Define http-01 params with already provided variables

There's no real need in asking user to manually provide http-01 port and address when we already have corresponding variables we rely on. Change-Id: Id0d2a73c863d9bbb8b6280ce42f918127baea354
2020-09-11 18:17:42 +03:00 · 2020-09-11 18:17:42 +03:00 · 0343893881
commit 0343893881
parent 5d7da9df3b
4 changed files with 36 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -57,10 +57,10 @@ haproxy_service_configs: []
 #         white_list:
 #           rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
 #           backend_name: "mybackend"
-#      haproxy_frontend_acls:
-#          letsencrypt-acl:
-#            rule: "path_beg /.well-known/acme-challenge/"
-#            backend_name: letsencrypt
+#       haproxy_frontend_acls:
+#         letsencrypt-acl:
+#           rule: "path_beg /.well-known/acme-challenge/"
+#           backend_name: letsencrypt

 galera_monitoring_user: monitoring
 haproxy_bind_on_non_local: False
@ -86,6 +86,7 @@ haproxy_ssl_letsencrypt_certbot_binary: "{{ (haproxy_ssl_letsencrypt_install_met
 haproxy_ssl_letsencrypt_certbot_backend_port: 8888
 haproxy_ssl_letsencrypt_pre_hook_timeout: 5
 haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
+haproxy_ssl_letsencrypt_certbot_challenge: "http-01"
 haproxy_ssl_letsencrypt_email: "example@example.com"
 haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
 haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
@ -95,6 +96,10 @@ haproxy_ssl_letsencrypt_setup_extra_params: ""
 haproxy_ssl_letsencrypt_cron_minute: "0"
 haproxy_ssl_letsencrypt_cron_hour: "0"
 haproxy_ssl_letsencrypt_cron_weekday: "0"
+haproxy_ssl_letsencrypt_acl:
+  letsencrypt-acl:
+    rule: "path_beg /.well-known/acme-challenge/"
+    backend_name: letsencrypt

 # hatop extra package URL and checksum
 haproxy_hatop_download_url: "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hatop/hatop-0.7.7.tar.gz"
--- a/doc/source/configure-haproxy.rst
+++ b/doc/source/configure-haproxy.rst
@ -164,7 +164,6 @@ The following variables must be set for the haproxy hosts.

   haproxy_ssl_letsencrypt_enable: True
   haproxy_ssl_letsencrypt_install_method: "distro"
-   haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
   haproxy_ssl_letsencrypt_email: example@example.com
   haproxy_interval: 2000

@ -218,7 +217,8 @@ node plus each of the others, and direct any incoming acme-challenge
 requests to the HAProxy instance which is performing a renewal.

 It is necessary to configure certbot to bind to the HAproxy node local
-internal IP address via the --http-01-address parameter in a H/A setup
+internal IP address via the haproxy_ssl_letsencrypt_certbot_bind_address
+variable in a H/A setup.

 Using Certificates from LetsEncrypt (legacy method)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/releasenotes/notes/haproxy_letsencrypt-4a13c7911a20b993.yaml
+++ b/releasenotes/notes/haproxy_letsencrypt-4a13c7911a20b993.yaml
@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    There's no need in providing neither `http-01-address` nor `http-01-port`
+    options with `haproxy_ssl_letsencrypt_setup_extra_params`, as they are now
+    configured with corresponding variables
+    `haproxy_ssl_letsencrypt_certbot_bind_address` and
+    `haproxy_ssl_letsencrypt_certbot_backend_port`
+features:
+  - |
+    Added variable `haproxy_ssl_letsencrypt_certbot_challenge` which is default
+    to `http-01`. As for now really tested in only `http-01` but we keep door
+    open for adding support for more challanges, like `dns-01`. For `http-01`
+    all required arguments are passed, but oth other challanges you might want
+    to use `haproxy_ssl_letsencrypt_setup_extra_params` to pass missing
+    arguments.
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@ -63,9 +63,11 @@

 - name: Create first time ssl cert with certbot
  shell: >
+    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
    timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
    python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
    --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
+    {% endif %}
    {{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
    --standalone
    --agree-tos
@ -74,6 +76,10 @@
    --rsa-key-size 4096
    --email {{ haproxy_ssl_letsencrypt_email }}
    --domains {{ external_lb_vip_address }}
+    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
+    --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
+    --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
+    {% endif %}
    {{ haproxy_ssl_letsencrypt_setup_extra_params }}
  args:
    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
@ -83,7 +89,9 @@
    src: letsencrypt_pre_hook_certbot_distro.j2
    dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
    mode: 0755
-  when: haproxy_ssl_letsencrypt_install_method == 'distro'
+  when:
+    - haproxy_ssl_letsencrypt_install_method == 'distro'
+    - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'

 - name: Create certbot post renewal hook
  template: