diff --git a/playbooks/host_vars/graphite01.opendev.org.yaml b/playbooks/host_vars/graphite01.opendev.org.yaml
index ce2cf60f13..5f0777589b 100644
--- a/playbooks/host_vars/graphite01.opendev.org.yaml
+++ b/playbooks/host_vars/graphite01.opendev.org.yaml
@@ -1,5 +1,5 @@
 # NOTE(ianw): 2019-03 initial bringup in testing only mode
-letsencrypt_test_only: True
+letsencrypt_use_staging: True
 letsencrypt_certs:
 main:
 - graphite01.opendev.org
diff --git a/playbooks/roles/letsencrypt-create-certs/README.rst b/playbooks/roles/letsencrypt-create-certs/README.rst
index d121aa8d48..223aa011da 100644
--- a/playbooks/roles/letsencrypt-create-certs/README.rst
+++ b/playbooks/roles/letsencrypt-create-certs/README.rst
@@ -7,13 +7,19 @@ on the host.
 **Role Variables**
-.. zuul:rolevar:: letsencrypt_test_only
+.. zuul:rolevar:: letsencrypt_self_sign_only
 If set to True, will locally generate self-signed certificates in the same locations the real script would, instead of contacting letsencrypt. This is set during gate testing as the authentication tokens are not available.
+.. zuul:rolevar:: letsencrypt_use_staging
+ If set to True will use the letsencrypt staging environment, rather
+ than make production requests. Useful during initial provisioning
+ of hosts to avoid affecting production quotas.
+
 .. zuul:rolevar:: letsencrypt_certs
 The same variable as described in ``letsencrypt-request-certs``.
diff --git a/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml b/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml
index 79476abe0a..c273d03269 100644
--- a/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml
@@ -1 +1,2 @@
-letsencrypt_test_only: False
+letsencrypt_use_staging: False
+letsencrypt_self_sign_only: False
diff --git a/playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml b/playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml
index 5ee9887ead..f16c9372aa 100644
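Review bot: The comment kept above the changed line in the graphite01 host_vars hunk still says "testing only mode", which described the old `letsencrypt_test_only` flag; after the rename the host is on `letsencrypt_use_staging: True` only, and unless something outside this diff also sets `letsencrypt_self_sign_only`, create-certs will now run `driver.sh renew` against the Let's Encrypt staging CA rather than self-signing. A certificate from the staging CA is not trusted by any client, so the comment should state the exit condition rather than the old mode, e.g. `# NOTE(ianw): 2019-03 initial bringup against the LE staging CA; drop letsencrypt_use_staging (and re-issue) before this host serves real traffic`. Ansible accepts `True`, but `true` is the canonical YAML boolean; the rest of this file's convention is not visible, so match whatever it uses.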
--- a/playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml
@@ -5,12 +5,10 @@
 - name: 'Run acme.sh driver for {{ item.key }} certificate issue'
 shell:
 cmd: |
- /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_test_only else 'renew' }} {{ acme_args }}
+ /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_self_sign_only else 'renew' }} {{ acme_args }}
 args:
 chdir: /opt/acme.sh/
- register: acme_output
- - debug:
- var: acme_output.stdout_lines
+ environment:
+ LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
 # Keys generated!
\ No newline at end of file
diff --git a/playbooks/roles/letsencrypt-request-certs/README.rst b/playbooks/roles/letsencrypt-request-certs/README.rst
index 181f2e092e..0e54613134 100644
--- a/playbooks/roles/letsencrypt-request-certs/README.rst
+++ b/playbooks/roles/letsencrypt-request-certs/README.rst
@@ -15,9 +15,11 @@ provision process.
 **Role Variables**
-.. zuul:rolevar:: letsencrypt_test_only
+.. zuul:rolevar:: letsencrypt_use_staging
- Uses staging, rather than prodcution requests to letsencrypt
+ If set to True will use the letsencrypt staging environment, rather
+ than make production requests. Useful during initial provisioning
+ of hosts to avoid affecting production quotas.
 .. zuul:rolevar:: letsencrypt_certs
diff --git a/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml b/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml
index b62bfec72c..40f89a22be 100644
--- a/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml
@@ -1 +1 @@
-letsencrypt_test_only: False
\ No newline at end of file
+letsencrypt_use_staging: False
\ No newline at end of file
diff --git a/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml b/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
index f1f062d7a1..d52f8020e1 100644
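Review bot: The create-certs task now has two independent switches with a security-relevant difference that nothing in the task documents: `letsencrypt_self_sign_only` selects the `selfsign` driver mode, while `letsencrypt_use_staging` leaves the `renew` path in place but points it at the staging CA via `LETSENCRYPT_STAGING`, so a host with only the latter set gets a staging-signed certificate written into the real certificate locations and any service that loads it presents a chain no client trusts. Since the two roles carry separate defaults files and an operator looking at this task cannot tell which flag is "safe", I would add a comment above the `shell:` line such as `# letsencrypt_self_sign_only: generate a local placeholder cert; letsencrypt_use_staging: real ACME flow but against the LE staging CA, whose certs are not publicly trusted`. Whether driver.sh does anything else with `LETSENCRYPT_STAGING=0` versus unset is not visible here.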
--- a/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
@@ -10,12 +10,9 @@
 /opt/acme.sh/driver.sh issue {{ acme_args }}
 args:
 chdir: /opt/acme.sh/
- environment:
- LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_test_only else "0" }}'
 register: acme_output
- - debug:
- var: acme_output.stdout_lines
+ environment:
+ LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
 # NOTE(ianw): The output is challenge-domain:txt-key which we split
 # into a tuple here. acme.sh by default puts the hostname into the
diff --git a/playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2 b/playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2
index 1d315d24e9..aaf62c6518 100644
--- a/playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2
@@ -1,4 +1,6 @@
 # We don't want CI tests trying to really authenticate against
 # letsencrypt; apart from just being unfriendly it might cause quota
-# issues.
-letsencrypt_test_only: True
+# issues. As we don't have the authentication keys exposed in the
+# gate, only generate a place-holder self-signed cert for testing.
+letsencrypt_use_staging: True
+letsencrypt_self_sign_only: True
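Review bot: The request-certs `issue` task is still run unconditionally and only `letsencrypt_use_staging` reaches it; the new `letsencrypt_self_sign_only` flag is defaulted and honoured in create-certs alone, so in the gate (where the group_vars hunk sets both flags) this task still sends an ACME order to the staging endpoint and stores the resulting challenge tokens in `acme_output`. If that is intentional, because ordering needs no DNS credentials and staging has its own rate limits, a one-line comment above the task saying so would keep the next reader from "fixing" it; if the gate really must never talk to Let's Encrypt, the task needs `when: not letsencrypt_self_sign_only` together with a `letsencrypt_self_sign_only: False` default in this role, and the `acme_output` parsing that follows (outside this hunk) would need the same guard. How driver.sh interprets `LETSENCRYPT_STAGING` is not visible here.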