From 4461916dc227e65729e88d5cb95f0ade7f784da4 Mon Sep 17 00:00:00 2001
From: treddy08
Date: Sat, 2 May 2026 23:07:06 +1000
Subject: [PATCH] Exclude Google Trust Services ClusterIssuers when reencrypt route is enabled

When ocp4_workload_rhacs_enable_reencrypt_route is set to true, filter out ClusterIssuers that use Google Trust Services (/acme/google/) as they are incompatible with OpenShift reencrypt routes. The role will now prefer ZeroSSL, Let's Encrypt, or other ACME providers for certificate issuance when the reencrypt route feature is enabled, while maintaining existing behavior when reencrypt is disabled.
---
 roles/ocp4_workload_rhacs/tasks/certificate.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/roles/ocp4_workload_rhacs/tasks/certificate.yml b/roles/ocp4_workload_rhacs/tasks/certificate.yml
index 0b3fc00..81b8cb7 100644
--- a/roles/ocp4_workload_rhacs/tasks/certificate.yml
+++ b/roles/ocp4_workload_rhacs/tasks/certificate.yml
@@ -37,13 +37,18 @@
 retries: 5
 delay: 5
 
- - name: Filter to Ready ClusterIssuers only
+ - name: Filter to Ready ClusterIssuers only (exclude Google Trust Services if reencrypt enabled)
 ansible.builtin.set_fact:
 _ready_cluster_issuers: >-
 {{
- r_cluster_issuers.resources
+ (r_cluster_issuers.resources
 | json_query("[?status.conditions[?type=='Ready' && status=='True']]")
- | default([])
+ | rejectattr('spec.acme.server', 'search', '/acme/google/')
+ | list)
+ if ocp4_workload_rhacs_enable_reencrypt_route | bool
+ else (r_cluster_issuers.resources
+ | json_query("[?status.conditions[?type=='Ready' && status=='True']]")
+ | list)
 }}
 
 - name: Fail if no ClusterIssuer is found but certificates are requested
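Review bot: `rejectattr('spec.acme.server', 'search', '/acme/google/')` on the new side resolves a nested attribute for every Ready issuer, so a Ready ClusterIssuer that has no ACME section (a CA, Vault or selfSigned issuer) hands an undefined value to the `search` test, which under Ansible's strict undefined handling is likely to fail the task rather than keep that issuer; moving the exclusion into the JMESPath filter, e.g. `json_query("[?status.conditions[?type=='Ready' && status=='True'] && !contains(spec.acme.server || '', '/acme/google/')]")`, keeps non-ACME issuers and avoids the undefined lookup, though the exact expression should be checked against a fixture with both issuer kinds. The Ready filter is now written twice; filtering once and applying the rejection only in the `if` branch would keep the two paths from drifting apart. When a Google Trust Services issuer is the only Ready one, the reencrypt branch yields an empty list without any trace of why, and the following "Fail if no ClusterIssuer" task (outside this hunk) would report that no issuer exists; a comment above the task such as `# Google Trust Services issuers are excluded on purpose when the reencrypt route is enabled; a Ready GTS-only cluster will fail the next task` or an equivalent sentence in that failure message would save the operator from looking for a missing issuer. Dropping `| default([])` looks harmless because `json_query` already returns a list, but I could not confirm from this hunk that `r_cluster_issuers.resources` is always present.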