diff --git a/ansible/roles/letsencrypt/defaults/main.yml b/ansible/roles/letsencrypt/defaults/main.yml
index 4d41fe9d08..b8f2e7cc72 100644
--- a/ansible/roles/letsencrypt/defaults/main.yml
+++ b/ansible/roles/letsencrypt/defaults/main.yml
@@ -58,3 +58,5 @@ letsencrypt_external_fqdns:
   - "{{ kolla_external_fqdn }}"
 letsencrypt_internal_fqdns:
   - "{{ kolla_internal_fqdn }}"
+
+letsencrypt_external_account_binding: "no"
diff --git a/ansible/roles/letsencrypt/tasks/precheck.yml b/ansible/roles/letsencrypt/tasks/precheck.yml
index 6ad18cb535..daa4a79c31 100644
--- a/ansible/roles/letsencrypt/tasks/precheck.yml
+++ b/ansible/roles/letsencrypt/tasks/precheck.yml
@@ -31,3 +31,14 @@
   when:
     - enable_letsencrypt | bool
     - kolla_enable_tls_external | bool
+
+- name: Validating letsencrypt EAB variables
+  run_once: true
+  assert:
+    that:
+      - letsencrypt_eab_key_id != ""
+      - letsencrypt_eab_hmac != ""
+    fail_msg: "Both letsencrypt_eab_key_id and letsencrypt_eab_hmac must be set when External account binding is turned on."
+  when:
+    - enable_letsencrypt | bool
+    - letsencrypt_external_account_binding | bool
diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2 b/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
index 3f1282f80c..3e38c1d360 100644
--- a/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
+++ b/ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2
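Review bot: `letsencrypt_eab_hmac` and `letsencrypt_eab_key_id` are not given defaults alongside the new `letsencrypt_external_account_binding` key, yet the precheck in tasks/precheck.yml compares both to `""` and the lego-run template interpolates them; with Ansible's default undefined-variable handling, enabling EAB without setting them will most likely abort on an undefined-variable error before the intended `fail_msg` is ever shown, and the commented examples in etc/kolla/globals.yml already document empty strings as the defaults. Add `letsencrypt_eab_hmac: ""` and `letsencrypt_eab_key_id: ""` next to the new key so the precheck and the template always see defined values. The same gap affects the precheck.yml and globals.yml hunks of this change.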
@@ -3,10 +3,10 @@
 {% set cron_cmd = 'cron -f' if kolla_base_distro in ['ubuntu', 'debian'] else 'crond -s -n' %}
 {% if kolla_external_vip_address != kolla_internal_vip_address and kolla_external_fqdn != kolla_external_vip_address %}
-/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id | bool }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 {% if kolla_external_vip_address == kolla_internal_vip_address and kolla_internal_fqdn != kolla_internal_vip_address %}
-/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
+/usr/bin/letsencrypt-certificates --internal --fqdns {% for fqdn in letsencrypt_internal_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups['loadbalancer'] %}{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %}{% if letsencrypt_external_account_binding | bool %} --eab --hmac {{ letsencrypt_eab_hmac }} --kid {{ letsencrypt_eab_key_id | bool }}{% endif %} 2>&1 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log
 {% endif %}
 {{ cron_cmd }}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index a092c11dbe..32801e5ac7 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -274,6 +274,13 @@ workaround_ansible_issue_8743: yes
 # attempt to renew Let's Encrypt certificate every 12 hours
 #letsencrypt_cron_renew_schedule: "0 */12 * * *"
+####################
+# LetsEncrypt external account binding options
+####################
+#letsencrypt_external_account_binding: "no"
+#letsencrypt_eab_hmac: ""
+#letsencrypt_eab_key_id: ""
+
 ################
 # Region options
 ################
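Review bot: `--kid {{ letsencrypt_eab_key_id | bool }}` filters the EAB key identifier through `bool` on both the `--external` and the `--internal` command lines, so the wrapper is handed `True`/`False` (or, depending on the Ansible version, a template error for a string that does not look boolean) instead of the account key ID; change both occurrences to `--kid {{ letsencrypt_eab_key_id }}`. `letsencrypt_eab_hmac` is a credential, and rendering it into this script places it on the command line of `letsencrypt-certificates` and whatever that wrapper runs, where it is readable in process listings on the host while the renewal runs; the rendered script file also needs restrictive permissions, which this hunk cannot show. If the wrapper can take the HMAC from a file or the environment instead, that would be the safer hand-off, and either way the role documentation should say where the secret ends up. The first two lines of the template are outside this hunk.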
diff --git a/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml b/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml
new file mode 100644
index 0000000000..ac473fb0dd
--- /dev/null
+++ b/releasenotes/notes/add-letsencrypt-eab-support-7951e7a572718ce9.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds support for external account binding (EAB) in Let's Encrypt.