letsencrypt : minor updates

Minor updates from review comments for
I1f66da614751a29cc565b37cdc9ff34d70fdfd3f

Change-Id: Ie011f768345ca3d8fdcc0b833f5645a635983d64
This commit is contained in:
Ian Wienand 2019-04-05 16:49:41 +11:00
parent afd907c16d
commit 6088c788f1
3 changed files with 14 additions and 10 deletions

View File

@ -73,8 +73,7 @@ groups:
- kdc[0-9]*.open*.org
kubernetes:
- opendev-k8s*.opendev.org
# letsencrypt:
# - TBD
letsencrypt: []
logstash:
- logstash[0-9]*.open*.org
logstash-worker:

View File

@ -17,13 +17,17 @@
- debug:
var: acme_output.stdout_lines
# NOTE(ianw): The output is domain:key which we split into a tuple
# here. We don't make use of the domain part ATM; our default CNAME
# setup points "_acme-challenge.host.acme.opendev.org" to just
# "acme.opendev.org" so we put all the keys into "top-level" TXT
# records directly at acme.opendev.org. letsencyrpt doesn't care; it
# just follows the CNAME and enumerates all the TXT records in
# acme.opendev.org looking for one that matches.
# NOTE(ianw): The output is challenge-domain:txt-key which we split
# into a tuple here. acme.sh by default puts the hostname into the
# challenge domain it outputs. For simplicity, we don't actually make
# use of the full challenge-domain part; our default CNAME setup
# points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
# -- thus we put all the keys into "top-level" TXT records directly at
# acme.opendev.org. letsencyrpt doesn't care; it just follows the
# CNAME and enumerates all the TXT records in acme.opendev.org looking
# for one that matches. So even though we don't put it in the dns
# records, having the hostname the TXT record is for is handy for
# debugging, etc, so we pass it through.
- set_fact:
acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
loop: '{{ acme_output.stdout_lines }}'

View File

@ -16,7 +16,8 @@
#
# All required TXT keys are put into acme_txt_required
- include_tasks: acme.yaml
- name: Generate certificate creation/renewal requests
include_tasks: acme.yaml
loop: "{{ query('dict', letsencrypt_certs) }}"
loop_control:
loop_var: cert