letsencrypt : minor updates

Minor updates from review comments for I1f66da614751a29cc565b37cdc9ff34d70fdfd3f Change-Id: Ie011f768345ca3d8fdcc0b833f5645a635983d64
2019-04-05 16:49:41 +11:00 · 2019-04-05 16:49:41 +11:00 · 6088c788f1
commit 6088c788f1
parent afd907c16d
3 changed files with 14 additions and 10 deletions
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@ -73,8 +73,7 @@ groups:
    - kdc[0-9]*.open*.org
  kubernetes:
    - opendev-k8s*.opendev.org
-#  letsencrypt:
-#    - TBD
+  letsencrypt: []
  logstash:
    - logstash[0-9]*.open*.org
  logstash-worker:
--- a/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
@ -17,13 +17,17 @@
 - debug:
    var: acme_output.stdout_lines

-# NOTE(ianw): The output is domain:key which we split into a tuple
-# here.  We don't make use of the domain part ATM; our default CNAME
-# setup points "_acme-challenge.host.acme.opendev.org" to just
-# "acme.opendev.org" so we put all the keys into "top-level" TXT
-# records directly at acme.opendev.org.  letsencyrpt doesn't care; it
-# just follows the CNAME and enumerates all the TXT records in
-# acme.opendev.org looking for one that matches.
+# NOTE(ianw): The output is challenge-domain:txt-key which we split
+# into a tuple here.  acme.sh by default puts the hostname into the
+# challenge domain it outputs.  For simplicity, we don't actually make
+# use of the full challenge-domain part; our default CNAME setup
+# points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
+# -- thus we put all the keys into "top-level" TXT records directly at
+# acme.opendev.org.  letsencyrpt doesn't care; it just follows the
+# CNAME and enumerates all the TXT records in acme.opendev.org looking
+# for one that matches.  So even though we don't put it in the dns
+# records, having the hostname the TXT record is for is handy for
+# debugging, etc, so we pass it through.
 - set_fact:
    acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
  loop: '{{ acme_output.stdout_lines }}'
--- a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
@ -16,7 +16,8 @@
 #
 # All required TXT keys are put into acme_txt_required

- include_tasks: acme.yaml
+- name: Generate certificate creation/renewal requests
+  include_tasks: acme.yaml
  loop: "{{ query('dict', letsencrypt_certs) }}"
  loop_control:
    loop_var: cert