letsencrypt-request-certs: refactor certcheck list

In Ansible 6 this doesn't come out as a list.  Refactor this into a
more jinja-y pipeline that should do a better job of it.

Change-Id: I5684291047a3e1000cd38ba33a951bed9fa3081f
This commit is contained in:
Ian Wienand 2022-11-22 13:26:00 +11:00
parent 476b225fca
commit fdb68ed81a
No known key found for this signature in database
2 changed files with 17 additions and 22 deletions

View File

@ -4,7 +4,7 @@
- name: Build SSL domain list - name: Build SSL domain list
set_fact: set_fact:
letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains }} + {{ hostvars[item]["letsencrypt_certcheck_domains" ] }}' letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains + hostvars[item]["letsencrypt_certcheck_domains"] }}'
with_inventory_hostnames: with_inventory_hostnames:
- letsencrypt:!disabled - letsencrypt:!disabled

View File

@ -7,7 +7,7 @@
# main: # main:
# hostname.opendev.org # hostname.opendev.org
# secondary: # secondary:
# foo.opendev.org # foo.opendev.org:8000
# baz.opendev.org # baz.opendev.org
# #
# All required TXT keys are put into acme_txt_required # All required TXT keys are put into acme_txt_required
@ -18,25 +18,20 @@
loop_control: loop_control:
loop_var: cert loop_var: cert
# For each generated certificate get the first entry as the domain to
# run the certificate validation tests against. If it specifies a
# port explicitly (with <host>:<port>), make it "<host> <port>", if it
# doesn't explicitly set a port make it "<host> 443" (i.e. the second
# regex is "if this doesn't have a space in it, then add " 443").
#
# For example above, we'd get
# [ 'hostname.opendev.org 443', 'foo.opendev.org 8000' ]
#
# Later in ssl-check role, the final certificate validation list is
# generated by walking the letsencrypt_certcheck_domains variable
# for each host in the letsencrypt group.
#
- name: Create ssl check domain list - name: Create ssl check domain list
# For each generated certificate get the first entry as the domain
# to run the certificate validation tests against. If it specifies
# a port explicitly, use that, otherwise assume 443.
#
# Later in ssl-check role, the final certificate validation list is
# generated by walking the letsencrypt_certcheck_domains variable
# for each host in the letsencrypt group.
set_fact: set_fact:
letsencrypt_certcheck_domains: >- letsencrypt_certcheck_domains: '{{ letsencrypt_certcheck_domains|default([]) + [item.value|first|regex_replace(":", " ")|regex_replace("^([^\s]*)$", "\1 443")] }}'
{%- set d = [] -%} loop: '{{ letsencrypt_certs | dict2items }}'
{%- for cert in letsencrypt_certs.keys() -%}
{%- for host in letsencrypt_certs[cert] -%}
{%- if loop.first -%}
{%- if not ":" in host -%}
{%- set host = host+":443" -%}
{%- endif -%}
{%- set d = d.append(host.replace(":"," ")) -%}
{% endif %}
{% endfor %}
{% endfor %}
{{- d -}}