From 1664c993b6b18de69aade38c16c6fb60f8ebe978 Mon Sep 17 00:00:00 2001
From: Danila Balagansky
Date: Wed, 14 Sep 2022 17:29:42 +0300
Subject: [PATCH] Add variable for setting certbot `domains` option

Add `haproxy_ssl_letsencrypt_domains` variable, which contains a list (defaults to `external_lb_vip_address`) for `--domains` certbot option.

Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5
---
 defaults/main.yml | 2 ++
 tasks/haproxy_ssl_letsencrypt.yml | 6 +++---
 templates/letsencrypt_renew_certbot_auto.j2 | 2 +-
 templates/letsencrypt_renew_certbot_distro.j2 | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 9ddfcd8..cc1a7c4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -176,6 +176,8 @@ haproxy_ssl_letsencrypt_acl:
 backend_name: letsencrypt
 # Use alternative CA that supports ACME, can be a public or private CA
 # haproxy_ssl_letsencrypt_certbot_server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+haproxy_ssl_letsencrypt_domains:
+ - "{{ external_lb_vip_address }}"
 # hatop extra package URL and checksum
 haproxy_hatop_download_url: "https://github.com/jhunt/hatop/archive/v0.8.0.tar.gz"
diff --git a/tasks/haproxy_ssl_letsencrypt.yml b/tasks/haproxy_ssl_letsencrypt.yml
index ab6191a..2bb975d 100644
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@@ -75,7 +75,7 @@
 --text
 --rsa-key-size 4096
 --email {{ haproxy_ssl_letsencrypt_email }}
- --domains {{ haproxy_bind_external_lb_vip_address }}
+ --domains {{ haproxy_ssl_letsencrypt_domains | join(',') }}
 {% if haproxy_ssl_letsencrypt_certbot_server is defined %}
 --server {{ haproxy_ssl_letsencrypt_certbot_server }}
 {% endif %}
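Review bot: The new `haproxy_ssl_letsencrypt_domains` default in defaults/main.yml is the only variable in this hunk without a describing comment, and its default reads `external_lb_vip_address` while every line it replaces in tasks/haproxy_ssl_letsencrypt.yml and the two templates used `haproxy_bind_external_lb_vip_address`. I cannot see how the latter is derived; if a deployment sets it to something other than `external_lb_vip_address`, the domain requested from the CA silently changes with this commit. Add above the key: `# Domains requested in one certificate via certbot --domains. The first entry also names the certbot live/ directory that the tasks and renew hooks read from, so keep its order stable.` and consider defaulting the list to `"{{ haproxy_bind_external_lb_vip_address }}"` if that is the variable operators are expected to override.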
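Review bot: The joined domain list is placed on the certbot command line unquoted in the `--domains` line of the @@ -75 hunk; if this task runs through the `shell` module, an entry containing whitespace or shell metacharacters is split or interpreted instead of reaching certbot, and an empty list yields a bare `--domains` that consumes the next argument (`--server ...` or the extra params) as its value. Quote the value, `--domains {{ haproxy_ssl_letsencrypt_domains | join(',') | quote }}`, and fail early with an `assert` task that the list is non-empty and each entry looks like a hostname. The task this command belongs to starts above the hunk, so I cannot tell whether `command` or `shell` is used.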
@@ -85,7 +85,7 @@
 {% endif %}
 {{ haproxy_ssl_letsencrypt_setup_extra_params }}
 args:
- creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"
+ creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"
 - name: Create certbot pre hook
 template:
@@ -105,7 +105,7 @@
 - name: Create new pem file for haproxy
 assemble:
- src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
+ src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
 dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
 regexp: '(privkey|fullchain).pem$'
 with_items:
diff --git a/templates/letsencrypt_renew_certbot_auto.j2 b/templates/letsencrypt_renew_certbot_auto.j2
index 61293f0..db1ba34 100644
--- a/templates/letsencrypt_renew_certbot_auto.j2
+++ b/templates/letsencrypt_renew_certbot_auto.j2
@@ -6,7 +6,7 @@
 --pre-hook "systemctl stop haproxy" \
 {% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
-cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \
 > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
 {% endfor %}
diff --git a/templates/letsencrypt_renew_certbot_distro.j2 b/templates/letsencrypt_renew_certbot_distro.j2
index df5b2b9..fd89b08 100644
--- a/templates/letsencrypt_renew_certbot_distro.j2
+++ b/templates/letsencrypt_renew_certbot_distro.j2
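Review bot: `haproxy_ssl_letsencrypt_domains | first` is used as the certbot lineage directory name in `creates:` here, in `src:` of the @@ -105 hunk and in both renew templates, but certbot derives that directory from the first domain only when the certificate is first issued. If an operator later reorders or prepends to the list, `creates:` no longer matches the existing directory, certbot is re-run and may create a second lineage named after the new first domain, while the assemble task and the renew hooks read from whichever name is now first; `| first` also raises at templating time on an empty list. Passing `--cert-name` with a fixed value (for example a new `haproxy_ssl_letsencrypt_cert_name` variable) to the certbot command and using that name in `creates:`, `src:` and both templates would decouple the on-disk path from list order. The certbot task itself starts above this hunk.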
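Review bot: The rewritten `cat` line in templates/letsencrypt_renew_certbot_auto.j2 still hard-codes `/etc/letsencrypt/live/` while the `creates:` and `src:` lines of this same commit locate the lineage under `{{ haproxy_ssl_letsencrypt_config_path }}`; the @@ -2 hunk of templates/letsencrypt_renew_certbot_distro.j2 has the same line. When that path is overridden, issuance writes the lineage to one directory and the renew hook reads `{fullchain,privkey}.pem` from another, so renewals would keep serving the old combined pem. Use `cat {{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \` in both templates.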
@@ -2,7 +2,7 @@
 # renew cert if required and copy to haproxy destination
 {% for vip in [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses %}
-cat /etc/letsencrypt/live/{{ haproxy_bind_external_lb_vip_address }}/{fullchain,privkey}.pem \
+cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \
 > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip ~ '.pem' }}
 {% endfor %}