diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-03-13 14:09:36 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-03-13 15:15:33 +0200 |
commit | bee651abcb5f604fc0c4e11e45da65412c9af023 (patch) | |
tree | d131482584139ea464640ba46ce67d4119afc2d6 /manifests | |
parent | 8a6e4c7b99437d8d358b2637dc4ed81b82bfdac5 (diff) |
HAProxy: Refactor certificate retrieval bits
This moves the certificate request bits to simplify the profile and move
the logic to the HAProxy/certmonger specific manifest.
This is a small iteration on the effort to separate the certificate
retrieval to its own manifest since this part won't be containerized
yet.
Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/haproxy.pp | 13 | ||||
-rw-r--r-- | manifests/profile/base/haproxy.pp | 22 |
2 files changed, 14 insertions, 21 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 3b8fd09..6668440 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy ( $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, ){ + include ::certmonger include ::haproxy::params + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. + if $certmonger_ca == 'local' { + class { '::tripleo::certmonger::ca::local': + notify => Class['::tripleo::haproxy'] + } + } + certmonger_certificate { "${title}-cert": + ensure => 'present', + ca => $certmonger_ca, hostname => $hostname, dnsname => $hostname, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, principal => $principal, + wait => true, + require => Class['::certmonger'], } concat { $service_pem : ensure => present, diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index f16ec1b..8568b28 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -32,10 +32,6 @@ # principal: "haproxy/<undercloud fqdn>" # Defaults to {}. # -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# # [*enable_load_balancer*] # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). @@ -55,7 +51,6 @@ # class tripleo::profile::base::haproxy ( $certificates_specs = {}, - $certmonger_ca = hiera('certmonger_ca', 'local'), $enable_load_balancer = hiera('enable_load_balancer', true), $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), @@ -63,22 +58,7 @@ class tripleo::profile::base::haproxy ( if $step >= 1 { if $enable_load_balancer { if str2bool($generate_service_certificates) { - include ::certmonger - # This is only needed for certmonger's local CA. For any other CA this - # operation (trusting the CA) should be done by the deployer. - if $certmonger_ca == 'local' { - class { '::tripleo::certmonger::ca::local': - notify => Class['::tripleo::haproxy'] - } - } - - Certmonger_certificate { - ca => $certmonger_ca, - ensure => 'present', - wait => true, - require => Class['::certmonger'], - } - create_resources('::tripleo::certmonger::haproxy', $certificates_specs) + ensure_resources('tripleo::certmonger::haproxy', $certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> |