authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-13 14:21:17 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-14 12:17:44 +0200
commitf3c157318d7797a42a8ccb57e8d38be288c67fbf (patch)
treeaf252d375a14a413a856f7b2ae6ff50b4d6b7f5f
parentbee651abcb5f604fc0c4e11e45da65412c9af023 (diff)
Create profile to request certificates for the services in the node
This profile will specifically be used to create all the certificates required in the node. These are fetched from hiera and will be run in the first step of the overcloud deployment and in the undercloud. The reasoning for this is that, with services moving to containers, we can't yet do these requests for certificates within the containers for the specific services. This is because the containers won't have credentials to the CA, while the baremetal node does. So instead we still do this on the baremetal node, and will subsequently bind mount the certificates to the containers that need them. Also, this gives us flexibility since this approach still works for the baremetal case. There will be a subsequent commit removing the certificate requests from the service-specific profiles. Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
-rw-r--r--manifests/profile/base/certmonger_user.pp77
1 files changed, 77 insertions, 0 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
new file mode 100644
index 0000000..586c7e4
--- /dev/null
+++ b/manifests/profile/base/certmonger_user.pp
@@ -0,0 +1,77 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == class: tripleo::profile::base::certmonger_user
+#
+# Profile that ensures that the relevant certmonger certificates have been
+# requested. The certificates come from the hiera set by the specific profiles
+# and come in a pre-defined format.
+# For a service that has several certificates (one per network name):
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "HTTP/<overcloud controller fqdn>"
+# For a service that uses a single certificate:
+# mysql_certificates_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+#
+# === Parameters
+#
+# [*apache_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*haproxy_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
+#
+# [*mysql_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*rabbitmq_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
+#
+class tripleo::profile::base::certmonger_user (
+ $apache_certificates_specs = hiera('apache_certificates_specs', {}),
+ $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+ $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+) {
+ unless empty($apache_certificates_specs) {
+ ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+ }
+ unless empty($haproxy_certificates_specs) {
+ ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+ # The haproxy fronends (or listen resources) depend on the certificate
+ # existing and need to be refreshed if it changed.
+ Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
+ }
+ unless empty($mysql_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
+ }
+ unless empty($rabbitmq_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
+ }
+}
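Review bot: The documented hiera defaults for the first two parameters do not match the lookups in the class signature: the header says `hiera('apache_certificate_specs', {})` and `hiera('tripleo::profile::base::haproxy::certificate_specs', {})`, while the parameter list reads `apache_certificates_specs` and `tripleo::profile::base::haproxy::certificates_specs`. Because every lookup falls back to `{}` and the `unless empty(...)` guards then skip the request, a wrong key is never an error — the profile silently requests no certificate and the TLS-terminating service is left without one, so the docs should name exactly the keys the code uses (the code keys look like the intended ones, given the usage example above also shows `apache_certificates_specs:`). The comment on the haproxy chain also has a typo, `# The haproxy fronends (or listen resources) depend on the certificate` should read `frontends`.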