65e53499f5
Currently Let's Encrypt is using `haproxy_bind_external_lb_vip_address` to identify naming of resulting certificate which might not match with expectations, as all other parts of code already do use `haproxy_vip_binds` for calculating resulting TLS path. This patch introduces `type` key for `haproxy_vip_binds` which is used to identify for which frontends Let's Encrypt certificate should be used as in most scenarios it's not gonna be issued for "internal" VIPs anyway due to dns-01 requirement. Also moving to single "source of truth" for VIP bindings allows to override and have control over this behaviour. Change-Id: Id07d9a0ea270d613b37b6adfa373d01a47f7421f
77 lines
2.9 KiB
YAML
77 lines
2.9 KiB
YAML
---
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Install certbot from distro package
|
|
package:
|
|
name: "{{ haproxy_distro_certbot_packages }}"
|
|
state: present
|
|
|
|
- name: Create first time ssl cert with certbot
|
|
throttle: 1
|
|
shell: >
|
|
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
|
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
|
|
python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
|
--bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
|
|
{% endif %}
|
|
{{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
|
|
--agree-tos
|
|
--non-interactive
|
|
--text
|
|
--rsa-key-size 4096
|
|
--email {{ haproxy_ssl_letsencrypt_email }}
|
|
--domains {{ haproxy_ssl_letsencrypt_domains | join(',') }}
|
|
{% if haproxy_ssl_letsencrypt_certbot_server is defined %}
|
|
--server {{ haproxy_ssl_letsencrypt_certbot_server }}
|
|
{% endif %}
|
|
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
|
--standalone
|
|
--http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
|
--http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
|
|
{% endif %}
|
|
{{ haproxy_ssl_letsencrypt_setup_extra_params }}
|
|
args:
|
|
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"
|
|
|
|
# Certbot automatically installs its systemd timer responsible for renewals
|
|
- name: Create certbot pre hook
|
|
template:
|
|
src: letsencrypt_pre_hook_certbot_distro.j2
|
|
dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
|
|
mode: "0755"
|
|
when:
|
|
- haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
|
|
|
|
- name: Create certbot post renewal hook
|
|
template:
|
|
src: letsencrypt_renew_certbot_distro.j2
|
|
dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
|
|
mode: "0755"
|
|
|
|
- name: Create new pem file for haproxy
|
|
assemble:
|
|
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
|
|
dest: >-
|
|
{{
|
|
haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (item.get('interface')) | ternary(
|
|
item.get('address') ~ '-' ~ item['interface'], item['address']) ~ '.pem'
|
|
}}
|
|
regexp: '(privkey|fullchain).pem$'
|
|
owner: haproxy
|
|
group: haproxy
|
|
mode: "0640"
|
|
with_items:
|
|
- "{{ haproxy_vip_binds | selectattr('type', 'defined') | selectattr('type', 'eq', 'external') }}"
|
|
notify:
|
|
- Reload haproxy
|