5581a28253
Add support for automatic provisioning and renewal of HTTPS certificates via LetsEncrypt. Spec is available at: https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347 Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io> Implements: blueprint letsencrypt-https Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106
#!/bin/bash
# Trace every command as it runs (the CI log doubles as the audit trail) and
# abort on the first command that fails.
set -x
set -e

# Enable unbuffered output for Ansible in Jenkins.
export PYTHONUNBUFFERED=1
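function init_pebble {
  # Start a fresh letsencrypt/pebble ACME test server on the host network and
  # wait until it reports that it is listening. Progress is appended to the
  # certificates log so that whatever the "kolla-ansible certificates" step
  # wrote there (TLS_ENABLED branch of certificates) is not truncated away.
  # Returns 1 if pebble does not come up within wait_timeout seconds.
  local log=/tmp/logs/ansible/certificates
  # Upper bound on the readiness wait: the container runs with --rm, so if it
  # dies during start-up it disappears and an unbounded loop would hang the
  # job forever instead of failing it.
  local -r wait_timeout=60
  local waited=0

  # The redirections below are performed by this (unprivileged) shell, so a
  # sudo in front of echo cannot help them; the log directory must already be
  # writable by the CI user, exactly as before.
  echo "[i] Pulling letsencrypt/pebble" >> "${log}"
  sudo docker pull letsencrypt/pebble &>> "${log}"

  echo "[i] Force removing old pebble container" >> "${log}"
  # Some Docker CLI versions return non-zero from 'rm -f' when the container
  # does not exist, which would abort the script under errexit; the container
  # is gone either way, so tolerate that case explicitly.
  sudo docker rm -f pebble &>> "${log}" || true

  echo "[i] Run new pebble container" >> "${log}"
  # PEBBLE_VA_NOSLEEP / PEBBLE_VA_ALWAYS_VALID disable pebble's artificial
  # validation delays and failures so the CI run is fast and deterministic;
  # ALWAYS_VALID means no real challenge validation happens — test-only.
  sudo docker run --name pebble --rm -d \
    -e "PEBBLE_VA_NOSLEEP=1" -e "PEBBLE_VA_ALWAYS_VALID=1" \
    --net=host letsencrypt/pebble &>> "${log}"

  echo "[i] Wait for pebble container be up" >> "${log}"
  # wait until pebble starts; stderr is merged into the pipe so the check
  # does not depend on which stream pebble logs to.
  while ! sudo docker logs pebble 2>&1 | grep -q "Listening on"; do
    if (( waited >= wait_timeout )); then
      echo "[e] pebble did not start within ${wait_timeout}s" >> "${log}"
      sudo docker logs pebble &>> "${log}" || true
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  echo "[i] Wait for pebble container done" >> "${log}"

  echo "[i] Pebble container logs" >> "${log}"
  sudo docker logs pebble &>> "${log}"
}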
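function pebble_cacert {
  # Install pebble's CA material where the LetsEncrypt test setup expects it:
  # the minica root shipped inside the container image, and the root served
  # by pebble's management API at /roots/0 (presumably the issuing root).
  local -r ca_dir=/etc/kolla/certificates/ca
  # When the TLS_ENABLED branch of certificates() did not run, nothing has
  # created the destination directory yet and 'docker cp' would fail.
  sudo mkdir -p "${ca_dir}"
  sudo docker cp pebble:/test/certs/pebble.minica.pem "${ca_dir}/pebble-root.crt"
  # --fail: without it a non-2xx response body would be written out as the CA
  # file with exit status 0, and errexit would never notice the bad CA.
  # -k is kept because the management listener presents a test certificate
  # the host store does not trust. NOTE(review): it looks like that listener
  # cert is signed by the minica root copied just above, in which case
  # --cacert "${ca_dir}/pebble-root.crt" could replace -k — TODO confirm the
  # listener certificate's SAN covers 127.0.0.1 before switching.
  sudo curl --fail -k -s -o "${ca_dir}/pebble.crt" -v https://127.0.0.1:15000/roots/0
}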
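function certificates {
  # Produce the certificate material the deployment needs: kolla-ansible's
  # self-signed certificates when TLS_ENABLED is True, and a local pebble ACME
  # server plus its CA when LE_ENABLED is True. The two flags are independent.
  # Relies on KOLLA_ANSIBLE_VENV_PATH, TLS_ENABLED and LE_ENABLED from the
  # CI environment; unset flags simply skip their branch (no set -u here).
  local RAW_INVENTORY=/etc/kolla/inventory
  # shellcheck disable=SC1091 — venv path comes from the CI environment
  source "${KOLLA_ANSIBLE_VENV_PATH}/bin/activate"

  # generate self-signed certificates for the optional internal TLS tests
  # (&> keeps stderr as well, matching how deploy() captures its steps)
  if [[ "${TLS_ENABLED}" = "True" ]]; then
    kolla-ansible -i "${RAW_INVENTORY}" -vvv certificates &> /tmp/logs/ansible/certificates
  fi
  if [[ "${LE_ENABLED}" = "True" ]]; then
    init_pebble
    pebble_cacert
  fi

  #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
  # NOTE(review): this recursive 777 also covers the CA and certificate files
  # written above and anything else under /etc/kolla (passwords, private keys
  # if present), making them readable and writable by every local user —
  # tolerable only on a throwaway CI node.
  sudo chmod -R 777 /etc/kolla
}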
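function deploy {
  # Run the full kolla-ansible deployment sequence, capturing each step's
  # stdout and stderr in its own file under /tmp/logs/ansible.
  # Relies on KOLLA_ANSIBLE_VENV_PATH and HAS_UPGRADE from the CI environment.
  local RAW_INVENTORY=/etc/kolla/inventory
  local log_dir=/tmp/logs/ansible
  # shellcheck disable=SC1091 — venv path comes from the CI environment
  source "${KOLLA_ANSIBLE_VENV_PATH}/bin/activate"

  #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
  sudo chmod -R 777 /etc/kolla

  certificates

  # Actually do the deployment
  kolla-ansible -i "${RAW_INVENTORY}" -vvv prechecks &> "${log_dir}/deploy-prechecks"
  kolla-ansible -i "${RAW_INVENTORY}" -vvv pull &> "${log_dir}/pull"
  kolla-ansible -i "${RAW_INVENTORY}" -vvv deploy &> "${log_dir}/deploy"
  kolla-ansible -i "${RAW_INVENTORY}" -vvv post-deploy &> "${log_dir}/post-deploy"

  # validate-config only runs for jobs that do not upgrade afterwards
  # (presumably the upgrade job validates later; not visible here). Note
  # that with no 'set -u' an unset HAS_UPGRADE compares as empty and the
  # step is skipped silently.
  if [[ "${HAS_UPGRADE}" == 'no' ]]; then
    kolla-ansible -i "${RAW_INVENTORY}" -vvv validate-config &> "${log_dir}/validate-config"
  fi
}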
# Entry point: run the whole sequence (certificates, prechecks, pull, deploy,
# post-deploy, and validate-config when HAS_UPGRADE is 'no').
deploy