servers/roles/ceph/tasks/cert.yml

- name: Get DNS names
  set_fact:
    domains: '{{ interfaces | selectattr("name", "==", "lo")
             | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
             | sort | unique }}'

- name: Install certbot
  package:
    name: certbot

- name: Get LE certificate
  command:
    cmd: ip vrf exec default certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --standalone -d {{ domains | join(',') }}
    creates: '/etc/letsencrypt/renewal/{{ domains | first }}.conf'

- name: Create common directory for ceph nodes
  file:
    path: /etc/ceph
    state: directory

- name: Link key and certificate to common location
  file:
    dest: '/etc/ceph/{{ item }}'
    src: '/etc/letsencrypt/live/{{ domains | first }}/{{ item }}'
    state: link
  loop:
    - privkey.pem
    - fullchain.pem

- name: Install certificate deploy hook
  copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/
    src: restart-ceph-rgw.sh
    mode: 0755
ceph: add LE certificates With a hook to restart RGW services on renewal, if there are any. Live certificates are linked to the same path under /etc/ceph on each host, so that the orch service spec is node-independent. Use with something like this (port 80 must be kept free for standalone certbot renewal): service_type: rgw spec: rgw_frontend_port: 8080 rgw_frontend_extra_args: - ssl_port=443 - ssl_private_key=/etc/ceph/privkey.pem - ssl_certificate=/etc/ceph/fullchain.pem extra_container_args: - "--volume" - "/etc/ceph:/etc/ceph:ro" - "--volume" - "/etc/letsencrypt:/etc/letsencrypt:ro" 2024-11-08 15:32:06 +00:00			`- name: Get DNS names`
			`set_fact:`
			`domains: '{{ interfaces \| selectattr("name", "==", "lo")`
			`\| map(attribute="ip_addresses") \| flatten \| map(attribute="dns_name")`
			`\| sort \| unique }}'`

			`- name: Install certbot`
			`package:`
			`name: certbot`

			`- name: Get LE certificate`
			`command:`
			`cmd: ip vrf exec default certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --standalone -d {{ domains \| join(',') }}`
			`creates: '/etc/letsencrypt/renewal/{{ domains \| first }}.conf'`

			`- name: Create common directory for ceph nodes`
			`file:`
			`path: /etc/ceph`
			`state: directory`

			`- name: Link key and certificate to common location`
			`file:`
			`dest: '/etc/ceph/{{ item }}'`
			`src: '/etc/letsencrypt/live/{{ domains \| first }}/{{ item }}'`
			`state: link`
			`loop:`
			`- privkey.pem`
			`- fullchain.pem`

			`- name: Install certificate deploy hook`
			`copy:`
			`dest: /etc/letsencrypt/renewal-hooks/deploy/`
			`src: restart-ceph-rgw.sh`
			`mode: 0755`