author | Jenkins <jenkins@review.openstack.org> | 2017-08-21 11:42:06 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-08-21 11:42:06 +0000 |
commit | 1dc48e6b9443f8433862901ba328d043ac1d1fbf (patch) | |
tree | eecd349005bb657693f67bfcac56ec13eab34d21 | |
parent | 207b1ea97b572aefad0a567a978e6bd6172e2b89 (diff) | |
parent | 095d130f9dbadb698c2c349819e754a907455ee0 (diff) |
Merge "Certmonger: Make postsave command configurable"
-rw-r--r-- | manifests/certmonger/haproxy.pp | 13 | ||||
-rw-r--r-- | manifests/certmonger/httpd.pp | 10 | ||||
-rw-r--r-- | manifests/certmonger/mongodb.pp | 10 | ||||
-rw-r--r-- | manifests/certmonger/mysql.pp | 10 | ||||
-rw-r--r-- | manifests/certmonger/rabbitmq.pp | 10 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 18 |
6 files changed, 55 insertions, 16 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index d4f4ad2..819348d 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -32,10 +32,6 @@ # The hostname that certmonger will use as the common name for the # certificate. # -# [*postsave_cmd*] -# The post-save-command that certmonger will use once it renews the -# certificate. -# # [*certmonger_ca*] # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). @@ -48,15 +44,19 @@ # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # +# [*postsave_cmd*] +# The post-save-command that certmonger will use once it renews the +# certificate. +# define tripleo::certmonger::haproxy ( $service_pem, $service_certificate, $service_key, $hostname, - $postsave_cmd, $certmonger_ca = hiera('certmonger_ca', 'local'), $dnsnames = undef, $principal = undef, + $postsave_cmd = undef, ){ include ::certmonger include ::haproxy::params @@ -74,6 +74,7 @@ define tripleo::certmonger::haproxy ( $dnsnames_real = $hostname } + $postsave_cmd_real = pick($postsave_cmd, 'systemctl reload haproxy') certmonger_certificate { "${title}-cert": ensure => 'present', ca => $certmonger_ca, @@ -81,7 +82,7 @@ define tripleo::certmonger::haproxy ( dnsname => $dnsnames_real, certfile => $service_certificate, keyfile => $service_key, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, principal => $principal, wait => true, tag => 'haproxy-cert', diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index e9754f7..1b57984 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp 
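Review bot: In the `@@ -74,6 +74,7 @@` hunk the fallback `'systemctl reload haproxy'` hard-codes the unit name, whereas the sibling manifests in this commit build theirs from the service's params class; the define already includes `::haproxy::params`, so the name could come from there if that class exposes one. Making the parameter optional also means a caller that used to be forced to supply a command now silently gets a plain reload. If `$service_pem` is a bundle assembled from the certificate and key elsewhere in this define (not visible in the hunk), a reload alone after renewal would leave HAProxy serving the old bundle until the next Puppet run, so the default should either rebuild the bundle or the doc block should say that it does not. The body of the define continues outside the hunk.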
@@ -36,6 +36,11 @@ # in the certificate. If left unset, the value will be set to the $hostname. # Defaults to undef # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # @@ -45,6 +50,7 @@ define tripleo::certmonger::httpd ( $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), $dnsnames = undef, + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger @@ -56,7 +62,7 @@ define tripleo::certmonger::httpd ( $dnsnames_real = $hostname } - $postsave_cmd = "systemctl reload ${::apache::params::service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::apache::params::service_name}") certmonger_certificate { $name : ensure => 'present', certfile => $service_certificate, @@ -64,7 +70,7 @@ define tripleo::certmonger::httpd ( hostname => $hostname, dnsname => $dnsnames_real, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, tag => 'apache-cert', diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp index 0b2dd6a..37af82c 100644 --- a/manifests/certmonger/mongodb.pp +++ b/manifests/certmonger/mongodb.pp @@ -34,6 +34,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef 
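Review bot: The new `[*postsave_cmd*]` doc block in the first httpd.pp hunk says the default is `systemctl restart ${service name}`, but the fallback added further down is `systemctl reload ${::apache::params::service_name}`; the mysql.pp doc block has the same mismatch with its `systemctl reload` fallback. Reload versus restart matters to an operator checking whether a renewed certificate is actually picked up, so the comment should name the real command, e.g. `# If nothing is given, it will default to: "systemctl reload ${service name}"`. The haproxy doc block describes the command as running once the certificate is renewed, so "after requesting a certificate" would be more consistent as "after the certificate is saved".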
@@ -44,12 +49,13 @@ class tripleo::certmonger::mongodb ( $service_key, $service_pem, $certmonger_ca = hiera('certmonger_ca', 'local'), + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger include ::mongodb::params - $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::mongodb::params::service_name}") certmonger_certificate { 'mongodb' : ensure => 'present', certfile => $service_certificate, @@ -57,7 +63,7 @@ class tripleo::certmonger::mongodb ( hostname => $hostname, dnsname => $hostname, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp index 0988c55..ae408b6 100644 --- a/manifests/certmonger/mysql.pp +++ b/manifests/certmonger/mysql.pp @@ -37,6 +37,11 @@ # This parameter can take both a string or an array of strings. # Defaults to $hostname # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # (Optional) The haproxy service principal that is set for MySQL in kerberos. # Defaults to undef @@ -47,12 +52,13 @@ class tripleo::certmonger::mysql ( $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), $dnsnames = $hostname, + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger include ::mysql::params - $postsave_cmd = "systemctl reload ${::mysql::params::server_service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::mysql::params::server_service_name}") certmonger_certificate { 'mysql' : ensure => 'present', certfile => $service_certificate, 
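Review bot: `$postsave_cmd` is added untyped and unvalidated in the `@@ -44,12 +49,13 @@` hunk, and the same applies to the httpd, mysql, rabbitmq and haproxy manifests; whatever hiera supplies is handed to certmonger as a command, which it runs with the privileges of the requesting client, normally root under a Puppet agent. A check such as `validate_string($postsave_cmd_real)` after the `pick()` would reject arrays or hashes early, and the parameter docs should state that the value is executed as a privileged command, so the hiera data carrying it needs the same protection as the manifests. Note also that `pick()` skips empty strings, so passing `''` cannot be used to disable the post-save command; say so in the doc block if that is intended.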
@@ -60,7 +66,7 @@ class tripleo::certmonger::mysql ( hostname => $hostname, dnsname => $dnsnames, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 4a47938..15b1fc3 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -31,6 +31,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*postsave_cmd*] +# (Optional) Specifies the command to execute after requesting a certificate. +# If nothing is given, it will default to: "systemctl restart ${service name}" +# Defaults to undef. +# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef @@ -40,12 +45,13 @@ class tripleo::certmonger::rabbitmq ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $postsave_cmd = undef, $principal = undef, ) { include ::certmonger include ::rabbitmq::params - $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}" + $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}") certmonger_certificate { 'rabbitmq' : ensure => 'present', certfile => $service_certificate, @@ -53,7 +59,7 @@ class tripleo::certmonger::rabbitmq ( hostname => $hostname, dnsname => $hostname, principal => $principal, - postsave_cmd => $postsave_cmd, + postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 2ac4b6e..c3dde96 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp 
@@ -38,11 +38,21 @@ # it will create. # Defaults to hiera('apache_certificate_specs', {}). # +# [*apache_postsave_cmd*] +# (Optional) If set, it overrides the default way to restart apache when the +# certificate is renewed. +# Defaults to undef +# # [*haproxy_certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. # Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). # +# [*haproxy_postsave_cmd*] +# (Optional) If set, it overrides the default way to restart haproxy when the +# certificate is renewed. +# Defaults to undef +# # [*libvirt_certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -70,7 +80,9 @@ # class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), + $apache_postsave_cmd = undef, $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $haproxy_postsave_cmd = undef, $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), @@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user ( unless empty($apache_certificates_specs) { include ::tripleo::certmonger::apache_dirs - ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) + ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs, + {'postsave_cmd' => $apache_postsave_cmd}) } unless empty($libvirt_certificates_specs) { include ::tripleo::certmonger::libvirt_dirs 
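Review bot: The hash passed as the third argument of `ensure_resources` in the `@@ -94,7 +106,8 @@` hunk acts as defaults, so a `postsave_cmd` key inside an entry of `$apache_certificates_specs` takes precedence over `$apache_postsave_cmd`; the haproxy call in the following hunk behaves the same way. That contradicts the new doc text "If set, it overrides the default way to restart apache", and for haproxy it is likely to matter because `postsave_cmd` was a required parameter before this commit, so existing specs probably still carry it. Either document the parameter as a fallback, e.g. `# (Optional) Post-save command used for certificates whose spec does not set postsave_cmd.`, or apply it on top of each spec before the call. The class body continues outside the hunk.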
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user ( } unless empty($haproxy_certificates_specs) { include ::tripleo::certmonger::haproxy_dirs - ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) + ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs, + {'postsave_cmd' => $haproxy_postsave_cmd}) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> |