Add Let's Encrypt EAB support

Depends-on: https://review.opendev.org/c/openstack/kolla/+/916617
Change-Id: I57f621e5480db7caa7c939b31cb4080d51d02ff0

ansible/roles/letsencrypt/defaults/main.yml

@@ -57,3 +57,5 @@ letsencrypt_external_fqdns:
   - "{{ kolla_external_fqdn }}"
 letsencrypt_internal_fqdns:
   - "{{ kolla_internal_fqdn }}"
+
+letsencrypt_external_account_binding: "no"

ansible/roles/letsencrypt/tasks/precheck.yml

@@ -31,3 +31,14 @@
   when:
     - enable_letsencrypt | bool
     - kolla_enable_tls_external | bool
+
+- name: Validating letsencrypt EAB variables
+  run_once: true
+  assert:
+    that:
+      - letsencrypt_eab_key_id != ""
+      - letsencrypt_eab_hmac != ""
+    fail_msg: "Both letsencrypt_eab_key_id and letsencrypt_eab_hmac must be set when External account binding is turned on."
+  when:
+    - enable_letsencrypt | bool
+    - letsencrypt_external_account_binding | bool

ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2

@@ -4,11 +4,11 @@
 
 {% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %}
 # External Certificates
-/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 {% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %}
 # Internal Certificates
-/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 
 {{ cron_cmd }}

etc/kolla/globals.yml

@@ -281,6 +281,13 @@ workaround_ansible_issue_8743: yes
 # attempt to renew Let's Encrypt certificate every 12 hours
 #letsencrypt_cron_renew_schedule:  "0   */12   *   *   *"
 
+####################
+# LetsEncrypt external account binding options
+####################
+#letsencrypt_external_account_binding: "no"
+#letsencrypt_eab_hmac: ""
+#letsencrypt_eab_key_id: ""
+
 ################
 # Region options
 ################

releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds support for external account binding (EAB) in Let's Encrypt.