letsencrypt : minor updates
Minor updates from review comments for I1f66da614751a29cc565b37cdc9ff34d70fdfd3f Change-Id: Ie011f768345ca3d8fdcc0b833f5645a635983d64
parent
afd907c16d
commit
6088c788f1
@ -73,8 +73,7 @@ groups:
|
|||||||
- kdc[0-9]*.open*.org
|
- kdc[0-9]*.open*.org
|
||||||
kubernetes:
|
kubernetes:
|
||||||
- opendev-k8s*.opendev.org
|
- opendev-k8s*.opendev.org
|
||||||
# letsencrypt:
|
letsencrypt: []
|
||||||
# - TBD
|
|
||||||
logstash:
|
logstash:
|
||||||
- logstash[0-9]*.open*.org
|
- logstash[0-9]*.open*.org
|
||||||
logstash-worker:
|
logstash-worker:
|
||||||
|
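Review bot: `letsencrypt: []` replaces the commented-out placeholder, but nothing on the new side says the group is deliberately empty, so a reader cannot tell an unfinished rollout from a mistake. Any play that targets this group would presumably match no hosts until entries are added. A one-line comment above the key, e.g. `# No hosts enrolled yet; add host globs here to enable certificate handling`, would keep the intent that the removed `# - TBD` carried.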
@ -17,13 +17,17 @@
|
|||||||
- debug:
|
- debug:
|
||||||
var: acme_output.stdout_lines
|
var: acme_output.stdout_lines
|
||||||
|
|
||||||
# NOTE(ianw): The output is domain:key which we split into a tuple
|
# NOTE(ianw): The output is challenge-domain:txt-key which we split
|
||||||
# here. We don't make use of the domain part ATM; our default CNAME
|
# into a tuple here. acme.sh by default puts the hostname into the
|
||||||
# setup points "_acme-challenge.host.acme.opendev.org" to just
|
# challenge domain it outputs. For simplicity, we don't actually make
|
||||||
# "acme.opendev.org" so we put all the keys into "top-level" TXT
|
# use of the full challenge-domain part; our default CNAME setup
|
||||||
# records directly at acme.opendev.org. letsencyrpt doesn't care; it
|
# points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
|
||||||
# just follows the CNAME and enumerates all the TXT records in
|
# -- thus we put all the keys into "top-level" TXT records directly at
|
||||||
# acme.opendev.org looking for one that matches.
|
# acme.opendev.org. letsencyrpt doesn't care; it just follows the
|
||||||
|
# CNAME and enumerates all the TXT records in acme.opendev.org looking
|
||||||
|
# for one that matches. So even though we don't put it in the dns
|
||||||
|
# records, having the hostname the TXT record is for is handy for
|
||||||
|
# debugging, etc, so we pass it through.
|
||||||
- set_fact:
|
- set_fact:
|
||||||
acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
|
acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
|
||||||
loop: '{{ acme_output.stdout_lines }}'
|
loop: '{{ acme_output.stdout_lines }}'
|
||||||
|
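Review bot: The `set_fact` loop at the end of this hunk turns every line of `acme_output.stdout_lines` into a TXT entry without checking its shape, and the rewritten comment describes the expected `challenge-domain:txt-key` format without saying what happens to lines that do not match it. A line with no colon fails on `item.split(":")[1]`, and any other stdout line that happens to contain a colon is passed on as a record value, so whatever the driver prints is what ends up in `acme_txt_required` and, presumably, in the acme.opendev.org zone. A guard on the task such as `when: item is match('^[^:]+:[A-Za-z0-9_-]+$')` would keep only well-formed pairs. The new comment also carries over the `letsencyrpt` typo, and the `debug` and `set_fact` tasks still have no `name:`, unlike the include task that this commit names in another file.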
@ -16,7 +16,8 @@
|
|||||||
#
|
#
|
||||||
# All required TXT keys are put into acme_txt_required
|
# All required TXT keys are put into acme_txt_required
|
||||||
|
|
||||||
- include_tasks: acme.yaml
|
- name: Generate certificate creation/renewal requests
|
||||||
|
include_tasks: acme.yaml
|
||||||
loop: "{{ query('dict', letsencrypt_certs) }}"
|
loop: "{{ query('dict', letsencrypt_certs) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: cert
|
loop_var: cert
|
||||||
|