Set default external Let's Encrypt cert server

Currently, unless users set either external or internal cert server by
themselves, enabling Let's Encrypt with ``enable_letsencrypt`` does
nothing.

This change makes the external certificate get managed by Let's Encrypt
by default when Let's Encrypt is enabled.
The server address is default Let's Encrypt ACME server [1]
which was the former default before change [2].

[1] https://acme-v02.api.letsencrypt.org/directory
[2] https://review.opendev.org/c/openstack/kolla-ansible/+/925971

Closes-bug: #2120451
Change-Id: I10e800aede5966e030ed8e661e2eb45b126ff678
Signed-off-by: Seunghun Lee <[email protected]>
(cherry picked from commit 15dc0d0)

Author: seunghun1ee

ansible/group_vars/all.yml

@@ -503,7 +503,7 @@ kuryr_port: "23750"
 
 letsencrypt_webserver_port: "8081"
 letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
-letsencrypt_external_cert_server: ""
+letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
 letsencrypt_internal_cert_server: ""
 
 magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"

doc/source/admin/tls.rst

@@ -316,19 +316,26 @@ to the HAProxy containers using SSH.
   with HAProxy.
 
 You can configure separate ACME servers for internal and external
-certificate requests.
-
-.. code-block:: yaml
-
-  letsencrypt_external_cert_server: "<ACME server URL for external cert>"
-  letsencrypt_internal_cert_server: "<ACME server URL for internal cert>"
-
-.. note::
-
-  The ``letsencrypt_external_cert_server`` has a default value of
-  ``https://acme-v02.api.letsencrypt.org/directory``. Ensure that
-  ``letsencrypt_internal_cert_server`` is reachable from the controller
-  if you configure it for internal certificate requests.
+certificate requests by setting server URL on
+``letsencrypt_internal_cert_server`` and
+``letsencrypt_external_cert_server`` respectively.
+The default is external certificate ACME server set to
+``https://acme-v02.api.letsencrypt.org/directory``.
+
+.. list-table:: Let's Encrypt management
+   :widths: 28 72
+   :header-rows: 1
+
+   * - Desired outcome
+     - Settings
+   * - External only (default)
+     - Enable Let's Encrypt; no further changes.
+   * - External + internal
+     - Set ``letsencrypt_internal_cert_server`` and ensure it is reachable
+       from the controller.
+   * - Internal only
+     - Set ``letsencrypt_external_cert_server: ""`` and set
+       ``letsencrypt_internal_cert_server``.
 
 .. _admin-tls-generating-a-private-ca:
 

releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml

@@ -0,0 +1,13 @@
+---
+fixes:
+  - |
+    Restore the default Let's Encrypt ACME server for external certificates
+    so that enabling ``enable_letsencrypt`` works out of the box again
+    without explicitly setting ``letsencrypt_external_cert_server``. The
+    default is ``https://acme-v02.api.letsencrypt.org/directory``.
+upgrade:
+  - |
+    Deployments using a file-based external certificate and Let's Encrypt for
+    the internal certificate (separate VIPs) default to managing the external
+    certificate with Let's Encrypt. To retain a file-based external
+    certificate, set ``letsencrypt_external_cert_server: ""``.