diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-07-22 11:24:31 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-07-22 11:37:57 +0300 |
commit | 4a88abb84422ffd871ac34d108cbb547d7343e4d (patch) | |
tree | ec7384a1cd547f1ed56fdad15f0f917adfb0a1df | |
parent | 964526ba48fb8135f283dcd29d0c8a1ae3bec364 (diff) |
Generate HAProxy certificates in base profile
This gives the option to generate the service certificate(s) that
HAProxy will use. This will be used for both the overcloud and the
undercloud.
bp tls-via-certmonger
Change-Id: I3d0b729d0bad5252c1ae8852109c3a70c0c6ba7d
-rw-r--r-- | manifests/profile/base/haproxy.pp | 50 |
1 files changed, 48 insertions, 2 deletions
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index 31a5415..8e73ce3 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -27,13 +27,59 @@ # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). # +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# tripleo::profile::base::haproxy::certificates_specs: +# undercloud-haproxy-public-cert: +# service_pem: <haproxy ready pem file> +# service_certificate: <service certificate path> +# service_key: <service key path> +# hostname: <undercloud fqdn> +# postsave_cmd: <command to update certificate on resubmit> +# principal: "haproxy/<undercloud fqdn>" +# Defaults to {}. +# class tripleo::profile::base::haproxy ( - $enable_load_balancer = hiera('enable_load_balancer', true), - $step = hiera('step'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $step = hiera('step'), + $generate_service_certificates = hiera('generate_service_certificates', false), + $certmonger_ca = hiera('certmonger_ca', 'local'), + $certificates_specs = {}, ) { if $step >= 1 { if $enable_load_balancer { + if str2bool($generate_service_certificates) { + include ::certmonger + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. + if $certmonger_ca == 'local' { + include ::tripleo::certmonger::ca::local + } + + Certmonger_certificate { + ca => $certmonger_ca, + ensure => 'present', + wait => true, + require => Class['::certmonger'], + } + create_resources('::tripleo::certmonger::haproxy', $certificates_specs) + } + include ::tripleo::haproxy } } |