letsencrypt : minor updates

Minor updates from review comments for
I1f66da614751a29cc565b37cdc9ff34d70fdfd3f

Change-Id: Ie011f768345ca3d8fdcc0b833f5645a635983d64
Ian Wienand 2019-04-05 16:49:41 +11:00
parent afd907c16d
commit 6088c788f1
3 changed files with 14 additions and 10 deletions


@ -73,8 +73,7 @@ groups:
- kdc[0-9]*.open*.org - kdc[0-9]*.open*.org
kubernetes: kubernetes:
- opendev-k8s*.opendev.org - opendev-k8s*.opendev.org
# letsencrypt: letsencrypt: []
# - TBD
logstash: logstash:
- logstash[0-9]*.open*.org - logstash[0-9]*.open*.org
logstash-worker: logstash-worker:


@ -17,13 +17,17 @@
- debug: - debug:
var: acme_output.stdout_lines var: acme_output.stdout_lines
# NOTE(ianw): The output is domain:key which we split into a tuple # NOTE(ianw): The output is challenge-domain:txt-key which we split
# here. We don't make use of the domain part ATM; our default CNAME # into a tuple here. acme.sh by default puts the hostname into the
# setup points "_acme-challenge.host.acme.opendev.org" to just # challenge domain it outputs. For simplicity, we don't actually make
# "acme.opendev.org" so we put all the keys into "top-level" TXT # use of the full challenge-domain part; our default CNAME setup
# records directly at acme.opendev.org. letsencyrpt doesn't care; it # points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
# just follows the CNAME and enumerates all the TXT records in # -- thus we put all the keys into "top-level" TXT records directly at
# acme.opendev.org looking for one that matches. # acme.opendev.org. letsencyrpt doesn't care; it just follows the
# CNAME and enumerates all the TXT records in acme.opendev.org looking
# for one that matches. So even though we don't put it in the dns
# records, having the hostname the TXT record is for is handy for
# debugging, etc, so we pass it through.
- set_fact: - set_fact:
acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}' acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
loop: '{{ acme_output.stdout_lines }}' loop: '{{ acme_output.stdout_lines }}'
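Review bot: The rewritten NOTE(ianw) comment explains that every challenge key is published as a top-level TXT record at acme.opendev.org, but it stops short of stating the trust consequence of that shared zone. Presumably anything able to write TXT records there can answer a DNS challenge for every host whose `_acme-challenge` CNAME points at it, so I would add a line such as `# Write access to acme.opendev.org therefore covers validation for every host CNAMEd to it; keep it restricted.` The new text also keeps the misspelling `letsencyrpt`; `letsencrypt` would make the comment greppable. Since the comment now pins the format as `challenge-domain:txt-key`, it could also say that the unchanged `set_fact` below assumes exactly one `:` per output line.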


@ -16,7 +16,8 @@
# #
# All required TXT keys are put into acme_txt_required # All required TXT keys are put into acme_txt_required
- include_tasks: acme.yaml - name: Generate certificate creation/renewal requests
include_tasks: acme.yaml
loop: "{{ query('dict', letsencrypt_certs) }}" loop: "{{ query('dict', letsencrypt_certs) }}"
loop_control: loop_control:
loop_var: cert loop_var: cert