Support Let's Encrypt for Open OnDemand #714
Conversation
priteau
force-pushed
the
lets-encrypt-ood
branch
from
c346577 to
2136629
Compare
priteau
force-pushed
the
lets-encrypt-ood
branch
4 times, most recently
from
a85f8da to
ffeafae
Compare
priteau
force-pushed
the
lets-encrypt-ood
branch
from
ffeafae to
ccafe06
Compare
|
|
||
| Alternatively, you can generate a certificate from Let's Encrypt automatically by configuring the following variables: | ||
| - `openondemand_certbot`: Optional. Default is false. Set to true to request a certificate from Let's Encrypt. | ||
| - `openondemand_certbot_email`: Optional. Default is empty. Set to the admin email address if using Let's Encrypt. |
There was a problem hiding this comment.
Does the domain for this have to match e.g. the cluster_domain_suffix or anything?
| default = [ | ||
| "default", # allow all in-cluster services | ||
| "SSH", # access via ssh | ||
| "HTTP", # HTTP-01 challenge and redirect to HTTPS |
There was a problem hiding this comment.
I really don't like the fact this means all existing deployments, when they merge this, are either going to have to add this HTTP secgroup or else override login_security_groups (or equivalent for the nodegroup containing ondemand host). I wonder if we can work around this somehow...
| import_role: | ||
| name: openondemand | ||
| tasks_from: certbot.yml | ||
| when: "'openondemand' in group_names" |
There was a problem hiding this comment.
I think this should also add when: openondemand_certbot | bool for consistency with behaviour of openondemand/tasks/main.yml?
|
|
||
| - name: Generate Let's Encrypt certificate | ||
| command: sudo certbot certonly --standalone -d {{ openondemand_servername }} -n -m {{ openondemand_certbot_email }} --agree-tos | ||
| when: appliances_mode == 'configure' |
There was a problem hiding this comment.
I think it'd be more consistent as:
| when: appliances_mode == 'configure' | |
| when: appliances_mode != 'build' |
b/c you can use e.g. -e appliances_mode=all to fake a build + deploy for debugging/dev - generally we've tried to make it so that not using "build" or "configure" does "everything".
But its definitely not totally consistent so not very fussed.
| - `openondemand_ssl_cert_key`: Optional. Default `/etc/pki/tls/private/localhost.key` (unless `openondemand_certbot` is true). | ||
|
|
||
| Alternatively, you can generate a certificate from Let's Encrypt automatically by configuring the following variables: | ||
| - `openondemand_certbot`: Optional. Default is false. Set to true to request a certificate from Let's Encrypt. |
There was a problem hiding this comment.
Agree this is the correct default, but wonder if we should set it true in stackhpc so
a) we include these packages in the StackHPC images
b) CI tests certbot
| - Created instances have access to internet (note proxies can be setup through the appliance if necessary). | ||
| - Created instances have accurate/synchronised time (for VM instances this is usually provided by the hypervisor; if not or for bare metal instances it may be necessary to configure a time service via the appliance). | ||
| - Three security groups are present: `default` allowing intra-cluster communication, `SSH` allowing external access via SSH and `HTTPS` allowing access for Open OnDemand. | ||
| - Four security groups are present: ``default`` allowing intra-cluster communication, ``SSH`` allowing external access via SSH, and ``HTTP`` and ``HTTPS`` allowing access for Open OnDemand. |
| - python3-certbot-apache | ||
|
|
||
| - block: | ||
| - name: Validate that server name is set |
There was a problem hiding this comment.
Actually already done in ansible/roles/openondemand/tasks/validate.yml?
| - certbot | ||
| - python3-certbot-apache | ||
|
|
||
| - block: |
There was a problem hiding this comment.
Can we move these to ansible/roles/openondemand/tasks/validate.yml? That is called much earlier (buy ansible/validate) than this, and only from site.yml so doesn't run during build.
2 participants
No description provided.