summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-08-21 11:42:06 +0000
committerGerrit Code Review <review@openstack.org>2017-08-21 11:42:06 +0000
commit1dc48e6b9443f8433862901ba328d043ac1d1fbf (patch)
treeeecd349005bb657693f67bfcac56ec13eab34d21
parent207b1ea97b572aefad0a567a978e6bd6172e2b89 (diff)
parent095d130f9dbadb698c2c349819e754a907455ee0 (diff)
Merge "Certmonger: Make postsave command configurable"
-rw-r--r--manifests/certmonger/haproxy.pp13
-rw-r--r--manifests/certmonger/httpd.pp10
-rw-r--r--manifests/certmonger/mongodb.pp10
-rw-r--r--manifests/certmonger/mysql.pp10
-rw-r--r--manifests/certmonger/rabbitmq.pp10
-rw-r--r--manifests/profile/base/certmonger_user.pp18
6 files changed, 55 insertions, 16 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index d4f4ad2..819348d 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -32,10 +32,6 @@
# The hostname that certmonger will use as the common name for the
# certificate.
#
-# [*postsave_cmd*]
-# The post-save-command that certmonger will use once it renews the
-# certificate.
-#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
@@ -48,15 +44,19 @@
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
+# [*postsave_cmd*]
+# The post-save-command that certmonger will use once it renews the
+# certificate.
+#
define tripleo::certmonger::haproxy (
$service_pem,
$service_certificate,
$service_key,
$hostname,
- $postsave_cmd,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = undef,
$principal = undef,
+ $postsave_cmd = undef,
){
include ::certmonger
include ::haproxy::params
@@ -74,6 +74,7 @@ define tripleo::certmonger::haproxy (
$dnsnames_real = $hostname
}
+ $postsave_cmd_real = pick($postsave_cmd, 'systemctl reload haproxy')
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
@@ -81,7 +82,7 @@ define tripleo::certmonger::haproxy (
dnsname => $dnsnames_real,
certfile => $service_certificate,
keyfile => $service_key,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
principal => $principal,
wait => true,
tag => 'haproxy-cert',
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index e9754f7..1b57984 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -36,6 +36,11 @@
# in the certificate. If left unset, the value will be set to the $hostname.
# Defaults to undef
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
@@ -45,6 +50,7 @@ define tripleo::certmonger::httpd (
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = undef,
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
@@ -56,7 +62,7 @@ define tripleo::certmonger::httpd (
$dnsnames_real = $hostname
}
- $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::apache::params::service_name}")
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
@@ -64,7 +70,7 @@ define tripleo::certmonger::httpd (
hostname => $hostname,
dnsname => $dnsnames_real,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
tag => 'apache-cert',
diff --git a/manifests/certmonger/mongodb.pp b/manifests/certmonger/mongodb.pp
index 0b2dd6a..37af82c 100644
--- a/manifests/certmonger/mongodb.pp
+++ b/manifests/certmonger/mongodb.pp
@@ -34,6 +34,11 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
@@ -44,12 +49,13 @@ class tripleo::certmonger::mongodb (
$service_key,
$service_pem,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
include ::mongodb::params
- $postsave_cmd = "systemctl restart ${::mongodb::params::service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::mongodb::params::service_name}")
certmonger_certificate { 'mongodb' :
ensure => 'present',
certfile => $service_certificate,
@@ -57,7 +63,7 @@ class tripleo::certmonger::mongodb (
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index 0988c55..ae408b6 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -37,6 +37,11 @@
# This parameter can take both a string or an array of strings.
# Defaults to $hostname
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
@@ -47,12 +52,13 @@ class tripleo::certmonger::mysql (
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = $hostname,
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
include ::mysql::params
- $postsave_cmd = "systemctl reload ${::mysql::params::server_service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::mysql::params::server_service_name}")
certmonger_certificate { 'mysql' :
ensure => 'present',
certfile => $service_certificate,
@@ -60,7 +66,7 @@ class tripleo::certmonger::mysql (
hostname => $hostname,
dnsname => $dnsnames,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 4a47938..15b1fc3 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,6 +31,11 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
@@ -40,12 +45,13 @@ class tripleo::certmonger::rabbitmq (
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $postsave_cmd = undef,
$principal = undef,
) {
include ::certmonger
include ::rabbitmq::params
- $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}"
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}")
certmonger_certificate { 'rabbitmq' :
ensure => 'present',
certfile => $service_certificate,
@@ -53,7 +59,7 @@ class tripleo::certmonger::rabbitmq (
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
- postsave_cmd => $postsave_cmd,
+ postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 2ac4b6e..c3dde96 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -38,11 +38,21 @@
# it will create.
# Defaults to hiera('apache_certificate_specs', {}).
#
+# [*apache_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart apache when the
+# certificate is renewed.
+# Defaults to undef
+#
# [*haproxy_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
#
+# [*haproxy_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart haproxy when the
+# certificate is renewed.
+# Defaults to undef
+#
# [*libvirt_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -70,7 +80,9 @@
#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
+ $apache_postsave_cmd = undef,
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $haproxy_postsave_cmd = undef,
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
@@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user (
unless empty($apache_certificates_specs) {
include ::tripleo::certmonger::apache_dirs
- ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+ ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs,
+ {'postsave_cmd' => $apache_postsave_cmd})
}
unless empty($libvirt_certificates_specs) {
include ::tripleo::certmonger::libvirt_dirs
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user (
}
unless empty($haproxy_certificates_specs) {
include ::tripleo::certmonger::haproxy_dirs
- ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+ ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
+ {'postsave_cmd' => $haproxy_postsave_cmd})
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>