letsencrypt-request-certs: refactor certcheck list

In Ansible 6 this doesn't come out as a list. Refactor this into a more jinja-y pipeline that should do a better job of it. Change-Id: I5684291047a3e1000cd38ba33a951bed9fa3081f
2022-11-22 13:26:00 +11:00 · 2022-11-22 13:26:00 +11:00 · fdb68ed81a
commit fdb68ed81a
parent 476b225fca
2 changed files with 17 additions and 22 deletions
--- a/playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml
@ -4,7 +4,7 @@

 - name: Build SSL domain list
  set_fact:
-    letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains }} + {{ hostvars[item]["letsencrypt_certcheck_domains" ] }}'
+    letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains + hostvars[item]["letsencrypt_certcheck_domains"] }}'
  with_inventory_hostnames:
    - letsencrypt:!disabled

--- a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
@ -7,7 +7,7 @@
 #    main:
 #      hostname.opendev.org
 #    secondary:
-#      foo.opendev.org
+#      foo.opendev.org:8000
 #      baz.opendev.org
 #
 # All required TXT keys are put into acme_txt_required
@ -18,25 +18,20 @@
  loop_control:
    loop_var: cert

+# For each generated certificate get the first entry as the domain to
+# run the certificate validation tests against.  If it specifies a
+# port explicitly (with <host>:<port>), make it "<host> <port>", if it
+# doesn't explicitly set a port make it "<host> 443" (i.e. the second
+# regex is "if this doesn't have a space in it, then add " 443").
+#
+# For example above, we'd get
+#  [ 'hostname.opendev.org 443', 'foo.opendev.org 8000' ]
+#
+# Later in ssl-check role, the final certificate validation list is
+# generated by walking the letsencrypt_certcheck_domains variable
+# for each host in the letsencrypt group.
+#
 - name: Create ssl check domain list
-  # For each generated certificate get the first entry as the domain
-  # to run the certificate validation tests against.  If it specifies
-  # a port explicitly, use that, otherwise assume 443.
-  #
-  # Later in ssl-check role, the final certificate validation list is
-  # generated by walking the letsencrypt_certcheck_domains variable
-  # for each host in the letsencrypt group.
  set_fact:
-    letsencrypt_certcheck_domains: >-
-      {%- set d = [] -%}
-      {%- for cert in letsencrypt_certs.keys() -%}
-       {%- for host in letsencrypt_certs[cert] -%}
-        {%- if loop.first -%}
-         {%- if not ":" in host -%}
-           {%- set host = host+":443" -%}
-         {%- endif -%}
-         {%- set d = d.append(host.replace(":"," ")) -%}
-        {% endif %}
-       {% endfor %}
-      {% endfor %}
-      {{- d -}}
+    letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains|default([]) + [item.value|first|regex_replace(":", " ")|regex_replace("^([^\s]*)$", "\1 443")] }}'
+  loop: '{{ letsencrypt_certs | dict2items }}'