system-config/playbooks/roles/letsencrypt-install-txt-record
Ian Wienand 0a0ca77f3b
dns: abstract names
Switch the DNS testing names to "99" which helps disambiguate testing
from production, and makes you think harder about ensuring references
are abstracted properly.

The LE zone gets installed on the hidden primary, so it should just
use the inventory_hostname rather than hard-coding.  Instead of
hard-coding the secondaries, we grab them from the secondary DNS
group.  This should allow us to start up replacement DNS servers which
will be inactive until they are enabled for the domain.

This requires an update to the LE job, as it currently doesn't have a
secondary nameserver as part of the nodes.  This means the
"adns-secondary" group is blank there.  Even though this node isn't
doing anything, I think it's worth adding to cover this path (I did
consider some sort of dummy host add type thing, but that just makes
things hard to follow).  We also use the 99 suffix in that job just
for consistency.

Change-Id: I1a4be41b70180deab51a3cc8a2b3e83ffd0ff1dc
2023-04-19 09:53:10 +10:00
tasks letsencrypt: build txt record lists betterer 2022-11-23 08:26:28 +11:00
templates dns: abstract names 2023-04-19 09:53:10 +10:00
README.rst letsencrypt support 2019-04-02 15:31:41 +11:00

README.rst

Install authentication records for letsencrypt

Install TXT records into the acme.opendev.org domain. This role runs only on the adns server, and assumes ownership of the /var/lib/bind/zones/acme.opendev.org/zone.db file. After installation the nameserver is refreshed.

After this, letsencrypt-create-certs can run on each host to provision the certificates.

Role Variables

A global dictionary of TXT records to be installed. This is generated in a prior step on each host by the letsencrypt-request-certs role.
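The README describes the two things this role does: write the per-host TXT records into the zone file it owns, then refresh the nameserver. The following Python is an added example of that step, not code from the system-config role. Because the page does not show the variable's name or structure, it assumes a dictionary of the form {owner name relative to the zone origin: [dns-01 challenge tokens]}, and it assumes the zone's SOA serial is kept in YYYYMMDDnn form so a bump is needed before the refresh; both are assumptions. The security point it shows is that the token values arrive from other hosts, so they are validated against the base64url alphabet before anything is written into a zone file that the authoritative server will load.

```python
"""Model of building ACME dns-01 TXT records for a BIND zone file.

Added example; not the opendev system-config role's own code. Record shape,
owner-name convention and serial scheme are assumptions (see lead-in).
"""
import datetime
import re

# Constructed sample input (assumed shape): owner name relative to the
# zone origin -> challenge tokens the host's letsencrypt client produced.
SAMPLE_RECORDS = {
    "host99.opendev.org": ["dGVzdC1jaGFsbGVuZ2UtdG9rZW4tMQ"],
    "mirror99.opendev.org": [
        "dGVzdC1jaGFsbGVuZ2UtdG9rZW4tMg",
        "dGVzdC1jaGFsbGVuZ2UtdG9rZW4tMw",
    ],
}

# One DNS label: 1-63 characters of [a-z0-9-], no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# dns-01 values are base64url (RFC 8555): no quotes, whitespace or
# backslashes, so nothing can break out of the quoted TXT string.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


def valid_owner(name: str) -> bool:
    """True if every label of the (relative) owner name is well-formed."""
    labels = name.rstrip(".").split(".")
    return bool(labels) and all(LABEL_RE.match(label) for label in labels)


def validate_records(records: dict) -> list:
    """Return a list of problems; empty means the input is safe to render."""
    problems = []
    for name, tokens in records.items():
        if not valid_owner(name):
            problems.append(f"bad owner name: {name!r}")
        for token in tokens:
            if not TOKEN_RE.match(token):
                problems.append(f"bad token for {name}: {token!r}")
    return problems


def build_txt_records(records: dict, ttl: int = 300) -> list:
    """Render one zone-file line per token, sorted for stable diffs.

    Raises ValueError instead of writing anything if validation fails.
    """
    problems = validate_records(records)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for name in sorted(records):
        for token in records[name]:
            lines.append(f'{name} {ttl} IN TXT "{token}"')
    return lines


def next_serial(current: int, today: datetime.date) -> int:
    """Next YYYYMMDDnn SOA serial: today's base, or current+1 if that is higher.

    Assumed scheme; the secondaries only transfer the zone when the serial
    grows, so a refresh without a bump leaves them serving stale records.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    return max(base, current + 1)


def render_zone_fragment(records: dict, ttl: int = 300) -> str:
    """Zone-file text ready to be appended below the zone's SOA/NS records."""
    return "\n".join(build_txt_records(records, ttl)) + "\n"


if __name__ == "__main__":
    print(render_zone_fragment(SAMPLE_RECORDS), end="")
    print("next serial:", next_serial(2023041905, datetime.date(2023, 4, 19)))
```

After the fragment is written, the real role reloads the nameserver; with the serial scheme assumed above, that reload only propagates to the secondaries listed in the adns-secondary group once the serial has been raised.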