Merge "Use handlers for letsencrypt cert updates"
This commit is contained in:
commit
33e09b7ef5
|
@ -1,4 +1,4 @@
|
||||||
letsencrypt_certs:
|
letsencrypt_certs:
|
||||||
main:
|
graphite01-main:
|
||||||
- graphite01.opendev.org
|
- graphite01.opendev.org
|
||||||
- graphite.opendev.org
|
- graphite.opendev.org
|
||||||
|
|
|
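Review bot: the rename from `main` to `graphite01-main` changes the notify target for this host to `letsencrypt updated graphite01-main`, so the matching handler must land in `handlers/main.yaml` in the same change; per the docs hunk, a notify with no listener makes the play error, which would turn every certificate renewal on graphite01 into a failed run. A short comment next to the key saying that the key name doubles as the handler suffix would help the next person who copies this file for a new host.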
@ -0,0 +1,32 @@
|
||||||
|
# Handlers for "letsencrypt update {{ key }}" events
|
||||||
|
#
|
||||||
|
# Note that because Ansible requires every called handler to have a
|
||||||
|
# listener, every host will need to provide a handler somehow.
|
||||||
|
#
|
||||||
|
# NOTE(ianw): as at 04/2019 it seems that something like
|
||||||
|
#
|
||||||
|
# listen: letsencrypt updated letsencrypt01-main-service
|
||||||
|
#
|
||||||
|
# doesn't actually register the handler. May be a bug or a feature to
|
||||||
|
# do with import_tasks; currently unsure.
|
||||||
|
|
||||||
|
- name: letsencrypt updated graphite01-main
|
||||||
|
import_tasks: touch_file.yaml
|
||||||
|
vars:
|
||||||
|
touch_file: '/tmp/letsencrypt-graphite01-main.stamp'
|
||||||
|
|
||||||
|
# Gate testing hosts:
|
||||||
|
- name: letsencrypt updated letsencrypt01-main-service
|
||||||
|
import_tasks: touch_file.yaml
|
||||||
|
vars:
|
||||||
|
touch_file: '/tmp/letsencrypt01-main-service.stamp'
|
||||||
|
|
||||||
|
- name: letsencrypt updated letsencrypt01-other-service
|
||||||
|
import_tasks: touch_file.yaml
|
||||||
|
vars:
|
||||||
|
touch_file: '/tmp/letsencrypt01-other-service.stamp'
|
||||||
|
|
||||||
|
- name: letsencrypt updated letsencrypt02-main-service
|
||||||
|
import_tasks: touch_file.yaml
|
||||||
|
vars:
|
||||||
|
touch_file: '/tmp/letsencrypt02-main-service.stamp'
|
|
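Review bot: the production handler `letsencrypt updated graphite01-main` only touches `/tmp/letsencrypt-graphite01-main.stamp`, so a renewed certificate is written to disk but nothing consuming it is reloaded; if that is intentional as a first step, say so in the file comment and track the follow-up that replaces the touch with the real service reload. Separately, the `NOTE(ianw)` about `listen:` not registering under `import_tasks` is a real limitation worth carrying into the role docs, since the only supported pattern is then the exact `- name: letsencrypt updated <key>` form shown here, and every host in the inventory must supply one.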
@ -0,0 +1,5 @@
|
||||||
|
- name: 'Touch {{ touch_file }}'
|
||||||
|
file:
|
||||||
|
path: '{{ touch_file }}'
|
||||||
|
state: touch
|
||||||
|
|
|
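Review bot: the task fails with an undefined-variable error if a caller forgets to pass `touch_file`; that is the intended contract, but a one-line comment at the top of `touch_file.yaml` stating the required var would make the file self-describing. Also, the stamp paths chosen by the callers are predictable, root-written files under `/tmp`, which is a world-writable directory; a root-owned location such as the role's own state directory would avoid that class of problem for anything later built on these stamps.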
@ -10,5 +10,6 @@
|
||||||
chdir: /opt/acme.sh/
|
chdir: /opt/acme.sh/
|
||||||
environment:
|
environment:
|
||||||
LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
|
LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
|
||||||
|
notify: 'letsencrypt updated {{ item.key }}'
|
||||||
|
|
||||||
# Keys generated!
|
# Keys generated!
|
|
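Review bot: `notify: 'letsencrypt updated {{ item.key }}'` fires whenever this task reports changed, and from the `chdir`/`environment` context this is a `command`-style task running acme.sh, which reports changed on every run unless `changed_when` is set. Without a `changed_when` keyed on acme.sh's output (for example, whether it reports the cert as already current), the handler, and whatever service reload eventually hangs off it, will run on every playbook execution rather than only when a certificate was actually issued or renewed.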
@ -35,16 +35,25 @@ provision process.
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
letsencrypt_certs:
|
letsencrypt_certs:
|
||||||
main:
|
hostname-main-cert:
|
||||||
- hostname01.opendev.org
|
- hostname01.opendev.org
|
||||||
- hostname.opendev.org
|
- hostname.opendev.org
|
||||||
secondary:
|
hostname-secondary-cert:
|
||||||
- foo.opendev.org
|
- foo.opendev.org
|
||||||
|
|
||||||
will ultimately result in two certificates being provisioned on the
|
will ultimately result in two certificates being provisioned on the
|
||||||
host in ``/etc/letsencrypt-certs/hostname01.opendev.org`` and
|
host in ``/etc/letsencrypt-certs/hostname01.opendev.org`` and
|
||||||
``/etc/letsencrypt-certs/foo.opendev.org``.
|
``/etc/letsencrypt-certs/foo.opendev.org``.
|
||||||
|
|
||||||
|
Note the creation role ``letsencrypt-create-certs`` will call a
|
||||||
|
handler ``letsencrypt updated {{ key }}`` (for example,
|
||||||
|
``letsencrypt updated hostname-main-cert``) when that certificate
|
||||||
|
is created or updated. Because Ansible errors if a handler is
|
||||||
|
called with no listeners, you *must* define a listener for event.
|
||||||
|
``letsencrypt-create-certs`` has ``handlers/main.yaml`` where
|
||||||
|
handlers can be defined. Since handlers reside in a global
|
||||||
|
namespace, you should choose an appropriately unique name.
|
||||||
|
|
||||||
Note that each entry will require a ``CNAME`` pointing the ACME
|
Note that each entry will require a ``CNAME`` pointing the ACME
|
||||||
challenge domain to the TXT record that will be created in the
|
challenge domain to the TXT record that will be created in the
|
||||||
signing domain. For example above, the following records would need
|
signing domain. For example above, the following records would need
|
||||||
|
|
|
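Review bot: small grammar fix in the new paragraph: "you *must* define a listener for event" should read "you *must* define a listener for the event". It would also help to state here, next to the "handlers reside in a global namespace" sentence, that `listen:` does not currently register the handler under `import_tasks` (as the comment in `handlers/main.yaml` notes), so the handler's `name` must match `letsencrypt updated <key>` exactly.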
@ -1,7 +1,7 @@
|
||||||
letsencrypt_certs:
|
letsencrypt_certs:
|
||||||
main:
|
letsencrypt01-main-service:
|
||||||
- letsencrypt01.opendev.org
|
- letsencrypt01.opendev.org
|
||||||
- letsencrypt.opendev.org
|
- letsencrypt.opendev.org
|
||||||
- alias.opendev.org
|
- alias.opendev.org
|
||||||
secondary:
|
letsencrypt01-other-service:
|
||||||
- someotherservice.opendev.org
|
- someotherservice.opendev.org
|
|
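Review bot: the key names now use three different conventions across the change (`graphite01-main`, `letsencrypt01-main-service`, and `hostname-main-cert` in the docs example); since these keys are global handler names, picking one convention and using it in the docs example would reduce the chance of two hosts colliding on a name like `main`, which this change is fixing.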
@ -1,4 +1,4 @@
|
||||||
letsencrypt_certs:
|
letsencrypt_certs:
|
||||||
main:
|
letsencrypt02-main-service:
|
||||||
- letsencrypt02.opendev.org
|
- letsencrypt02.opendev.org
|
||||||
- letsencrypt.opendev.org
|
- letsencrypt.opendev.org
|
||||||
|
|
|
@ -68,3 +68,17 @@ def test_certs_created(host):
|
||||||
|
|
||||||
else:
|
else:
|
||||||
pytest.skip()
|
pytest.skip()
|
||||||
|
|
||||||
|
def test_updated_handler(host):
|
||||||
|
if host.backend.get_hostname() == 'letsencrypt01.opendev.org':
|
||||||
|
stamp_file = host.file('/tmp/letsencrypt01-main-service.stamp')
|
||||||
|
assert stamp_file.exists
|
||||||
|
stamp_file = host.file('/tmp/letsencrypt01-other-service.stamp')
|
||||||
|
assert stamp_file.exists
|
||||||
|
|
||||||
|
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
|
||||||
|
stamp_file = host.file('/tmp/letsencrypt02-main-service.stamp')
|
||||||
|
assert stamp_file.exists
|
||||||
|
|
||||||
|
else:
|
||||||
|
pytest.skip()
|
||||||
|
|
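Review bot: `assert stamp_file.exists` shows the handler fired at some point but not that it fired because of this run's certificate creation; on a reused node a stale stamp under `/tmp` would still pass. Consider also asserting that the stamp's mtime is not older than the corresponding certificate file in `/etc/letsencrypt-certs/`, and add a comment that the graphite01 handler is not covered here because graphite01 is not a gate host.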