for existing valid certificate and skip provisioning if found
 - name: Check if valid Certificate already exists
 kubernetes.core.k8s_info:
From a9789b1783da47793d286c07a8b8e83f56b6a299 Mon Sep 17 00:00:00 2001
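Review bot: The TSIG key material fetched in `Get TSIG secret value` and decoded in `Set TSIG secret fact` lands in `r_tsig_secret` and the `tsig_secret` fact with no `no_log`, so any `-v` run, callback plugin or log shipper records the raw zone-update key; both tasks should carry `no_log: true`, and so should the nsupdate task unless the module is confirmed to mask `key_secret` on its own. Reusing cert-manager's ACME DNS-01 credential also gives this workload role whatever update rights that key holds on `ddnsZone`, so a dedicated key whose update-policy is limited to the `central-*` owner names would be the safer shape, or at minimum a comment above the block recording that it deliberately borrows cert-manager's key. `r_tsig_secret.resources[0]` is dereferenced without checking that the Secret was actually returned, so a missing or mis-referenced Secret fails with an index error instead of a readable message; an `ansible.builtin.assert` with `that: r_tsig_secret.resources | length == 1` before the `set_fact` makes that explicit. `key_algorithm` is pinned to `hmac-sha256` while every other TSIG parameter is read from the issuer config, so if the webhook config exposes the algorithm it should be read from there as well, and if it does not, a comment should say the value is assumed.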
From: Alberto Gonzalez Rodriguez
Date: Wed, 29 Apr 2026 14:24:54 +0200
Subject: [PATCH 02/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 8f4af87..2d1525b 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -41,7 +41,7 @@
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"
- value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}
+ value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}"
 key_name: "{{ tsig_key_name }}"
 key_secret: "{{ tsig_secret }}"
 key_algorithm: "hmac-sha256"
From c03c6ccc1f318f7ac745225fc401601640459a8c Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Wed, 29 Apr 2026 15:42:29 +0200
Subject: [PATCH 03/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 2d1525b..4ff68a1 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -1,13 +1,14 @@ --- +- name: Get ClusterIssuer info + kubernetes.core.k8s_info: + api_version: cert-manager.io/v1 + kind: ClusterIssuer + name: acme-bifrost-production-ddns + register: r_clusterissuer + - name: Create specific CNAME record for central - when: cluster_dns_server is defined + when: r_clusterissuer.resources | default([]) | length > 0 block: - - name: Get ClusterIssuer info - kubernetes.core.k8s_info: - api_version: cert-manager.io/v1 - kind: ClusterIssuer - name: acme-bifrost-production-ddns - register: r_clusterissuer - name: Set facts from ClusterIssuer vars: _webhook: "{{ r_clusterissuer.resources[0].spec.acme.solvers[0].dns01.webhook.config }}" From 113fd1c16ce9770de59079f45e23aab6dae87a36 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 29 Apr 2026 17:12:35 +0200 Subject: [PATCH 04/14] Update certificate.yml --- roles/ocp4_workload_rhacs/tasks/certificate.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml index 4ff68a1..43de305 100644 --- a/roles/ocp4_workload_rhacs/tasks/certificate.yml +++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml @@ -30,7 +30,6 @@ tsig_secret: "{{ r_tsig_secret.resources[0].data[tsig_secret_ref_key] | b64decode }}" - name: Create specific CNAME record for central - when: cluster_dns_server is defined community.general.nsupdate: server: >- {{ ddns_server From 75aea2abe7ab2c9b3b36a6d88b96db9c5e93a251 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Rodriguez Date: Wed, 29 Apr 2026 18:35:40 +0200 Subject: [PATCH 05/14] Update certificate.yml --- roles/ocp4_workload_rhacs/tasks/certificate.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml index 43de305..d254e29 100644 --- a/roles/ocp4_workload_rhacs/tasks/certificate.yml +++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml 
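Review bot: The block is now gated on the ClusterIssuer existing, but the first task inside still dereferences `spec.acme.solvers[0].dns01.webhook.config`, so an issuer whose first solver is not the DDNS webhook (an HTTP-01 entry listed first, say) fails on the `vars` line instead of being skipped. Selecting the solver by shape rather than position is more robust, something like `_webhook: "{{ r_clusterissuer.resources[0].spec.acme.solvers | selectattr('dns01', 'defined') | map(attribute='dns01.webhook.config') | first }}"`, and a one-line comment on the new `when:` stating that an absent issuer means the CNAME step is intentionally skipped would help the next reader. Whether `kubernetes.core.k8s_info` returns an empty list or fails outright when the cert-manager CRD itself is not installed decides if this gate also covers clusters without cert-manager; that is worth confirming and noting next to the `when:`. The block continues past the end of this hunk.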
@@ -31,11 +31,7 @@
 
 - name: Create specific CNAME record for central
 community.general.nsupdate:
- server: >-
- {{ ddns_server
- | ansible.utils.ipaddr
- | ternary(cluster_dns_server, lookup('community.general.dig', ddns_server))
- }}
+ server: "{{ lookup('community.general.dig', ddns_server) }}"
 zone: "{{ ddns_zone }}"
 record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_ingress_domain }}"
 type: CNAME
From c4b6d6ee079e00e78a5457bbdb222fd5bd5343d0 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Wed, 29 Apr 2026 20:21:52 +0200
Subject: [PATCH 06/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index d254e29..18d481b 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -37,7 +37,7 @@
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"
- value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}"
+ value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}."
 key_name: "{{ tsig_key_name }}"
 key_secret: "{{ tsig_secret }}"
 key_algorithm: "hmac-sha256"
From d495131d6d315d72134e85812923e86401356096 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Wed, 29 Apr 2026 22:05:14 +0200
Subject: [PATCH 07/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 18d481b..8881e8c 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
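Review bot: Removing the `ansible.utils.ipaddr` guard means `ddns_server` is always pushed through the dig lookup, and as far as I can tell that lookup does not hand an IP literal back unchanged (dnspython resolves it as a name), so an issuer whose `ddnsServer` is written as an address — the usual shape for RFC 2136 updates — would now give nsupdate an unusable `server` value such as `NXDOMAIN`. A short-circuiting inline conditional keeps the simplification without that regression: `server: "{{ ddns_server if (ddns_server | ansible.utils.ipaddr) else lookup('community.general.dig', ddns_server) }}"`. The lookup also resolves on the controller with the controller's resolver and returns a comma-joined string when the name has several A records, so a DDNS host that is only resolvable from inside the cluster, or that is multi-homed, still needs handling. After this change `cluster_dns_server` is no longer read anywhere while `cluster_dns_port` still is on the `port:` line; either keep both as operator overrides or drop both for consistency.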
@@ -33,7 +33,7 @@
 community.general.nsupdate:
 server: "{{ lookup('community.general.dig', ddns_server) }}"
 zone: "{{ ddns_zone }}"
- record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_ingress_domain }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}"
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"
From 1728184ba7c4dbc9ce954ae2310f775eca35bd50 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 00:58:39 +0200
Subject: [PATCH 08/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 8881e8c..b1d6dfc 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -33,7 +33,7 @@
 community.general.nsupdate:
 server: "{{ lookup('community.general.dig', ddns_server) }}"
 zone: "{{ ddns_zone }}"
- record: "central-{{ ocp4_workload_rhacs_central_namespace }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}.apps.cluster-{{ guid }}"
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"
From 6ba21bef174a23ad9a1afd1294e9cc1c3fd783b7 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 01:04:52 +0200
Subject: [PATCH 09/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index b1d6dfc..f0cce40 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -5,7 +5,7 @@
 kind: ClusterIssuer
 name: acme-bifrost-production-ddns
 register: r_clusterissuer
-
+
 - name: Create specific CNAME record for central
 when: r_clusterissuer.resources | default([]) | length > 0
 block:
From 15da4dbb5b31651cd68e6ecc423190d1e8021c0e Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 01:06:06 +0200
Subject: [PATCH 10/14] Update certificate.yml

---
 .../ocp4_workload_rhacs/tasks/certificate.yml | 66 +++++++++----------
 1 file changed, 33 insertions(+), 33 deletions(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index f0cce40..2cfe964 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -9,39 +9,39 @@
 - name: Create specific CNAME record for central
 when: r_clusterissuer.resources | default([]) | length > 0
 block:
- - name: Set facts from ClusterIssuer
- vars:
- _webhook: "{{ r_clusterissuer.resources[0].spec.acme.solvers[0].dns01.webhook.config }}"
- set_fact:
- ddns_server: "{{ _webhook.ddnsServer }}"
- ddns_zone: "{{ _webhook.ddnsZone }}"
- tsig_key_name: "{{ _webhook.tsigKeyName }}"
- tsig_secret_ref_name: "{{ _webhook.tsigSecretRef.name }}"
- tsig_secret_ref_key: "{{ _webhook.tsigSecretRef.key }}"
- - name: Get TSIG secret value
- kubernetes.core.k8s_info:
- api_version: v1
- kind: Secret
- name: "{{ tsig_secret_ref_name }}"
- namespace: cert-manager
- register: r_tsig_secret
- - name: Set TSIG secret fact
- set_fact:
- tsig_secret: "{{ r_tsig_secret.resources[0].data[tsig_secret_ref_key] | b64decode }}"
-
- - name: Create specific CNAME record for central
- community.general.nsupdate:
- server: "{{ lookup('community.general.dig', ddns_server) }}"
- zone: "{{ ddns_zone }}"
- record: "central-{{ ocp4_workload_rhacs_central_namespace }}.apps.cluster-{{ guid }}"
- type: CNAME
- ttl: 30
- port: "{{ cluster_dns_port | d('53') }}"
- value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}."
- key_name: "{{ tsig_key_name }}"
- key_secret: "{{ tsig_secret }}"
- key_algorithm: "hmac-sha256"
-
+ - name: Set facts from ClusterIssuer
+ vars:
+ _webhook: "{{ r_clusterissuer.resources[0].spec.acme.solvers[0].dns01.webhook.config }}"
+ set_fact:
+ ddns_server: "{{ _webhook.ddnsServer }}"
+ ddns_zone: "{{ _webhook.ddnsZone }}"
+ tsig_key_name: "{{ _webhook.tsigKeyName }}"
+ tsig_secret_ref_name: "{{ _webhook.tsigSecretRef.name }}"
+ tsig_secret_ref_key: "{{ _webhook.tsigSecretRef.key }}"
+ - name: Get TSIG secret value
+ kubernetes.core.k8s_info:
+ api_version: v1
+ kind: Secret
+ name: "{{ tsig_secret_ref_name }}"
+ namespace: cert-manager
+ register: r_tsig_secret
+ - name: Set TSIG secret fact
+ set_fact:
+ tsig_secret: "{{ r_tsig_secret.resources[0].data[tsig_secret_ref_key] | b64decode }}"
+
+ - name: Create specific CNAME record for central
+ community.general.nsupdate:
+ server: "{{ lookup('community.general.dig', ddns_server) }}"
+ zone: "{{ ddns_zone }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}.apps.cluster-{{ guid }}"
+ type: CNAME
+ ttl: 30
+ port: "{{ cluster_dns_port | d('53') }}"
+ value: "console-openshift-console.{{ openshift_cluster_ingress_domain }}."
+ key_name: "{{ tsig_key_name }}"
+ key_secret: "{{ tsig_secret }}"
+ key_algorithm: "hmac-sha256"
+
 # Check for existing valid certificate and skip provisioning if found
 - name: Check if valid Certificate already exists
 kubernetes.core.k8s_info:
From 6dc05a111d208b0efb78890e009b8cb8d5173979 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 01:08:24 +0200
Subject: [PATCH 11/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 2cfe964..1fd3317 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -12,7 +12,7 @@
 - name: Set facts from ClusterIssuer
 vars:
 _webhook: "{{ r_clusterissuer.resources[0].spec.acme.solvers[0].dns01.webhook.config }}"
- set_fact:
+ ansible.builtin.set_fact:
 ddns_server: "{{ _webhook.ddnsServer }}"
 ddns_zone: "{{ _webhook.ddnsZone }}"
 tsig_key_name: "{{ _webhook.tsigKeyName }}"
@@ -26,7 +26,7 @@
 namespace: cert-manager
 register: r_tsig_secret
 - name: Set TSIG secret fact
- set_fact:
+ ansible.builtin.set_fact:
 tsig_secret: "{{ r_tsig_secret.resources[0].data[tsig_secret_ref_key] | b64decode }}"
 
 - name: Create specific CNAME record for central
From edc084cda8b36935cdb15d44f54a306c4c2ea100 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 08:30:12 +0200
Subject: [PATCH 12/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 1fd3317..a02577f 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -33,7 +33,7 @@
 community.general.nsupdate:
 server: "{{ lookup('community.general.dig', ddns_server) }}"
 zone: "{{ ddns_zone }}"
- record: "central-{{ ocp4_workload_rhacs_central_namespace }}.apps.cluster-{{ guid }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_inress_domain | ansible.builtin.replace('.' + ddns_zone, '') }}"
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"
From e2d9b2cb3a3de90b5847a603cdcaf7d83439ee20 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 08:39:25 +0200
Subject: [PATCH 13/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
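Review bot: `replace('.' + ddns_zone, '')` on the new `record:` line is an unanchored substring replacement, so it silently produces the wrong owner name whenever the ingress domain does not end in `ddns_zone` (the untouched FQDN is then, as far as I recall of nsupdate's handling, treated as zone-relative and gets the zone appended a second time) or when the zone string happens to occur earlier in the name. Anchoring it, e.g. `regex_replace('\\.' ~ (ddns_zone | regex_escape) ~ '$', '')`, and asserting the precondition first with `ansible.builtin.assert: { that: openshift_cluster_ingress_domain.endswith('.' ~ ddns_zone) }` turns that into a clear failure rather than a stray record written under the borrowed TSIG key. A one-line comment above `record:` saying that nsupdate wants the owner name relative to `zone:` here would also spare the next reader from re-deriving why the suffix is stripped.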
diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index a02577f..0a405d0 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -33,7 +33,7 @@
 community.general.nsupdate:
 server: "{{ lookup('community.general.dig', ddns_server) }}"
 zone: "{{ ddns_zone }}"
- record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_inress_domain | ansible.builtin.replace('.' + ddns_zone, '') }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_inress_domain | replace('.' + ddns_zone, '') }}"
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"
From 4e01883f112f944e162074115761a436a44a0e4c Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Rodriguez
Date: Thu, 30 Apr 2026 09:59:45 +0200
Subject: [PATCH 14/14] Update certificate.yml

---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 0a405d0..ee8997e 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -33,7 +33,7 @@
 community.general.nsupdate:
 server: "{{ lookup('community.general.dig', ddns_server) }}"
 zone: "{{ ddns_zone }}"
- record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_inress_domain | replace('.' + ddns_zone, '') }}"
+ record: "central-{{ ocp4_workload_rhacs_central_namespace }}.{{ openshift_cluster_ingress_domain | replace('.' + ddns_zone, '') }}"
 type: CNAME
 ttl: 30
 port: "{{ cluster_dns_port | d('53') }}"