openstack
/
openstack
Code Issues Proposed changes

Update git submodules 

* Update system-config from branch 'master'
  - Merge "letsencrypt support"
  - letsencrypt support
    
    This change contains the roles and testing for deploying certificates
    on hosts using letsencrypt with domain authentication.
    
    From a top level, the process is implemented in the roles as follows:
    
    1) letsencrypt-acme-sh-install
    
       This role installs the acme.sh tool on hosts in the letsencrypt
       group, along with a small custom driver script to help parse output
       that is used by later roles.
    
    2) letsencrypt-request-certs
    
       This role runs on each host, and reads a host variable describing
       the certificates required.  It uses the acme.sh tool (via the
       driver) to request the certificates from letsencrypt.  It populates
       a global Ansible variable with the authentication TXT records
       required.
    
       If the certificate exists on the host and is not within the renewal
       period, it should do nothing.
    
    3) letsencrypt-install-txt-record
    
       This role runs on the adns server.  It installs the TXT records
       generated in step 2 to the acme.opendev.org domain and then
       refreshes the server.  Hosts wanting certificates will have
       pre-provisioned CNAME records for _acme-challenge.host.opendev.org
       pointing to acme.opendev.org.
    
    4) letsencrypt-create-certs
    
       This role runs on each host, reading the same variable as in step
       2.  However this time the acme.sh tool is run to authenticate and
       create the certificates, which should now work correctly via the
       TXT records from step 3.  After this, the host will have the
       full certificate material.
    
    Testing is added via testinfra.  For testing purposes requests are
    made to the staging letsencrypt servers and a self-signed certificate
    is provisioned in step 4 (as the authentication is not available
    during CI).  We test that the DNS TXT records are created locally on
    the CI adns server, however.
    
    Related-Spec: https://review.openstack.org/587283
    
    Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f
This commit is contained in:
Zuul 2019-04-08 22:43:54 +00:00 committed by Gerrit Code Review
parent 14030ae73f
commit ce9f8f5518
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
system-config

@ -1 +1 @@
Subproject commit 9ed2297b2ed81a3454e9e267bda55fc22c642215
Subproject commit f139a819940316250c79470261a40ecde4ccf519