opendev
/
system-config
Code Issues Proposed changes

letsencrypt: split staging and self-signed generation 

We currently only have letsencrypt_test_only as a single flag that
sets tests to use the letsencrypt staging environment and also
generates a self-signed certificate.

However, for initial testing we actually want to fully generate
certificates on hosts, but using the staging environment (i.e. *not*
generate self-signed certs).  Thus we need to split this option into
two, so the gate tests still use staging+self-signed, but in-progress
production hosts can just using the staging flag.

These variables are split, and graphite01.opendev.org is made to
create staging certificates.

Also remove some debugging that is no longer necessary.

Change-Id: I08959ba904f821c9408d8f363542502cd76a30a4
This commit is contained in:
Ian Wienand 2019-04-10 07:31:26 +10:00
parent 00efd089a2
commit 86c5bc2b45
8 changed files with 24 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
playbooks/host_vars/graphite01.opendev.org.yaml
View File

@ -1,5 +1,5 @@
# NOTE(ianw): 2019-03 initial bringup in testing only mode # NOTE(ianw): 2019-03 initial bringup in testing only mode
letsencrypt_test_only: True letsencrypt_use_staging: True
letsencrypt_certs: letsencrypt_certs:
main: main:
- graphite01.opendev.org - graphite01.opendev.org

8
playbooks/roles/letsencrypt-create-certs/README.rst
View File

@ -7,13 +7,19 @@ on the host.
**Role Variables** **Role Variables**
.. zuul:rolevar:: letsencrypt_test_only .. zuul:rolevar:: letsencrypt_self_sign_only
If set to True, will locally generate self-signed certificates in If set to True, will locally generate self-signed certificates in
the same locations the real script would, instead of contacting the same locations the real script would, instead of contacting
letsencrypt. This is set during gate testing as the letsencrypt. This is set during gate testing as the
authentication tokens are not available. authentication tokens are not available.
.. zuul:rolevar:: letsencrypt_use_staging
If set to True will use the letsencrypt staging environment, rather
than make production requests. Useful during initial provisioning
of hosts to avoid affecting production quotas.
.. zuul:rolevar:: letsencrypt_certs .. zuul:rolevar:: letsencrypt_certs
The same variable as described in ``letsencrypt-request-certs``. The same variable as described in ``letsencrypt-request-certs``.

3
playbooks/roles/letsencrypt-create-certs/defaults/main.yaml
View File

@ -1 +1,2 @@
letsencrypt_test_only: False letsencrypt_use_staging: False
letsencrypt_self_sign_only: False

8
playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml
View File

@ -5,12 +5,10 @@
- name: 'Run acme.sh driver for {{ item.key }} certificate issue' - name: 'Run acme.sh driver for {{ item.key }} certificate issue'
shell: shell:
cmd: | cmd: |
/opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_test_only else 'renew' }} {{ acme_args }} /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_self_sign_only else 'renew' }} {{ acme_args }}
args: args:
chdir: /opt/acme.sh/ chdir: /opt/acme.sh/
register: acme_output environment:
LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
- debug:
var: acme_output.stdout_lines
# Keys generated! # Keys generated!

6
playbooks/roles/letsencrypt-request-certs/README.rst
View File

@ -15,9 +15,11 @@ provision process.
**Role Variables** **Role Variables**
.. zuul:rolevar:: letsencrypt_test_only .. zuul:rolevar:: letsencrypt_use_staging
Uses staging, rather than prodcution requests to letsencrypt If set to True will use the letsencrypt staging environment, rather
than make production requests. Useful during initial provisioning
of hosts to avoid affecting production quotas.
.. zuul:rolevar:: letsencrypt_certs .. zuul:rolevar:: letsencrypt_certs

2
playbooks/roles/letsencrypt-request-certs/defaults/main.yaml
View File

@ -1 +1 @@
letsencrypt_test_only: False letsencrypt_use_staging: False

7
playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
View File

@ -10,12 +10,9 @@
/opt/acme.sh/driver.sh issue {{ acme_args }} /opt/acme.sh/driver.sh issue {{ acme_args }}
args: args:
chdir: /opt/acme.sh/ chdir: /opt/acme.sh/
environment:
LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_test_only else "0" }}'
register: acme_output register: acme_output
environment:
- debug: LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
var: acme_output.stdout_lines
# NOTE(ianw): The output is challenge-domain:txt-key which we split # NOTE(ianw): The output is challenge-domain:txt-key which we split
# into a tuple here. acme.sh by default puts the hostname into the # into a tuple here. acme.sh by default puts the hostname into the

6
playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2
View File

@ -1,4 +1,6 @@
# We don't want CI tests trying to really authenticate against # We don't want CI tests trying to really authenticate against
# letsencrypt; apart from just being unfriendly it might cause quota # letsencrypt; apart from just being unfriendly it might cause quota
# issues. # issues. As we don't have the authentication keys exposed in the
letsencrypt_test_only: True # gate, only generate a place-holder self-signed cert for testing.
letsencrypt_use_staging: True
letsencrypt_self_sign_only: True