Add Let's Encrypt EAB support

Depends-on: https://review.opendev.org/c/openstack/kolla/+/916617 Change-Id: I57f621e5480db7caa7c939b31cb4080d51d02ff0
stackhpc · Dec 16, 2024 · 42d5585 · 42d5585
1 parent b734083
commit 42d5585
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 2 deletions.
diff --git a/ansible/roles/letsencrypt/defaults/main.yml b/ansible/roles/letsencrypt/defaults/main.yml
@@ -58,3 +58,5 @@ letsencrypt_external_fqdns:
   - "{{ kolla_external_fqdn }}"
 letsencrypt_internal_fqdns:
   - "{{ kolla_internal_fqdn }}"
+
+letsencrypt_external_account_binding: "no"
diff --git a/ansible/roles/letsencrypt/tasks/precheck.yml b/ansible/roles/letsencrypt/tasks/precheck.yml
@@ -31,3 +31,14 @@
   when:
     - enable_letsencrypt | bool
     - kolla_enable_tls_external | bool
+
+- name: Validating letsencrypt EAB variables
+  run_once: true
+  assert:
+    that:
+      - letsencrypt_eab_key_id != ""
+      - letsencrypt_eab_hmac != ""
+    fail_msg: "Both letsencrypt_eab_key_id and letsencrypt_eab_hmac must be set when External account binding is turned on."
+  when:
+    - enable_letsencrypt | bool
+    - letsencrypt_external_account_binding | bool
diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2 b/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
@@ -3,10 +3,10 @@
 {% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
 
 {% if kolla_external_vip_address != kolla_internal_vip_address and kolla_external_fqdn != kolla_external_vip_address %}
-/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id | bool }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 {% if kolla_external_vip_address == kolla_internal_vip_address and kolla_internal_fqdn != kolla_internal_vip_address %}
-/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id | bool }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 
 {{ cron_cmd }}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
@@ -274,6 +274,13 @@ workaround_ansible_issue_8743: yes
 # attempt to renew Let's Encrypt certificate every 12 hours
 #letsencrypt_cron_renew_schedule:  "0   */12   *   *   *"
 
+####################
+# LetsEncrypt external account binding options
+####################
+#letsencrypt_external_account_binding: "no"
+#letsencrypt_eab_hmac: ""
+#letsencrypt_eab_key_id: ""
+
 ################
 # Region options
 ################

diff --git a/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml b/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds support for external account binding (EAB) in Let's Encrypt.