author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-08-23 12:20:20 +0300 |
---|---|---|
committer | Emilien Macchi <emilien@redhat.com> | 2017-08-30 15:56:50 +0000 |
commit | eae8fb5186369e53da3d9003cb0161c518f1188a (patch) | |
tree | 5af32dd9aa27d169528b937e7615e05104aee566 /manifests | |
parent | aaeace8c72ad7e9ea540c7055f0e16e2ed797f58 (diff) |
HAProxy: Make certmonger bundle the cert and key on renewal
The postsave command is run by certmonger when a certificate is
requested (which will happen on certificate renewal). The previous
command given didn't take into account the file that haproxy expects,
which is a bundled PEM file with both the certificate and the key. Thus,
certmonger would have never generated a new bundle that haproxy would
use, resulting in haproxy always having an old bundle after certificate
expiration.
This fixes that.
Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
Closes-Bug: #1712514
(cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/haproxy.pp | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 266054f..97efe59 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -74,7 +74,20 @@ define tripleo::certmonger::haproxy ( $dnsnames_real = $hostname } - $postsave_cmd_real = pick($postsave_cmd, 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi') + if $certmonger_ca == 'local' { + $ca_fragment = $ca_pem + } else { + $ca_fragment = '' + } + + $concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}" + if $postsave_cmd { + $postsave_cmd_real = "${concat_pem} && ${postsave_cmd}" + } else { + $reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi' + $postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}" + } + certmonger_certificate { "${title}-cert": ensure => 'present', ca => $certmonger_ca, |
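Review bot: The new `$concat_pem` command writes the bundle with a plain `>` redirect straight into `${service_pem}`, so the file haproxy reads is truncated first and then filled in place. If `cat` fails part-way (for example because `${service_key}` is missing at that moment), the `&&` correctly skips the reload, but a truncated or partial bundle stays on disk and is what the next haproxy restart will load. Consider writing to a temporary file in the same directory and renaming it over `${service_pem}` only after `cat` succeeds. The bundle also contains the private key, and nothing in the command sets its mode or owner, so a newly created file gets whatever umask the postsave command runs under; setting restrictive permissions explicitly on the temporary file before the rename would close that gap. Two smaller points: the paths are interpolated unquoted into the shell string, and a caller-supplied `$postsave_cmd` used to replace the default entirely but now always has the bundling step prepended. The diffstat shows only this one hunk, so the parameter's documentation does not yet describe that change in behaviour.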