diff --git a/ansible/roles/letsencrypt/defaults/main.yml b/ansible/roles/letsencrypt/defaults/main.yml
index c839b747b1..e0287add43 100644
--- a/ansible/roles/letsencrypt/defaults/main.yml
+++ b/ansible/roles/letsencrypt/defaults/main.yml
@@ -57,3 +57,5 @@ letsencrypt_external_fqdns:
 - "{{ kolla_external_fqdn }}"
 letsencrypt_internal_fqdns:
 - "{{ kolla_internal_fqdn }}"
+
+letsencrypt_external_account_binding: "no"
diff --git a/ansible/roles/letsencrypt/tasks/precheck.yml b/ansible/roles/letsencrypt/tasks/precheck.yml
index b1462dbadc..f232457106 100644
--- a/ansible/roles/letsencrypt/tasks/precheck.yml
+++ b/ansible/roles/letsencrypt/tasks/precheck.yml
@@ -31,3 +31,14 @@
 when:
 - enable_letsencrypt | bool
 - kolla_enable_tls_external | bool
+
+- name: Validating letsencrypt EAB variables
+ run_once: true
+ assert:
+ that: - letsencrypt_eab_key_id != "" - letsencrypt_eab_hmac != ""
+ fail_msg: "Both letsencrypt_eab_key_id and letsencrypt_eab_hmac must be set when External account binding is turned on."
+ when: - enable_letsencrypt | bool - letsencrypt_external_account_binding | bool
diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2 b/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
index 5c472f706b..743f390946 100644
--- a/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
+++ b/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
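Review bot: The new default only covers `letsencrypt_external_account_binding`; `letsencrypt_eab_key_id` and `letsencrypt_eab_hmac` get no default here, so the assert added in ansible/roles/letsencrypt/tasks/precheck.yml in the same commit will fail on an undefined variable rather than with its `fail_msg` whenever binding is enabled but the operator has not set both values. Add `letsencrypt_eab_key_id: ""` and `letsencrypt_eab_hmac: ""` next to the new toggle so the precheck produces the intended message. The toggle itself is the quoted string `"no"` rather than the boolean `false`; every consumer in this commit filters it through `| bool`, so it works, but `letsencrypt_external_account_binding: false` avoids the truthy-string round trip (the same `"no"` is echoed in the commented example in etc/kolla/globals.yml).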
@@ -4,11 +4,11 @@
 {% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %}
 # External Certificates
-/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 {% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %}
 # Internal Certificates
-/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ 
letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 {{ cron_cmd }}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 1c0ee0371b..2afc0a1554 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -281,6 +281,13 @@ workaround_ansible_issue_8743: yes
 # attempt to renew Let's Encrypt certificate every 12 hours
 #letsencrypt_cron_renew_schedule: "0 */12 * * *"
+####################
+# LetsEncrypt external account binding options
+####################
+#letsencrypt_external_account_binding: "no"
+#letsencrypt_eab_hmac: ""
+#letsencrypt_eab_key_id: ""
+
 ################
 # Region options
 ################
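Review bot: The EAB HMAC key is interpolated unquoted into the command line on both new `/usr/bin/letsencrypt-certificates` lines, which makes it readable by any local user through the process list for the duration of each run and leaves it in clear text in the rendered script on the host. At minimum single-quote the two substitutions, `--hmac '{{ letsencrypt_eab_hmac }}' --kid '{{ letsencrypt_eab_key_id }}'`, so a key id or HMAC containing shell metacharacters cannot break or alter the command, and make sure the template is rendered with a restrictive file mode; if the wrapper can read the credential from the environment or a file instead of an argument, prefer that. Note also that a single `letsencrypt_external_account_binding` toggle and one kid/HMAC pair are applied to both the external and the internal command even though `letsencrypt_external_cert_server` and `letsencrypt_internal_cert_server` are configured separately, so deployments whose two ACME endpoints need different EAB credentials cannot express that. The internal-certificates `-`/`+` pair of this hunk is split across the page boundary.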
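Review bot: The commented example places `letsencrypt_eab_hmac: ""` in globals.yml alongside the ordinary options, with nothing telling the operator that this value is an account credential for the ACME server rather than a tunable; add a line such as `# letsencrypt_eab_hmac is a credential: keep it in a vaulted secrets file, not here` above it. The example toggle `"no"` mirrors the role default; if the default is ever changed to a plain boolean, keep this example in step so the two do not drift.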
diff --git a/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml b/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml
new file mode 100644
index 0000000000..ac473fb0dd
--- /dev/null
+++ b/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds support for external account binding (EAB) in Let's Encrypt.