system-config/playbooks/roles/gitea/defaults/main.yaml
Ian Wienand 0d83dd3ea0 letsencrypt: selfsigned testing certs - use common CA, setup SAN
Some of our testing makes use of secure communication between testing
nodes; e.g. testing a load-balancer pass-through.  Other parts
"loop-back" but require flags like "curl --insecure" because the
self-signed certificates aren't trusted.

To make testing more realistic, create a CA that is distributed and
trusted by all testing nodes early in the Zuul playbook.  This then
allows us to sign local certificates created by the letsencrypt
playbooks with this trusted CA and have realistic peer-to-peer secure
communications.

The other thing this does is reworks the letsencrypt self-signed cert
path to correctly setup SAN records for the host.  This also improves
the "realism" of our testing environment.  This is so realistic that
it requires fixing the gitea playbook :).  The Apache service proxying
gitea currently has to override in testing to "localhost" because that
is all the old certificate covered; we can now just proxy to the
hostname directly for testing and production.

Change-Id: I3d49a7b683462a076263127018ec6a0f16735c94
2022-07-07 10:02:46 +10:00

2 lines
19 B
YAML

gitea_no_log: true