Render Kubernetes TLS from an IdM certificate
When To Use This
Use this to render TLS Secret manifests from certificate material without applying them by default.
Required Authority
The IdM CA owns certificate issuance. Kubernetes enforces nothing until a manifest is applied, and this workflow does not apply by default.
Safety Boundary
This workflow is render-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Inputs
- Named target objects
- Credentials with the required IdM or platform authority
- A reviewed output path or downstream task
Steps
- Confirm the target objects and authority before running.
- Run the command or task with review-friendly output.
- Inspect the returned evidence before continuing to any mutating step.
ansible-playbook playbooks/render-kubernetes-tls-secret-from-idm-cert.yml
Example TLS Secret Rendering
This vars file renders a redacted TLS Secret manifest from certificate material that was already issued and reviewed.
render-tls-secret-vars.yml
---
eigenstate_k8s_tls_secret_name: app-tls
eigenstate_k8s_tls_namespace: payments
eigenstate_k8s_tls_certificate: "{{ lookup('file', 'artifacts/app.pem') }}"
eigenstate_k8s_tls_private_key: "{{ lookup('file', 'private/app.key') }}"
eigenstate_k8s_tls_output_dir: ./artifacts
eigenstate_k8s_tls_render_only: true
eigenstate_k8s_tls_apply: false
eigenstate_k8s_tls_render_review_manifest: true
eigenstate_k8s_tls_write_payload_manifest: false
Run It
ansible-playbook playbooks/render-kubernetes-tls-secret-from-idm-cert.yml \
-e @render-tls-secret-vars.yml
Expected Evidence
The role renders a review-only TLS Secret manifest with redacted certificate fields. A captured render run produced:
PLAY [Render Kubernetes TLS Secret manifest from IdM certificate material]
TASK [eigenstate.ipa.kubernetes_tls_from_idm_cert : Render reviewable Kubernetes TLS Secret manifest] ***
changed: [localhost]
PLAY RECAP ************************************************************
localhost : ok=5 changed=2 unreachable=0 failed=0 skipped=4 rescued=0 ignored=0
The review artifact redacts both TLS fields:
apiVersion: v1
kind: Secret
metadata:
  name: "idm-tls-secret"
  namespace: "default"
  annotations:
    eigenstate.ipa/payload: "redacted-in-review-manifest"
    eigenstate.ipa/source: "idm-cert"
type: kubernetes.io/tls
stringData:
  tls.crt: "REDACTED"
  tls.key: "REDACTED"
Troubleshooting
- Permission failure: verify the account and delegated authority.
- Unexpected empty result: verify target names and source records.
- Unsafe output: redact payloads and add no_log: true to any task where secret material is present.
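The review artifact above and the "Unsafe output" item share one concern: a manifest that is safe to read must carry the same structure as the one that will be applied, minus the key material. The following Python script is an added example, not part of the eigenstate.ipa role; it renders the same Secret shape as the review artifact, validates that the inputs are PEM-framed (so an empty or wrong file fails before rendering rather than producing an empty Secret), and checks the rendered text for leaked PEM markers before it is written out. The PEM strings, the name app-tls and the namespace payments are constructed sample values; the annotation value for the non-redacted case ("present") is an assumption, since the page only shows the redacted form.

```python
"""Render a Kubernetes TLS Secret manifest either redacted for review or
complete for a later, separately reviewed apply step.

Added example; not the eigenstate.ipa role's own code.
"""
import json
import re

# PEM framing checks. These detect empty or mis-pointed inputs, not
# cryptographic validity of the certificate or key.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?"
    r"-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)

# Constructed placeholder material; not a real certificate or key.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "MIIBplaceholdercertificatebody==\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              "MIIEplaceholderprivatekeybody==\n"
              "-----END PRIVATE KEY-----\n")


def validate_tls_material(cert: str, key: str) -> bool:
    """Raise ValueError on empty or non-PEM inputs; return True otherwise."""
    if not cert or not cert.strip():
        raise ValueError("certificate input is empty")
    if not key or not key.strip():
        raise ValueError("private key input is empty")
    if not PEM_CERT_RE.search(cert):
        raise ValueError("certificate input is not PEM-framed")
    if not PEM_KEY_RE.search(key):
        raise ValueError("private key input is not PEM-framed")
    return True


def render_tls_secret(name: str, namespace: str, cert: str, key: str,
                      redact: bool = True) -> dict:
    """Build a kubernetes.io/tls Secret. With redact=True the TLS fields
    are replaced by the literal REDACTED, matching the review artifact."""
    validate_tls_material(cert, key)
    # Assumed annotation value for the non-redacted case (not on the page).
    payload_state = "redacted-in-review-manifest" if redact else "present"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "eigenstate.ipa/payload": payload_state,
                "eigenstate.ipa/source": "idm-cert",
            },
        },
        "type": "kubernetes.io/tls",
        "stringData": {
            "tls.crt": "REDACTED" if redact else cert,
            "tls.key": "REDACTED" if redact else key,
        },
    }


def render_json(manifest: dict) -> str:
    """Serialize as JSON; kubectl accepts JSON manifests, and this avoids a
    YAML library dependency in the example."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def leaks_secret_material(rendered: str) -> bool:
    """True if the rendered text still contains PEM-framed key or cert
    material. Use this as a guard before writing a review artifact."""
    return bool(PEM_KEY_RE.search(rendered) or PEM_CERT_RE.search(rendered))


if __name__ == "__main__":
    review = render_tls_secret("app-tls", "payments", SAMPLE_CERT, SAMPLE_KEY)
    text = render_json(review)
    if leaks_secret_material(text):
        raise SystemExit("refusing to write review artifact: secret material present")
    print(text)
```

The same guard belongs in any pipeline that writes a review manifest to a shared location: generate, scan for PEM markers, and only then write. The non-redacted render is kept behind an explicit redact=False so that the default path mirrors the role's render-only boundary.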