authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-07-13 12:27:23 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-10-19 17:37:32 +0300
commit76bf2f532f9541eaf9cd7242ad2bf520f6788033 (patch)
treea324b63a3e9de8e21ecc0c0e7b5368b1be726d19 /manifests/certmonger
parente86706f0f6c589ed8baeb9616b128a738b330a94 (diff)
Enable TLS in the internal network for keystone
This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that serves the keystone service will use certmonger to request its certificate. This, in turn, should also configure a command that is run when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
Diffstat (limited to 'manifests/certmonger')
-rw-r--r--manifests/certmonger/httpd.pp62
1 files changed, 62 insertions, 0 deletions
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
new file mode 100644
index 0000000..94b48b7
--- /dev/null
+++ b/manifests/certmonger/httpd.pp
@@ -0,0 +1,62 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::httpd
+#
+# Request a certificate for the httpd service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+# The haproxy service principal that is set for HAProxy in kerberos.
+#
+define tripleo::certmonger::httpd (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::apache::params
+
+ $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+ certmonger_certificate { $name :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+
+ Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
+}
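Review bot: The `[*principal*]` documentation in this hunk describes "The haproxy service principal that is set for HAProxy in kerberos", but this define requests the httpd certificate, so the comment is a copy-paste leftover and misleads readers into passing the wrong principal; it should read `# (Optional) The kerberos service principal for httpd, set as the certificate's principal.` followed by `# Defaults to undef.`. The `certmonger_certificate` resource sets `certfile` and `keyfile` paths but no owner or mode for the private key, so whether the key ends up readable only by root or the httpd user depends on defaults outside this hunk; a short comment stating the expected ownership and permissions of `$service_key` would let a reviewer confirm the key is not readable by other local users. The commit message says a certificate refresh requires the service to be restarted, while `$postsave_cmd` issues `systemctl reload`; a one-line comment noting that a reload is sufficient for httpd to pick up the new certificate would reconcile the two.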