Merged
24 changes: 13 additions & 11 deletions roles/ocp4_workload_rhacs/tasks/workload.yml
Expand Up @@ -69,18 +69,20 @@
when: ocp4_workload_rhacs_enable_route_certs | bool
ansible.builtin.include_tasks: certificate.yml

- name: Extract CA certificate chain for reencrypt route
- name: Get rhacs-central-tls secret for reencrypt route
when: ocp4_workload_rhacs_enable_reencrypt_route | bool
block:
- name: Get rhacs-central-tls secret
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: rhacs-central-tls
namespace: "{{ ocp4_workload_rhacs_central_namespace }}"
register: r_rhacs_central_tls_secret
failed_when: r_rhacs_central_tls_secret.resources | length == 0
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: rhacs-central-tls
namespace: "{{ ocp4_workload_rhacs_central_namespace }}"
register: r_rhacs_central_tls_secret

- name: Extract CA certificate chain for reencrypt route
when:
- ocp4_workload_rhacs_enable_reencrypt_route | bool
- r_rhacs_central_tls_secret.resources | default([]) | length > 0
block:
- name: Extract intermediate CA chain from certificate
ansible.builtin.set_fact:
_cert_intermediate_ca_chain: >-
Expand All @@ -97,7 +99,7 @@

- name: Combine intermediate CAs with cluster trust bundle
ansible.builtin.set_fact:
ocp4_workload_rhacs_reencrypt_destination_ca: >-
_ocp4_workload_rhacs_reencrypt_destination_ca: >-
{{ _cert_intermediate_ca_chain }}{{ r_cluster_trusted_ca_bundle.resources[0].data['ca-bundle.crt'] }}

- name: Create Central
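Review bot: The new top-level task `Get rhacs-central-tls secret for reencrypt route` registers the whole Secret object in `r_rhacs_central_tls_secret` without `no_log: true`, so the secret's `data` can show up in verbose output or stored job logs. A TLS secret normally carries the private key next to the certificate, though the contents of `rhacs-central-tls` are not visible on this page. Adding `no_log: true` to that task keeps the key material out of logs. Separately, with `failed_when` removed a missing secret now skips the CA extraction block without any message; if that is intended, a comment above the `when:` list such as `# Secret may be absent on the first run; CA extraction is skipped in that case` would record why (the reason is inferred here, so confirm it before adding).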
4 changes: 2 additions & 2 deletions roles/ocp4_workload_rhacs/templates/central.yaml.j2
Expand Up @@ -35,12 +35,12 @@ spec:
enabled: false
route:
enabled: true
{% if ocp4_workload_rhacs_enable_reencrypt_route | bool %}
{% if ocp4_workload_rhacs_enable_reencrypt_route | bool and _ocp4_workload_rhacs_reencrypt_destination_ca is defined %}
reencrypt:
enabled: true
tls:
destinationCACertificate: |
{{ ocp4_workload_rhacs_reencrypt_destination_ca | indent(14, True) }}
{{ _ocp4_workload_rhacs_reencrypt_destination_ca | indent(14, True) }}
{% endif %}
persistence:
persistentVolumeClaim:
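Review bot: With the added `_ocp4_workload_rhacs_reencrypt_destination_ca is defined` guard, a run that has `ocp4_workload_rhacs_enable_reencrypt_route` set to true but no CA fact renders Central without the `reencrypt` block and reports nothing, so the route ends up in a different TLS mode than the one requested. If a later pass is not guaranteed to re-render the template once the fact exists, the role should say so at run time, for example with an `ansible.builtin.debug` or `ansible.builtin.fail` task placed before `Create Central` and conditioned on `ocp4_workload_rhacs_enable_reencrypt_route | bool and _ocp4_workload_rhacs_reencrypt_destination_ca is not defined`. Note also that `is defined` stays true for a fact set earlier in the same play, so a value from a previous invocation of the role on the same host would be reused; whether that can happen depends on callers not shown here. The `spec` mapping continues outside this hunk.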