Merge "letsencrypt: split staging and self-signed generation"

playbooks/host_vars/graphite01.opendev.org.yaml

@@ -1,5 +1,5 @@
 # NOTE(ianw): 2019-03 initial bringup in testing only mode
-letsencrypt_test_only: True
+letsencrypt_use_staging: True
 letsencrypt_certs:
   main:
     - graphite01.opendev.org

playbooks/roles/letsencrypt-create-certs/README.rst

@@ -7,13 +7,19 @@ on the host.
 
 **Role Variables**
 
-.. zuul:rolevar:: letsencrypt_test_only
+.. zuul:rolevar:: letsencrypt_self_sign_only
 
    If set to True, will locally generate self-signed certificates in
    the same locations the real script would, instead of contacting
    letsencrypt.  This is set during gate testing as the
    authentication tokens are not available.
 
+.. zuul:rolevar:: letsencrypt_use_staging
+
+   If set to True will use the letsencrypt staging environment, rather
+   than make production requests.  Useful during initial provisioning
+   of hosts to avoid affecting production quotas.
+
 .. zuul:rolevar:: letsencrypt_certs
 
    The same variable as described in ``letsencrypt-request-certs``.

playbooks/roles/letsencrypt-create-certs/defaults/main.yaml

@@ -1 +1,2 @@
-letsencrypt_test_only: False
+letsencrypt_use_staging: False
+letsencrypt_self_sign_only: False

playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml

@@ -5,12 +5,10 @@
 - name: 'Run acme.sh driver for {{ item.key }} certificate issue'
   shell:
     cmd: |
-      /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_test_only else 'renew' }}  {{ acme_args }}
+      /opt/acme.sh/driver.sh {{ 'selfsign' if letsencrypt_self_sign_only else 'renew' }}  {{ acme_args }}
   args:
     chdir: /opt/acme.sh/
-  register: acme_output
+  environment:
-
+    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
-- debug:
-    var: acme_output.stdout_lines
 
 # Keys generated!

playbooks/roles/letsencrypt-request-certs/README.rst

@@ -15,9 +15,11 @@ provision process.
 
 **Role Variables**
 
-.. zuul:rolevar:: letsencrypt_test_only
+.. zuul:rolevar:: letsencrypt_use_staging
 
-   Uses staging, rather than prodcution requests to letsencrypt
+   If set to True will use the letsencrypt staging environment, rather
+   than make production requests.  Useful during initial provisioning
+   of hosts to avoid affecting production quotas.
 
 .. zuul:rolevar:: letsencrypt_certs
 

playbooks/roles/letsencrypt-request-certs/defaults/main.yaml

@@ -1 +1 @@
-letsencrypt_test_only: False
+letsencrypt_use_staging: False

playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml

@@ -10,12 +10,9 @@
       /opt/acme.sh/driver.sh issue {{ acme_args }}
   args:
     chdir: /opt/acme.sh/
-  environment:
-    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_test_only else "0" }}'
   register: acme_output
-
+  environment:
-- debug:
+    LETSENCRYPT_STAGING: '{{ "1" if letsencrypt_use_staging else "0" }}'
-    var: acme_output.stdout_lines
 
 # NOTE(ianw): The output is challenge-domain:txt-key which we split
 # into a tuple here.  acme.sh by default puts the hostname into the

playbooks/zuul/templates/group_vars/letsencrypt.yaml.j2

@@ -1,4 +1,6 @@
 # We don't want CI tests trying to really authenticate against
 # letsencrypt; apart from just being unfriendly it might cause quota
-# issues.
+# issues.  As we don't have the authentication keys exposed in the
-letsencrypt_test_only: True
+# gate, only generate a place-holder self-signed cert for testing.
+letsencrypt_use_staging: True
+letsencrypt_self_sign_only: True