Timotej Lazar
46a9ff6fc0
With a hook to restart RGW services on renewal, if there are any. Live certificates are linked to the same path under /etc/ceph on each host, so that the orch service spec is node-independent. Use with something like this (port 80 must be kept free for standalone certbot renewal): service_type: rgw spec: rgw_frontend_port: 8080 rgw_frontend_extra_args: - ssl_port=443 - ssl_private_key=/etc/ceph/privkey.pem - ssl_certificate=/etc/ceph/fullchain.pem extra_container_args: - "--volume" - "/etc/ceph:/etc/ceph:ro" - "--volume" - "/etc/letsencrypt:/etc/letsencrypt:ro"
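---
# Obtain a Let's Encrypt certificate for this host with certbot (standalone
# HTTP-01 challenge, so port 80 must stay free for issuance and renewal) and
# expose the live key/certificate under /etc/ceph, the node-independent path
# the RGW service spec expects on every host.

- name: Get DNS names
  # Every DNS name attached to an address on the loopback interface becomes a
  # subject name of the certificate.
  set_fact:
    domains: '{{ interfaces | selectattr("name", "==", "lo")
                | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
                | sort | unique }}'

- name: Ensure at least one DNS name was found
  # Later tasks evaluate "domains | first"; fail here with a clear message
  # instead of a Jinja error about an empty sequence.
  assert:
    that:
      - domains | length > 0
    fail_msg: "No DNS name found on interface lo; cannot request a certificate"

- name: Install certbot
  package:
    name: certbot

- name: Get LE certificate
  # --register-unsafely-without-email: no expiry or revocation notices from
  # Let's Encrypt will be received for this account.
  # "creates" keeps the task idempotent once certbot has written the renewal
  # config for the first domain.
  command:
    cmd: ip vrf exec default certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --standalone -d {{ domains | join(',') }}
    creates: '/etc/letsencrypt/renewal/{{ domains | first }}.conf'

- name: Create common directory for ceph nodes
  file:
    path: /etc/ceph
    state: directory

- name: Link key and certificate to common location
  # The links point into /etc/letsencrypt/live, which certbot keeps pointing
  # at the current certificate, so the /etc/ceph paths never go stale on renewal.
  file:
    dest: '/etc/ceph/{{ item }}'
    src: '/etc/letsencrypt/live/{{ domains | first }}/{{ item }}'
    state: link
  loop:
    - privkey.pem
    - fullchain.pem

- name: Install certificate deploy hook
  # certbot runs deploy hooks after each successful renewal; this one restarts
  # the RGW services so they load the new certificate.
  copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/
    src: restart-ceph-rgw.sh
    mode: "0755"  # quoted: a bare 0755 is read as an octal integer by YAML 1.1 parsers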