author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-18 15:48:02 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-18 15:48:02 +0300 |
commit | 6990da87c36158677d2c1f78405f45c86e915767 (patch) | |
tree | 019023f50dd505a58f9aa73fad0d17d6dc79766d /manifests | |
parent | 7567c71e4780b3508b752efe99f5215094f2c141 (diff) |
Enable setting SubjectaltNames for haproxy and httpd certs
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.
Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/haproxy.pp | 14 | ||||
-rw-r--r-- | manifests/certmonger/httpd.pp | 14 |
2 files changed, 26 insertions, 2 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 6668440..a5d1bf8 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -40,6 +40,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# Defaults to undef +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # @@ -50,6 +55,7 @@ define tripleo::certmonger::haproxy ( $hostname, $postsave_cmd, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = undef, $principal = undef, ){ include ::certmonger @@ -62,11 +68,17 @@ define tripleo::certmonger::haproxy ( } } + if $dnsnames { + $dnsnames_real = $dnsnames + } else { + $dnsnames_real = $hostname + } + certmonger_certificate { "${title}-cert": ensure => 'present', ca => $certmonger_ca, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames_real, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index 74c0b5a..e9754f7 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -31,6 +31,11 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# Defaults to undef +# # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # 
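Review bot: The new `[*dnsnames*]` description in haproxy.pp does not say whether the parameter takes a single name, an array of names, or either, although the commit message implies several names per certificate. Since the value is handed unchanged to `dnsname =>`, the accepted shape should be documented where operators will read it, for example `# Accepts a single DNS name or an array of DNS names.`, once that is confirmed against the `certmonger_certificate` type, which is not visible in this diff. The identical comment block added in the first hunk of httpd.pp needs the same sentence.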
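Review bot: In the `if $dnsnames` block of the third haproxy.pp hunk, a caller-supplied list replaces `$hostname` in the SAN entry instead of extending it. `$hostname` then survives only in `hostname =>`, presumably the subject, and clients that match on subjectAltName alone would reject the certificate for that name. On Puppet 4 and later an empty array or empty string is also truthy, so `dnsnames => []` would request a certificate with no SAN at all. If puppetlabs-stdlib is available to this module, the true branch could keep the primary name with `$dnsnames_real = unique(concat([$hostname], $dnsnames))`. Otherwise the parameter doc should state that `$hostname` must be repeated in the list; the same block in the second httpd.pp hunk has the same behaviour.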
@@ -39,18 +44,25 @@ define tripleo::certmonger::httpd ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = undef, $principal = undef, ) { include ::certmonger include ::apache::params + if $dnsnames { + $dnsnames_real = $dnsnames + } else { + $dnsnames_real = $hostname + } + $postsave_cmd = "systemctl reload ${::apache::params::service_name}" certmonger_certificate { $name : ensure => 'present', certfile => $service_certificate, keyfile => $service_key, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames_real, principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, |