Browse Source

Merge "letsencrypt: split staging and self-signed generation"

Zuul 1 month ago
parent
commit
a83ecc7ed1

+ 1
- 1
playbooks/host_vars/graphite01.opendev.org.yaml View File

@@ -1,5 +1,5 @@
1 1
 # NOTE(ianw): 2019-03 initial bringup in testing only mode
2
-letsencrypt_test_only: True
2
+letsencrypt_use_staging: True
3 3
 letsencrypt_certs:
4 4
   main:
5 5
     - graphite01.opendev.org

+ 7
- 1
playbooks/roles/letsencrypt-create-certs/README.rst View File

@@ -7,13 +7,19 @@ on the host.
7 7
 
8 8
 **Role Variables**
9 9
 
10
-.. zuul:rolevar:: letsencrypt_test_only
10
+.. zuul:rolevar:: letsencrypt_self_sign_only
11 11
 
12 12
    If set to True, will locally generate self-signed certificates in
13 13
    the same locations the real script would, instead of contacting
14 14
    letsencrypt.  This is set during gate testing as the
15 15
    authentication tokens are not available.
16 16
 
17
+.. zuul:rolevar:: letsencrypt_use_staging
18
+
19
+   If set to True will use the letsencrypt staging environment, rather
20
+   than make production requests.  Useful during initial provisioning
21
+   of hosts to avoid affecting production quotas.
22
+
17 23
 .. zuul:rolevar:: letsencrypt_certs
18 24
 
19 25
    The same variable as described in ``letsencrypt-request-certs``.

+ 2
- 1
playbooks/roles/letsencrypt-create-certs/defaults/main.yaml View File

@@ -1 +1,2 @@
1
-letsencrypt_test_only: False
1
+letsencrypt_use_staging: False
2
+letsencrypt_self_sign_only: False

+ 3
- 5
playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml View File

@@ -5,12 +5,10 @@
5 5
 - name: 'Run acme.sh driver for {{ item.key }} certificate issue'
6 6
   shell:
7 7
     cmd: |
8
-      /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_test_only else 'renew' }}  {{ acme_args }}
8
+      /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_self_sign_only else 'renew' }}  {{ acme_args }}
9 9
   args:
10 10
     chdir: /opt/acme.sh/
11
-  register: acme_output
12
-
13
-- debug:
14
-    var: acme_output.stdout_lines
11
+  environment:
12
+    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
15 13
 
16 14
 # Keys generated!

+ 4
- 2
playbooks/roles/letsencrypt-request-certs/README.rst View File

@@ -15,9 +15,11 @@ provision process.
15 15
 
16 16
 **Role Variables**
17 17
 
18
-.. zuul:rolevar:: letsencrypt_test_only
18
+.. zuul:rolevar:: letsencrypt_use_staging
19 19
 
20
-   Uses staging, rather than prodcution requests to letsencrypt
20
+   If set to True will use the letsencrypt staging environment, rather
21
+   than make production requests.  Useful during initial provisioning
22
+   of hosts to avoid affecting production quotas.
21 23
 
22 24
 .. zuul:rolevar:: letsencrypt_certs
23 25
 

+ 1
- 1
playbooks/roles/letsencrypt-request-certs/defaults/main.yaml View File

@@ -1 +1 @@
1
-letsencrypt_test_only: False
1
+letsencrypt_use_staging: False

+ 2
- 5
playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml View File

@@ -10,12 +10,9 @@
10 10
       /opt/acme.sh/driver.sh issue {{ acme_args }}
11 11
   args:
12 12
     chdir: /opt/acme.sh/
13
-  environment:
14
-    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_test_only else "0" }}'
15 13
   register: acme_output
16
-
17
-- debug:
18
-    var: acme_output.stdout_lines
14
+  environment:
15
+    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
19 16
 
20 17
 # NOTE(ianw): The output is challenge-domain:txt-key which we split
21 18
 # into a tuple here.  acme.sh by default puts the hostname into the

+ 4
- 2
playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2 View File

@@ -1,4 +1,6 @@
1 1
 # We don't want CI tests trying to really authenticate against
2 2
 # letsencrypt; apart from just being unfriendly it might cause quota
3
-# issues.
4
-letsencrypt_test_only: True
3
+# issues.  As we don't have the authentication keys exposed in the
4
+# gate, only generate a place-holder self-signed cert for testing.
5
+letsencrypt_use_staging: True
6
+letsencrypt_self_sign_only: True

Loading…
Cancel
Save