data:image/s3,"s3://crabby-images/4fa2d/4fa2dc578cb9f460ca6d8114d888f856144ad8ce" alt="Dmitriy Rabotyagov"
Currently Let's Encrypt is using `haproxy_bind_external_lb_vip_address` to identify the naming of the resulting certificate, which might not match expectations, as all other parts of the code already use `haproxy_vip_binds` for calculating the resulting TLS path. This patch introduces a `type` key for `haproxy_vip_binds` which is used to identify for which frontends the Let's Encrypt certificate should be used, as in most scenarios it's not going to be issued for "internal" VIPs anyway due to the dns-01 requirement. Also, moving to a single "source of truth" for VIP bindings allows overriding and having control over this behaviour.

Change-Id: Id07d9a0ea270d613b37b6adfa373d01a47f7421f
10 lines, 502 B, Django/Jinja
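The bind-selection and certificate-naming rule described in the commit message, mirrored in plain Python as an added example (this is not code from the openstack-ansible commit). It assumes only the dict keys the template reads (`type`, `address`, `interface`), a default `haproxy_ssl_cert_path` of `/etc/haproxy/ssl` (assumed), and a constructed sample of `haproxy_vip_binds`; it also adds a pre-flight helper that lists binds the hook would skip, which the template itself does not report.

```python
"""Mirror of the Let's Encrypt hook's bind selection and cert naming.

Added example, not part of the openstack-ansible commit. Reproduces
  selectattr('type', 'defined') | selectattr('type', 'eq', 'external')
and the ternary-based file name
  haproxy_<hostname>-<address>[-<interface>].pem
so the effect of the new `type` key can be checked outside Ansible.
"""
from typing import Dict, List

# Constructed sample of haproxy_vip_binds: two external binds (one with an
# interface), one internal bind, and one legacy entry with no `type` key.
SAMPLE_VIP_BINDS: List[Dict[str, str]] = [
    {"address": "203.0.113.10", "type": "external"},
    {"address": "203.0.113.11", "interface": "eth1", "type": "external"},
    {"address": "10.0.0.5", "type": "internal"},
    {"address": "10.0.0.6"},  # no `type`: the template skips it silently
]


def is_external(vip: Dict[str, str]) -> bool:
    """True for binds the template selects: `type` defined and == 'external'.
    A missing key yields None, which is never equal to 'external'."""
    return vip.get("type") == "external"


def letsencrypt_cert_paths(vip_binds: List[Dict[str, str]], hostname: str,
                           cert_path: str = "/etc/haproxy/ssl") -> List[str]:
    """Return the bundle paths the hook would write, in bind order.

    cert_path stands in for haproxy_ssl_cert_path (default assumed here).
    """
    paths = []
    for vip in vip_binds:
        if not is_external(vip):
            continue
        suffix = vip["address"]
        # Same truthiness test as Ansible's ternary on vip.get('interface'):
        # an absent or empty interface falls back to the bare address.
        if vip.get("interface"):
            suffix = f"{suffix}-{vip['interface']}"
        paths.append(f"{cert_path}/haproxy_{hostname}-{suffix}.pem")
    return paths


def unselected_binds(vip_binds: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Binds that will receive no Let's Encrypt bundle. Useful as a pre-flight
    check after overriding haproxy_vip_binds, because the template gives no
    indication when an untyped bind is dropped."""
    return [vip for vip in vip_binds if not is_external(vip)]


if __name__ == "__main__":
    for path in letsencrypt_cert_paths(SAMPLE_VIP_BINDS, "lb1"):
        print("would write:", path)
    for vip in unselected_binds(SAMPLE_VIP_BINDS):
        print("no certificate for bind:", vip)
```

Running it against the constructed sample shows that the bind without a `type` key lands in the "no certificate" list alongside the internal one, which is the migration case an operator overriding `haproxy_vip_binds` needs to watch for.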
```jinja
#!/bin/bash

# renew cert if required and copy to haproxy destination

{% for vip in haproxy_vip_binds | selectattr('type', 'defined') | selectattr('type', 'eq', 'external') %}
cat /etc/letsencrypt/live/{{ haproxy_ssl_letsencrypt_domains | first }}/{fullchain,privkey}.pem \
  > {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (vip.get('interface')) | ternary(vip['address'] ~ '-' ~ vip.get('interface'), vip['address']) ~ '.pem' }}
{% endfor %}

systemctl reload haproxy
```
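Review bot: the bundle written by `cat .../{fullchain,privkey}.pem > {{ haproxy_ssl_cert_path ... }}` contains the private key, but its mode is left to the shell's umask because a plain redirection creates the file; set a restrictive `umask 077` at the top of the script, or write via `install -m 0600`, so the key is never briefly world-readable. Separately, `selectattr('type', 'defined') | selectattr('type', 'eq', 'external')` drops any bind that lacks the new `type` key without any message, so an existing override of `haproxy_vip_binds` that predates this change will silently stop receiving certificates; a documented default (treating untyped binds as external) or an assert in the role would make that migration visible. The leading comment also says "renew cert if required", while the script only copies and reloads; wording it as a post-renewal deploy hook would avoid confusing operators.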