Add Let's Encrypt EAB support

Depends-on: https://review.opendev.org/c/openstack/kolla/+/916617
Change-Id: I57f621e5480db7caa7c939b31cb4080d51d02ff0
This commit is contained in:
Piotr Parczewski 2024-11-19 14:53:49 +01:00
parent 4ac2701740
commit a349ca19a2
5 changed files with 26 additions and 2 deletions


@ -57,3 +57,5 @@ letsencrypt_external_fqdns:
- "{{ kolla_external_fqdn }}" - "{{ kolla_external_fqdn }}"
letsencrypt_internal_fqdns: letsencrypt_internal_fqdns:
- "{{ kolla_internal_fqdn }}" - "{{ kolla_internal_fqdn }}"
letsencrypt_external_account_binding: "no"


@ -31,3 +31,14 @@
when: when:
- enable_letsencrypt | bool - enable_letsencrypt | bool
- kolla_enable_tls_external | bool - kolla_enable_tls_external | bool
- name: Validating letsencrypt EAB variables
run_once: true
assert:
that:
- letsencrypt_eab_key_id != ""
- letsencrypt_eab_hmac != ""
fail_msg: "Both letsencrypt_eab_key_id and letsencrypt_eab_hmac must be set when External account binding is turned on."
when:
- enable_letsencrypt | bool
- letsencrypt_external_account_binding | bool
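Review bot: The new assertion compares `letsencrypt_eab_key_id` and `letsencrypt_eab_hmac` against `""`, so if either variable is left undefined (the defaults section in this commit visibly adds only the `letsencrypt_external_account_binding` toggle, and globals.yml ships both values commented out) the task aborts with an undefined-variable error instead of the intended `fail_msg`. Guarding for definition and non-emptiness gives operators the clear message: `- letsencrypt_eab_key_id is defined and letsencrypt_eab_key_id | length > 0` and `- letsencrypt_eab_hmac is defined and letsencrypt_eab_hmac | length > 0`. The preceding task whose `when:` appears at the top of the hunk starts outside it, as does the rest of the task list.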


@ -4,11 +4,11 @@
{% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %} {% if 'external' in letsencrypt_managed_certs and kolla_external_fqdn != kolla_external_vip_address %}
# External Certificates # External Certificates
/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log /usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_external_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
{% endif %} {% endif %}
{% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %} {% if 'internal' in letsencrypt_managed_certs and kolla_internal_fqdn != kolla_internal_vip_address %}
# Internal Certificates # Internal Certificates
/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log /usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_internal_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
{% endif %} {% endif %}
{{ cron_cmd }} {{ cron_cmd }}
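Review bot: Both rewritten command lines pass the EAB HMAC key as a plain `--hmac` argument, so while the cron job runs the secret is readable by any local user through `ps` or `/proc/<pid>/cmdline`, and if `/usr/bin/letsencrypt-certificates` echoes its invocation it will also be appended to the `tee`'d lego log. Since the script lives in the Depends-on kolla change, that change is the place to accept the HMAC from an environment variable or a root-only file and to keep it out of any logged command line; this template would then only need to set that variable or write that file. Separately, the same `letsencrypt_eab_hmac`/`letsencrypt_eab_key_id` pair is appended to the internal command even though it may target a different ACME server (`letsencrypt_internal_cert_server`); if that is intended, a one-line comment above the internal block such as `{# EAB credentials are shared by the external and internal ACME endpoints #}` would document it.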


@ -281,6 +281,13 @@ workaround_ansible_issue_8743: yes
# attempt to renew Let's Encrypt certificate every 12 hours # attempt to renew Let's Encrypt certificate every 12 hours
#letsencrypt_cron_renew_schedule: "0 */12 * * *" #letsencrypt_cron_renew_schedule: "0 */12 * * *"
####################
# LetsEncrypt external account binding options
####################
#letsencrypt_external_account_binding: "no"
#letsencrypt_eab_hmac: ""
#letsencrypt_eab_key_id: ""
################ ################
# Region options # Region options
################ ################
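Review bot: The new section banner uses `####################` (20 characters) while the neighbouring "Region options" banner and the rest of this file use the 16-character `################`; matching the existing width keeps the file's visual rhythm. Because `letsencrypt_eab_hmac` is an account secret rather than a tunable, the commented example would benefit from one line steering operators away from committing it here, for instance `# Keep letsencrypt_eab_hmac out of globals.yml; store it with the other secrets (e.g. passwords.yml under vault).`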


@ -0,0 +1,4 @@
---
features:
- |
Adds support for external account binding (EAB) in Let's Encrypt.