Fix letsencrypt_self_generate_tokens defaults

We set the letsencrypt_self_generate_tokens value to True in testing
which means the variable is valid and exists in testing. However, in
production this variable isn't set and doesn't ahve a default so we get:

  The task includes an option with an undefined variable. The error was:
  'letsencrypt_self_generate_tokens' is undefined

Fix this by setting the default value for this var to False. Also, add
it to the README of letsencrypt-request-certs as this is where it is
primarily used.

Change-Id: I862df6ea3ff7f3a1df2a088b04d230bb618aaa85

playbooks/roles/letsencrypt-create-certs/defaults/main.yaml

@@ -1,2 +1,3 @@
 letsencrypt_use_staging: False
 letsencrypt_self_sign_only: False
+letsencrypt_self_generate_tokens: False

playbooks/roles/letsencrypt-request-certs/README.rst

@@ -15,6 +15,17 @@ provision process.
 
 **Role Variables**
 
+.. zuul:rolevar:: letsencrypt_self_generate_tokens
+   :default: False
+
+   When set to ``True``, self-generate fake DNS-01 TXT tokens rather
+   than acquiring them through the ACME process with letsencrypt.
+   This avoids leaving "half-open" challenges during gate testing,
+   where we have no way to publish the DNS TXT records letsencrypt
+   gives us to complete the certificate issue.  This should be
+   ``True`` if ``letsencrypt_self_sign_only`` is ``True`` (unless you
+   wish to specifically test the ``acme.sh`` operation).
+
 .. zuul:rolevar:: letsencrypt_use_staging
 
    If set to True will use the letsencrypt staging environment, rather

playbooks/roles/letsencrypt-request-certs/defaults/main.yaml

@@ -1 +1,2 @@
-letsencrypt_use_staging: False
+letsencrypt_use_staging: False
+letsencrypt_self_generate_tokens: False