From 4346570a0bb2cf3372589a0b6d522963654ab44b Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 6 Oct 2021 08:30:25 -0700 Subject: [PATCH] Fix letsencrypt_self_generate_tokens defaults We set the letsencrypt_self_generate_tokens value to True in testing which means the variable is valid and exists in testing. However, in production this variable isn't set and doesn't have a default so we get: The task includes an option with an undefined variable. The error was: 'letsencrypt_self_generate_tokens' is undefined Fix this by setting the default value for this var to False. Also, add it to the README of letsencrypt-request-certs as this is where it is primarily used. Change-Id: I862df6ea3ff7f3a1df2a088b04d230bb618aaa85 --- .../roles/letsencrypt-create-certs/defaults/main.yaml | 1 + playbooks/roles/letsencrypt-request-certs/README.rst | 11 +++++++++++ .../letsencrypt-request-certs/defaults/main.yaml | 3 ++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml b/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml index c273d03269..4c05902f44 100644 --- a/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml @@ -1,2 +1,3 @@ letsencrypt_use_staging: False letsencrypt_self_sign_only: False +letsencrypt_self_generate_tokens: False diff --git a/playbooks/roles/letsencrypt-request-certs/README.rst b/playbooks/roles/letsencrypt-request-certs/README.rst index 57cb25e0fa..92695ef949 100644 --- a/playbooks/roles/letsencrypt-request-certs/README.rst +++ b/playbooks/roles/letsencrypt-request-certs/README.rst 
@@ -15,6 +15,17 @@ provision process. **Role Variables** +.. zuul:rolevar:: letsencrypt_self_generate_tokens + :default: False + + When set to ``True``, self-generate fake DNS-01 TXT tokens rather + than acquiring them through the ACME process with letsencrypt. + This avoids leaving "half-open" challenges during gate testing, + where we have no way to publish the DNS TXT records letsencrypt + gives us to complete the certificate issue. This should be + ``True`` if ``letsencrypt_self_sign_only`` is ``True`` (unless you + wish to specifically test the ``acme.sh`` operation). + .. zuul:rolevar:: letsencrypt_use_staging If set to True will use the letsencrypt staging environment, rather diff --git a/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml b/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml index 40f89a22be..371b55d6c3 100644 --- a/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml +++ b/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml @@ -1 +1,2 @@ -letsencrypt_use_staging: False \ No newline at end of file +letsencrypt_use_staging: False +letsencrypt_self_generate_tokens: False
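Review bot: In playbooks/roles/letsencrypt-create-certs/defaults/main.yaml the added `letsencrypt_self_generate_tokens: False` is a second copy of the default that the last hunk adds to letsencrypt-request-certs/defaults/main.yaml, and the diffstat shows no README change for letsencrypt-create-certs. Two literal defaults for one variable can drift apart in a later edit. Suggest documenting the variable in the create-certs README as well, or at least adding a comment in each defaults file that names the other role, so a future change to one copy is made to both.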
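Review bot: The new README entry for letsencrypt-request-certs says the variable "should be ``True`` if ``letsencrypt_self_sign_only`` is ``True``", but nothing in this patch enforces that: both defaults files set it to a literal `False`, and the request-certs defaults file (two lines after this change) carries no default for `letsencrypt_self_sign_only` at all. An operator who enables self-sign-only and forgets this variable gets exactly the "half-open" challenges against letsencrypt that the text warns about. Suggest either deriving the default from `letsencrypt_self_sign_only`, or adding an `assert` task at the top of the role that fails when the two are inconsistent, with the documented `acme.sh` testing case as an explicit opt-out.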
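Review bot: In playbooks/roles/letsencrypt-request-certs/defaults/main.yaml the added `letsencrypt_self_generate_tokens: False` fixes this one undefined variable, but per the commit message the gate always sets the variable to True, so the path that uses the role defaults is still never exercised before production. Suggest a follow-up gate check that loads only the role defaults, without the testing overrides, so the next variable that is set in testing but has no default is caught in review rather than on a production run. The trailing-newline fix on `letsencrypt_use_staging: False` in the same hunk is fine as is.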