diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-03-13 14:21:17 +0200 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-03-14 12:17:44 +0200 |
| commit | f3c157318d7797a42a8ccb57e8d38be288c67fbf (patch) | |
| tree | af252d375a14a413a856f7b2ae6ff50b4d6b7f5f | |
| parent | bee651abcb5f604fc0c4e11e45da65412c9af023 (diff) | |
Create profile to request certificates for the services in the node
This profile will specifically be used to create all the certificates
required in the node. These are fetched from hiera and will be ran in
the first step of the overcloud deployment and in the undercloud.
The reasoning for this is that, with services moving to containers, we
can't yet do these requests for certificates within the containers for
the specific services. this is because the containers won't have
credentials to the CA, while the baremetal node does. So instead we
still do this on the baremetal node, and will subsequently bind mount
the certificates to the containers that need them. Also, this gives us
flexibility since this approach still works for the baremetal case.
There will be a subsequent commit removing the certificate requests from
the service-specific profiles.
Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
| -rw-r--r-- | manifests/profile/base/certmonger_user.pp | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp new file mode 100644 index 0000000..586c7e4 --- /dev/null +++ b/manifests/profile/base/certmonger_user.pp @@ -0,0 +1,77 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == class: tripleo::profile::base::certmonger_user +# +# Profile that ensures that the relevant certmonger certificates have been +# requested. The certificates come from the hiera set by the specific profiles +# and come in a pre-defined format. +# For a service that has several certificates (one per network name): +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "HTTP/<overcloud controller fqdn>" +# For a service that uses a single certificate: +# mysql_certificates_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# +# === Parameters +# +# [*apache_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*haproxy_certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}). +# +# [*mysql_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*rabbitmq_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}). +# +class tripleo::profile::base::certmonger_user ( + $apache_certificates_specs = hiera('apache_certificates_specs', {}), + $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), + $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), +) { + unless empty($apache_certificates_specs) { + ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) + } + unless empty($haproxy_certificates_specs) { + ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) + # The haproxy fronends (or listen resources) depend on the certificate + # existing and need to be refreshed if it changed. + Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> + } + unless empty($mysql_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs) + } + unless empty($rabbitmq_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs) + } +} |