Add variable for setting certbot `domains` option

openstack/openstack-ansible-haproxy_server

Code Issues Proposed changes

Add `haproxy_ssl_letsencrypt_domains` variable, which
contains a list (defaults to `external_lb_vip_address`)
for `--domains` certbot option.
Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5

This commit is contained in:

Danila Balagansky

2022年09月14日 17:29:42 +03:00

committed by Dmitriy Rabotyagov

parent ab0c91f810

commit 1664c993b6

4 changed files with 7 additions and 5 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml

View File

@@ -176,6 +176,8 @@ haproxy_ssl_letsencrypt_acl:

backend_name:letsencrypt

# Use alternative CA that supports ACME, can be a public or private CA

# haproxy_ssl_letsencrypt_certbot_server: "https://acme-staging-v02.api.letsencrypt.org/directory"

haproxy_ssl_letsencrypt_domains:

- "{{ external_lb_vip_address }}"

# hatop extra package URL and checksum

haproxy_hatop_download_url:"https://github.com/jhunt/hatop/archive/v0.8.0.tar.gz"

6
tasks/haproxy_ssl_letsencrypt.yml

View File

@@ -75,7 +75,7 @@

--text

--rsa-key-size 4096

--email {{ haproxy_ssl_letsencrypt_email }}

--domains {{ haproxy_bind_external_lb_vip_address }}

--domains {{ haproxy_ssl_letsencrypt_domains | join(',') }}

{% if haproxy_ssl_letsencrypt_certbot_server is defined %}

--server {{ haproxy_ssl_letsencrypt_certbot_server }}

{% endif %}

@@ -85,7 +85,7 @@

{% endif %}

{{ haproxy_ssl_letsencrypt_setup_extra_params }}

args:

creates:"{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"

creates:"{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"

- name:Create certbot pre hook

template:

@@ -105,7 +105,7 @@

- name:Create new pem file for haproxy

assemble:

src:"{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"

src:"{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"

dest:"{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"

regexp:'(privkey|fullchain).pem$'

with_items:

2
templates/letsencrypt_renew_certbot_auto.j2

View File

@@ -6,7 +6,7 @@

--pre-hook "systemctl stop haproxy" \

{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}

cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \

cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \

> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}

{% endfor %}

2
templates/letsencrypt_renew_certbot_distro.j2

View File

@@ -2,7 +2,7 @@

# renew cert if required and copy to haproxy destination

{% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}

cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \

cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \

> {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}

{% endfor %}