Add variable for setting certbot domains option

Add `haproxy_ssl_letsencrypt_domains` variable, which contains a list (defaults to `external_lb_vip_address`) for `--domains` certbot option. Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5
2022-09-14 17:29:42 +03:00 · 2022-09-14 17:29:42 +03:00 · 1664c993b6
commit 1664c993b6
parent ab0c91f810
4 changed files with 7 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -176,6 +176,8 @@ haproxy_ssl_letsencrypt_acl:
    backend_name: letsencrypt
 # Use alternative CA that supports ACME, can be a public or private CA
 # haproxy_ssl_letsencrypt_certbot_server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+haproxy_ssl_letsencrypt_domains:
+  - "{{ external_lb_vip_address }}"

 # hatop extra package URL and checksum
 haproxy_hatop_download_url: "https://github.com/jhunt/hatop/archive/v0.8.0.tar.gz"
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@ -75,7 +75,7 @@
    --text
    --rsa-key-size 4096
    --email {{ haproxy_ssl_letsencrypt_email }}
-    --domains {{ haproxy_bind_external_lb_vip_address }}
+    --domains {{ haproxy_ssl_letsencrypt_domains | join(',') }}
    {% if haproxy_ssl_letsencrypt_certbot_server is defined %}
    --server {{ haproxy_ssl_letsencrypt_certbot_server }}
    {% endif %}
@ -85,7 +85,7 @@
    {% endif %}
    {{ haproxy_ssl_letsencrypt_setup_extra_params }}
  args:
-    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"
+    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"

 - name: Create certbot pre hook
  template:
@ -105,7 +105,7 @@

 - name: Create new pem file for haproxy
  assemble:
-    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
+    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
    dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item  ~ '.pem' }}"
    regexp: '(privkey|fullchain).pem$'
  with_items:
--- a/templates/letsencrypt_renew_certbot_auto.j2
+++ b/templates/letsencrypt_renew_certbot_auto.j2
@ -6,7 +6,7 @@
    --pre-hook "systemctl stop haproxy" \

 {% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
-cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \
    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
 {% endfor %}

--- a/templates/letsencrypt_renew_certbot_distro.j2
+++ b/templates/letsencrypt_renew_certbot_distro.j2
@ -2,7 +2,7 @@
 # renew cert if required and copy to haproxy destination

 {% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
-cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \
    > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip  ~ '.pem' }}
 {% endfor %}