summaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-13 14:09:36 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-13 15:15:33 +0200
commitbee651abcb5f604fc0c4e11e45da65412c9af023 (patch)
treed131482584139ea464640ba46ce67d4119afc2d6 /manifests
parent8a6e4c7b99437d8d358b2637dc4ed81b82bfdac5 (diff)
HAProxy: Refactor certificate retrieval bits
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/haproxy.pp13
-rw-r--r--manifests/profile/base/haproxy.pp22
2 files changed, 14 insertions, 21 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 3b8fd09..6668440 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
){
+ include ::certmonger
include ::haproxy::params
+ # This is only needed for certmonger's local CA. For any other CA this
+ # operation (trusting the CA) should be done by the deployer.
+ if $certmonger_ca == 'local' {
+ class { '::tripleo::certmonger::ca::local':
+ notify => Class['::tripleo::haproxy']
+ }
+ }
+
certmonger_certificate { "${title}-cert":
+ ensure => 'present',
+ ca => $certmonger_ca,
hostname => $hostname,
dnsname => $hostname,
certfile => $service_certificate,
keyfile => $service_key,
postsave_cmd => $postsave_cmd,
principal => $principal,
+ wait => true,
+ require => Class['::certmonger'],
}
concat { $service_pem :
ensure => present,
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index f16ec1b..8568b28 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -32,10 +32,6 @@
# principal: "haproxy/<undercloud fqdn>"
# Defaults to {}.
#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
# [*enable_load_balancer*]
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
@@ -55,7 +51,6 @@
#
class tripleo::profile::base::haproxy (
$certificates_specs = {},
- $certmonger_ca = hiera('certmonger_ca', 'local'),
$enable_load_balancer = hiera('enable_load_balancer', true),
$generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
@@ -63,22 +58,7 @@ class tripleo::profile::base::haproxy (
if $step >= 1 {
if $enable_load_balancer {
if str2bool($generate_service_certificates) {
- include ::certmonger
- # This is only needed for certmonger's local CA. For any other CA this
- # operation (trusting the CA) should be done by the deployer.
- if $certmonger_ca == 'local' {
- class { '::tripleo::certmonger::ca::local':
- notify => Class['::tripleo::haproxy']
- }
- }
-
- Certmonger_certificate {
- ca => $certmonger_ca,
- ensure => 'present',
- wait => true,
- require => Class['::certmonger'],
- }
- create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
+ ensure_resources('tripleo::certmonger::haproxy', $certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>