Merge "Set default external Let's Encrypt cert server"

Zuul
2025-08-14 06:08:11 +00:00
committed by Gerrit Code Review
3 changed files with 32 additions and 12 deletions


@@ -504,7 +504,7 @@ kuryr_port: "23750"
letsencrypt_webserver_port: "8081"
letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
letsencrypt_external_cert_server: ""
letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
letsencrypt_internal_cert_server: ""
magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"
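Review bot: the new non-empty default for `letsencrypt_external_cert_server` changes what the `letsencrypt_managed_certs` expression two lines above evaluates to, and one combination looks worth a second look: with `letsencrypt_internal_cert_server` left at `""` and `kolla_same_external_internal_vip` true, every branch falls through to `''`, because the `'external'` branch requires `not kolla_same_external_internal_vip`. Enabling Let's Encrypt on a single-VIP deployment therefore still manages no certificate even though the default server is now set; if that is intended (internal server must be set for single VIP), a short comment above these two variables saying so, and noting that operators keeping a file-based external certificate should set `letsencrypt_external_cert_server: ""`, would save confusion. The one-line Jinja conditional is also hard to audit; a folded scalar (`>-`) with one branch per line would make such cases visible.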


@@ -316,19 +316,26 @@ to the HAProxy containers using SSH.
with HAProxy.
You can configure separate ACME servers for internal and external
certificate requests.
certificate requests by setting server URL on
``letsencrypt_internal_cert_server`` and
``letsencrypt_external_cert_server`` respectively.
The default is external certificate ACME server set to
``https://acme-v02.api.letsencrypt.org/directory``.
.. code-block:: yaml
.. list-table:: Let's Encrypt management
:widths: 28 72
:header-rows: 1
letsencrypt_external_cert_server: "<ACME server URL for external cert>"
letsencrypt_internal_cert_server: "<ACME server URL for internal cert>"
.. note::
The ``letsencrypt_external_cert_server`` has a default value of
``https://acme-v02.api.letsencrypt.org/directory``. Ensure that
``letsencrypt_internal_cert_server`` is reachable from the controller
if you configure it for internal certificate requests.
* - Desired outcome
- Settings
* - External only (default)
- Enable Let's Encrypt; no further changes.
* - External + internal
- Set ``letsencrypt_internal_cert_server`` and ensure it is reachable
from the controller.
* - Internal only
- Set ``letsencrypt_external_cert_server: ""`` and set
``letsencrypt_internal_cert_server``.
.. _admin-tls-generating-a-private-ca:
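Review bot: the "External + internal" row of the new list-table omits the condition under which both certificates are actually managed. Per the `letsencrypt_managed_certs` expression in the first hunk, setting `letsencrypt_internal_cert_server` only yields `internal,external` when `kolla_same_external_internal_vip` is false; with a single VIP the same setting yields `internal` only. Suggest adding "(separate internal and external VIPs)" to that row and a matching "Single VIP" row, so the table agrees with the release note's "(separate VIPs)" qualifier. Minor wording in the added prose: "by setting server URL on" reads better as "by setting the server URL in", and "The default is external certificate ACME server set to" as "By default the external certificate ACME server is set to".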


@@ -0,0 +1,13 @@
---
fixes:
- |
Restore the default Let's Encrypt ACME server for external certificates
so that enabling ``enable_letsencrypt`` works out of the box again
without explicitly setting ``letsencrypt_external_cert_server``. The
default is ``https://acme-v02.api.letsencrypt.org/directory``.
upgrade:
- |
Deployments using a file-based external certificate and Let's Encrypt for
the internal certificate (separate VIPs) default to managing the external
certificate with Let's Encrypt. To retain a file-based external
certificate, set ``letsencrypt_external_cert_server: ""``.
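Review bot: the upgrade note is narrower than the behaviour change. It covers deployments that already use Let's Encrypt for the internal certificate, but the new default also affects any deployment with `enable_letsencrypt` true, separate VIPs, and neither server variable set: before this change `letsencrypt_managed_certs` evaluated to `''` there, afterwards to `external`, so HAProxy starts requesting an external certificate from the public ACME server. Suggest rewording the first sentence to "Deployments with separate internal and external VIPs that have Let's Encrypt enabled and did not set ``letsencrypt_external_cert_server``", with the file-based external certificate case as one instance. The `fixes` entry's "works out of the box" claim should likewise be qualified for single-VIP deployments, where the expression still requires an internal server to be set.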