From fdb68ed81ab799cb1d5fa626048a338805357450 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 22 Nov 2022 13:26:00 +1100
Subject: [PATCH] letsencrypt-request-certs: refactor certcheck list

In Ansible 6 this doesn't come out as a list. Refactor this into a more jinja-y pipeline that should do a better job of it.

Change-Id: I5684291047a3e1000cd38ba33a951bed9fa3081f
---
 .../tasks/main.yaml                           |  2 +-
 .../letsencrypt-request-certs/tasks/main.yaml | 37 ++++++++-----------
 2 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml b/playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml
index 70c8c44225..3449a87d0e 100644
--- a/playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-config-certcheck/tasks/main.yaml
@@ -4,7 +4,7 @@
 
 - name: Build SSL domain list
   set_fact:
-    letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains }} + {{ hostvars[item]["letsencrypt_certcheck_domains" ] }}'
+    letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains + hostvars[item]["letsencrypt_certcheck_domains"] }}'
   with_inventory_hostnames:
     - letsencrypt:!disabled
 
diff --git a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
index 4276485609..454effd2dc 100644
--- a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
@@ -7,7 +7,7 @@
 # main:
 #   hostname.opendev.org
 # secondary:
-#   foo.opendev.org
+#   foo.opendev.org:8000
 #   baz.opendev.org
 #
 # All required TXT keys are put into acme_txt_required
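Review bot: The added line's `hostvars[item]["letsencrypt_certcheck_domains"]` has no default, so a single host matched by `letsencrypt:!disabled` that never set the fact (unreachable or skipped in the earlier play, for instance) aborts the whole task and leaves no check list for any host; the removed line had the same property, but the rewrite is the moment to decide whether that fail-closed behaviour is intended. If it is, a comment above the task such as `# A host without letsencrypt_certcheck_domains is a hard failure: every letsencrypt host must contribute its domains` makes that explicit; if not, `hostvars[item]["letsencrypt_certcheck_domains"] | default([])` keeps the other hosts' entries but silently drops that host's certificates from validation, so it should be paired with a task that reports which hosts were missing. The left operand `letsencrypt_certcheck_domains` must also already be a list on the first iteration; presumably it is initialised above line 4 of this file, outside the hunk.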
@@ -18,25 +18,20 @@
     loop_control:
       loop_var: cert
 
+# For each generated certificate get the first entry as the domain to
+# run the certificate validation tests against. If it specifies a
+# port explicitly (with :), make it " ", if it
+# doesn't explicitly set a port make it " 443" (i.e. the second
+# regex is "if this doesn't have a space in it, then add " 443").
+#
+# For example above, we'd get
+# [ 'hostname.opendev.org 443', 'foo.opendev.org 8000' ]
+#
+# Later in ssl-check role, the final certificate validation list is
+# generated by walking the letsencrypt_certcheck_domains variable
+# for each host in the letsencrypt group.
+#
 - name: Create ssl check domain list
-  # For each generated certificate get the first entry as the domain
-  # to run the certificate validation tests against. If it specifies
-  # a port explicitly, use that, otherwise assume 443.
-  #
-  # Later in ssl-check role, the final certificate validation list is
-  # generated by walking the letsencrypt_certcheck_domains variable
-  # for each host in the letsencrypt group.
   set_fact:
-    letsencrypt_certcheck_domains: >-
-      {%- set d = [] -%}
-      {%- for cert in letsencrypt_certs.keys() -%}
-      {%- for host in letsencrypt_certs[cert] -%}
-      {%- if loop.first -%}
-      {%- if not ":" in host -%}
-      {%- set host = host+":443" -%}
-      {%- endif -%}
-      {%- set d = d.append(host.replace(":"," ")) -%}
-      {% endif %}
-      {% endfor %}
-      {% endfor %}
-      {{- d -}}
+    letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains|default([]) + [item.value|first|regex_replace(":", " ")|regex_replace("^([^\s]*)$", "\1 443")] }}'
+    loop: '{{ letsencrypt_certs | dict2items }}'
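Review bot: The new value starts from `letsencrypt_certcheck_domains|default([])`, whereas the removed Jinja block rebuilt the list from an empty `d` on every run, so if this task executes more than once for a host within one ansible-playbook run (a second play that includes the role, or a retry) the same `host port` entries are appended again rather than replaced; the previous form was idempotent. Resetting the fact in a preceding task, `- set_fact:` / `letsencrypt_certcheck_domains: []`, restores that property and makes the `|default([])` unnecessary. Separately, `item.value|first` fails with an undefined-variable error on a certificate whose domain list is empty, where the old loop simply produced no entry for it; if an empty list is invalid input, an `assert` ahead of this task would name the offending certificate instead of failing mid-loop. The comment block above the task is more useful than the one it replaces, but it should also state the duplicate-on-rerun caveat if the reset is not added.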