let's encrypt recert #41

Open
danseo-reisys opened this issue Jan 25, 2020 · 4 comments
question Further information is requested
@danseo-reisys

This script set has been very useful for me. Thanks! I have a few questions.

  1. Could you share the steps to kick off the playbook for Let's Encrypt recertification?
  2. How can I retrieve the master inventory file that gets created?
  3. Would it work for the latest release of v3.11.xxx?
  4. Is there a way to modify the script to make it work for version 4.2?
@jaredhocutt
Owner

This script set has been very useful for me. Thanks! I have a few questions.

That's awesome! I'm glad it's been helpful.

  1. Could you share the steps to kick off the playbook for Let's Encrypt recertification?

The command that I run to generate the LetsEncrypt certificates is:

docker run --rm --name certbot \
    -v "/etc/letsencrypt:/etc/letsencrypt:z" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt:z" \
    -e AWS_ACCESS_KEY_ID={{ lookup('env', 'AWS_ACCESS_KEY_ID') }} \
    -e AWS_SECRET_ACCESS_KEY={{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }} \
    certbot/dns-route53 certonly \
    --non-interactive \
    --agree-tos \
    --email "{{ cert_email_address }}" \
    --dns-route53 \
    --dns-route53-propagation-seconds 45 \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --domain "{{ openshift_public_hostname }}" \
    --domain "*.apps.{{ openshift_public_hostname }}"

You should be able to run that command from the master to update the certificates on disk. Be sure to update the variables in that command to match your environment.

From there, you can use the OpenShift documentation on how to apply those updated certificates to the cluster: https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html

  2. How can I retrieve the master inventory file that gets created?

The inventory file is on the master at /etc/ansible/hosts.

  3. Would it work for the latest release of v3.11.xxx?

I haven't specifically tested every single z-stream of v3.11, but it should work with all of them.

  4. Is there a way to modify the script to make it work for version 4.2?

OpenShift 4.x is deployed in a very different way. Unfortunately, very little of the code in this repository is re-usable for OpenShift 4.x. I have it on my to-do list to work on some automation for deploying OpenShift 4.x bare metal (the generic version of the install) that I may incorporate into this tool eventually, but I don't have a timeline for it.

I would recommend checking out the automated provisioning built into OpenShift 4.x for most uses as it should give you a similar experience to how this tool works.

@jaredhocutt jaredhocutt added the question Further information is requested label Jan 25, 2020
@jaredhocutt jaredhocutt self-assigned this Jan 25, 2020
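The certbot command above requests two names: the public hostname itself and a one-level wildcard under `apps.`. Before redeploying the certificates onto the cluster, it is worth confirming that the renewed certificate actually covers the names the cluster will serve. The following is an added example, not code from this repository; it assumes the `openssl` CLI is installed for reading SANs from the PEM file, and the route names `console`/`registry` are illustrative.

```python
import subprocess
from typing import Iterable, List


def openshift_required_hosts(public_hostname: str) -> List[str]:
    """Names the renewed certificate must cover for the command above: the
    API/console hostname and single-label names under the apps domain.
    The two apps routes are illustrative; any one-label route behaves the same."""
    return [
        public_hostname,
        f"console.apps.{public_hostname}",
        f"registry.apps.{public_hostname}",
    ]


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style matching: '*' is accepted only as the entire left-most
    label and covers exactly one label, so '*.apps.example.com' matches
    'console.apps.example.com' but not 'a.b.apps.example.com' or 'apps.example.com'."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # ".apps.example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # what the wildcard would stand for
    return left != "" and "." not in left


def uncovered_hosts(sans: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Return the required hosts that no SAN entry covers (empty list == OK)."""
    sans = list(sans)
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def sans_from_pem(pem_path: str) -> List[str]:
    """Extract DNS SANs from a PEM certificate via the openssl CLI (>= 1.1.1).
    Assumed path, e.g. /etc/letsencrypt/live/<public_hostname>/fullchain.pem."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    ).stdout
    # Output looks like "X509v3 Subject Alternative Name:\n    DNS:a, DNS:*.b"
    entries = [e.strip() for line in out.splitlines() for e in line.split(",")]
    return [e.split(":", 1)[1] for e in entries if e.startswith("DNS:")]
```

If `uncovered_hosts(sans_from_pem(path), openshift_required_hosts(hostname))` is non-empty, the renewal did not produce what the cluster needs and the redeploy step should not be run.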
@danseo-reisys
Author

danseo-reisys commented Feb 1, 2020

Hi Jared,
Have you tested your script in us-west-2?
I could not get it to work in the us-west-2 region.
Thanks,

@danseo-reisys
Author

This error occurs only in west-2; east-1, east-2 and west-1 are fine.

TASK [provision_aws : Create DNS entry for bastion] ****************************
Saturday 01 February 2020 00:20:49 +0000 (0:00:00.061) 0:02:12.711 *****
fatal: [localhost]: FAILED! => {}

MSG:

The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'openshift_role_master'

The error appears to have been in '/app/playbooks/roles/provision_aws/tasks/route53.yml': line 16, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  - name: Create DNS entry for bastion
    ^ here

@jaredhocutt
Owner

This is an unfortunate artifact of the inventory/inventory.aws_ec2.yml file having to be hard-coded for the regions; it cannot use variables.

I have the defaults set to the following due to this tool originally being built for use in an AWS account where only those regions were allowed.

  • us-east-1
  • us-east-2
  • us-west-2

One way to fix it would be to have the startup of the container that runs the playbooks to automatically edit the file with the specified region so that it's always correct.

I can try to take a stab at it at some point in the future, but it's likely to be a while as I'm focused on getting a tool to help deploy OpenShift 4.
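The fix suggested above (have the container's startup rewrite the hard-coded `regions:` list in `inventory/inventory.aws_ec2.yml` from the region the user specified) can be done without a YAML library, which keeps it usable from a minimal entrypoint. This is an added example, not code from this repository; the inventory layout it assumes is the standard `aws_ec2` plugin form with a top-level `regions:` block list, and the `AWS_REGION` variable name is an assumption.

```python
import os
import re
import sys
from typing import List

# Constructed inventory in the aws_ec2 plugin layout this example assumes.
SAMPLE_INVENTORY = (
    "plugin: aws_ec2\n"
    "regions:\n"
    "  - us-east-1\n"
    "  - us-east-2\n"
    "  - us-west-2\n"
    "filters:\n"
    "  tag:Name: bastion\n"
)

# Only accept well-formed AWS region names so a stray env value cannot
# inject arbitrary YAML into the inventory.
REGION_RE = re.compile(r"[a-z]{2}(?:-gov)?-[a-z]+-\d")


def set_inventory_regions(inventory_text: str, regions: List[str]) -> str:
    """Replace the top-level 'regions:' list with exactly `regions`,
    leaving every other key in the inventory untouched."""
    bad = [r for r in regions if not REGION_RE.fullmatch(r)]
    if bad or not regions:
        raise ValueError(f"invalid region list: {regions}")
    lines, out, i, replaced = inventory_text.splitlines(), [], 0, False
    while i < len(lines):
        # Match both the block form "regions:" and the flow form "regions: [a, b]".
        if re.match(r"^regions:(\s*\[.*\])?\s*$", lines[i]):
            out.append("regions:")
            out.extend(f"  - {r}" for r in regions)
            i += 1
            while i < len(lines) and re.match(r"^\s+-\s", lines[i]):
                i += 1                      # drop the old block-list items
            replaced = True
            continue
        out.append(lines[i])
        i += 1
    if not replaced:
        raise ValueError("no top-level 'regions:' key in inventory")
    return "\n".join(out) + "\n"


if __name__ == "__main__":                  # entrypoint use: rewrite the real file
    path = sys.argv[1] if len(sys.argv) > 1 else "inventory/inventory.aws_ec2.yml"
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(set_inventory_regions(text, [os.environ["AWS_REGION"]]))
```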
