aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-07-22 11:24:31 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-07-22 11:37:57 +0300
commit4a88abb84422ffd871ac34d108cbb547d7343e4d (patch)
treeec7384a1cd547f1ed56fdad15f0f917adfb0a1df
parent964526ba48fb8135f283dcd29d0c8a1ae3bec364 (diff)
Generate HAProxy certificates in base profile
This gives the option to generate the service certificate(s) that HAProxy will use. This will be used for both the overcloud and the undercloud. bp tls-via-certmonger Change-Id: I3d0b729d0bad5252c1ae8852109c3a70c0c6ba7d
-rw-r--r--manifests/profile/base/haproxy.pp50
1 files changed, 48 insertions, 2 deletions
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 31a5415..8e73ce3 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -27,13 +27,59 @@
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# tripleo::profile::base::haproxy::certificates_specs:
+# undercloud-haproxy-public-cert:
+# service_pem: <haproxy ready pem file>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# hostname: <undercloud fqdn>
+# postsave_cmd: <command to update certificate on resubmit>
+# principal: "haproxy/<undercloud fqdn>"
+# Defaults to {}.
+#
class tripleo::profile::base::haproxy (
- $enable_load_balancer = hiera('enable_load_balancer', true),
- $step = hiera('step'),
+ $enable_load_balancer = hiera('enable_load_balancer', true),
+ $step = hiera('step'),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $certificates_specs = {},
) {
if $step >= 1 {
if $enable_load_balancer {
+ if str2bool($generate_service_certificates) {
+ include ::certmonger
+ # This is only needed for certmonger's local CA. For any other CA this
+ # operation (trusting the CA) should be done by the deployer.
+ if $certmonger_ca == 'local' {
+ include ::tripleo::certmonger::ca::local
+ }
+
+ Certmonger_certificate {
+ ca => $certmonger_ca,
+ ensure => 'present',
+ wait => true,
+ require => Class['::certmonger'],
+ }
+ create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
+ }
+
include ::tripleo::haproxy
}
}