
Merge "letsencrypt : minor updates"

changes/53/651053/1
Zuul 1 month ago
parent
commit
693fe27610

+ 1
- 2
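--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -72,8 +72,7 @@ groups:
     - kdc[0-9]*.open*.org
   kubernetes:
     - opendev-k8s*.opendev.org
-#  letsencrypt:
-#    - TBD
+  letsencrypt: []
   logstash:
     - logstash[0-9]*.open*.org
   logstash-worker: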
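Review bot: Replacing the `#    - TBD` placeholder with a bare `letsencrypt: []` loses the signal that this group is deliberately empty, so a later reader cannot distinguish an intentional no-op from a forgotten entry. A one-line comment above the new entry, `# Intentionally empty: no hosts are opted into letsencrypt yet`, keeps that intent without re-introducing commented-out YAML. Presumably anything keyed on this group simply does nothing on an empty inventory, so the comment would be the only record that this is expected.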

+ 11
- 7
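--- a/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
@@ -17,13 +17,17 @@
 - debug:
     var: acme_output.stdout_lines
 
-# NOTE(ianw): The output is domain:key which we split into a tuple
-# here.  We don't make use of the domain part ATM; our default CNAME
-# setup points "_acme-challenge.host.acme.opendev.org" to just
-# "acme.opendev.org" so we put all the keys into "top-level" TXT
-# records directly at acme.opendev.org.  letsencyrpt doesn't care; it
-# just follows the CNAME and enumerates all the TXT records in
-# acme.opendev.org looking for one that matches.
+# NOTE(ianw): The output is challenge-domain:txt-key which we split
+# into a tuple here.  acme.sh by default puts the hostname into the
+# challenge domain it outputs.  For simplicity, we don't actually make
+# use of the full challenge-domain part; our default CNAME setup
+# points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
+# -- thus we put all the keys into "top-level" TXT records directly at
+# acme.opendev.org.  letsencyrpt doesn't care; it just follows the
+# CNAME and enumerates all the TXT records in acme.opendev.org looking
+# for one that matches.  So even though we don't put it in the dns
+# records, having the hostname the TXT record is for is handy for
+# debugging, etc, so we pass it through.
 - set_fact:
     acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
   loop: '{{ acme_output.stdout_lines }}'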
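Review bot: The rewritten NOTE carries over the misspelling `letsencyrpt` on the line `# acme.opendev.org.  letsencyrpt doesn't care; it just follows the`; since the hunk rewrites exactly this text, it should read `letsencrypt`. The `set_fact` that the comment describes also depends on every output line holding exactly one `:`: with `item.split(":")[1]` a value containing a second colon would be silently truncated rather than rejected. If the txt-key is the base64url challenge digest, as the comment implies, that cannot occur, but either stating it in the NOTE (`# neither part can contain ':', so a plain split is safe`) or using `item.split(":", 1)` pins the assumption the parsing relies on. The `set_fact` task may continue past the end of the hunk.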

+ 2
- 1
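--- a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
@@ -16,7 +16,8 @@
 #
 # All required TXT keys are put into acme_txt_required
 
-- include_tasks: acme.yaml
+- name: Generate certificate creation/renewal requests
+  include_tasks: acme.yaml
   loop: "{{ query('dict', letsencrypt_certs) }}"
   loop_control:
     loop_var: cert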
