opendev/system-config
Code Issues Proposed changes
157ad6d521
system-config/playbooks/base.yaml
Ian Wienand afd907c16d letsencrypt support 
This change contains the roles and testing for deploying certificates
on hosts using letsencrypt with domain authentication.

From a top level, the process is implemented in the roles as follows:

1) letsencrypt-acme-sh-install

   This role installs the acme.sh tool on hosts in the letsencrypt
   group, along with a small custom driver script to help parse output
   that is used by later roles.

2) letsencrypt-request-certs

   This role runs on each host, and reads a host variable describing
   the certificates required.  It uses the acme.sh tool (via the
   driver) to request the certificates from letsencrypt.  It populates
   a global Ansible variable with the authentication TXT records
   required.

   If the certificate exists on the host and is not within the renewal
   period, it should do nothing.

3) letsencrypt-install-txt-record

   This role runs on the adns server.  It installs the TXT records
   generated in step 2 to the acme.opendev.org domain and then
   refreshes the server.  Hosts wanting certificates will have
   pre-provisioned CNAME records for _acme-challenge.host.opendev.org
   pointing to acme.opendev.org.

4) letsencrypt-create-certs

   This role runs on each host, reading the same variable as in step
   2.  However this time the acme.sh tool is run to authenticate and
   create the certificates, which should now work correctly via the
   TXT records from step 3.  After this, the host will have the
   full certificate material.

Testing is added via testinfra.  For testing purposes requests are
made to the staging letsencrypt servers and a self-signed certificate
is provisioned in step 4 (as the authentication is not available
during CI).  We test that the DNS TXT records are created locally on
the CI adns server, however.

Related-Spec: https://review.openstack.org/587283

Change-Id: I1f66da614751a29cc565b37cdc9ff34d70fdfd3f
2019-04-02 15:31:41 +11:00

111 lines
2.9 KiB
YAML
Raw Blame History

- hosts: "!disabled"
name: "Base: set up users and base package repositories on all hosts"
roles:
- users
- base-repos
# Run base-server seperately so that the update apt cache handler in base-repos
# fires before we run base-server
- hosts: "!disabled"
name: "Base: set up common environment on all hosts"
roles:
- base-server
- timezone
- unbound
- exim
# Do not run firewall rules on kubernetes hosts, they are managed by k8s-on-openstack.
# TODO(mordred) snmpd should be able to be re-added to kubernetes hosts but we will
# need to add cacti to sg-opendev-nodes and sg-opendev-master security groups first.
- hosts: "!disabled:!kubernetes"
name: "Base: set up firewall rules"
roles:
- snmpd
- iptables
- hosts: bridge.openstack.org:!disabled
name: "Base: configure cloud credentials on bridge"
roles:
- install-kubectl
- configure-kubectl
tasks:
- include_role:
name: configure-openstacksdk
vars:
openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml'
openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2
- include_role:
name: configure-openstacksdk
vars:
openstacksdk_config_template: clouds/bridge_clouds.yaml.j2
- hosts: nodepool-launcher:nodepool-builder:!disabled
name: "Base: configure OpenStackSDK on nodepool"
strategy: free
roles:
- minimal-nodepool
- configure-openstacksdk
- configure-kubectl
- hosts: "puppet:!disabled"
name: "Base: install and configure puppet on puppet hosts"
roles:
- puppet-install
- disable-puppet-agent
- hosts: adns:!disabled
name: "Base: configure adns server"
roles:
- master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
name: "Base: configure authoritative nameservers"
roles:
- nameserver
- hosts: "docker:!disabled"
name: "Base: install and configure docker on docker hosts"
roles:
- install-docker
- hosts: "registry:!disabled"
name: "Base: configure registry"
roles:
- install-docker
- registry
- hosts: "gitea:!disabled"
name: "Base: configure gitea"
roles:
- install-docker
- gitea
- hosts: "gitea-lb:!disabled"
name: "Base: configure gitea load balancer"
roles:
- install-docker
- haproxy
- hosts: "zuul-preview:!disabled"
name: "Base: configure zuul-preview"
roles:
- install-docker
- zuul-preview
# This next section needs to happen in order. letsencrypt hosts
# export their TXT authentication records which is installed onto
# adns1, and then the hosts verify to issue/renew keys
- hosts: "letsencrypt:!disabled"
name: "Base: deploy and renew certificates"
roles:
- letsencrypt-acme-sh-install
- letsencrypt-request-certs
- hosts: "adns:!disabled"
name: "Install txt records"
roles:
- letsencrypt-install-txt-record
- hosts: "letsencrypt:!disabled"
name: "Create certs"
roles:
- letsencrypt-create-certs
View Git Blame Copy Permalink