aboutsummaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-08-23 12:20:20 +0300
committerEmilien Macchi <emilien@redhat.com>2017-08-30 15:56:50 +0000
commiteae8fb5186369e53da3d9003cb0161c518f1188a (patch)
tree5af32dd9aa27d169528b937e7615e05104aee566 /manifests
parentaaeace8c72ad7e9ea540c7055f0e16e2ed797f58 (diff)
HAProxy: Make certmonger bundle the cert and key on renewal
the postsave command is ran by certmonger when a certificate is requested (which will happen on certificate renewal). The previous command given didn't take into account the file that haproxy expects, which is a bundled PEM file with both the certificate and the key. Thus, certmonger would have never generated a new bundle that haproxy would use, resulting in haproxy always having an old bundle after certificate expiration. This fixes that. Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62 Closes-Bug: #1712514 (cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
Diffstat (limited to 'manifests')
-rw-r--r--manifests/certmonger/haproxy.pp15
1 files changed, 14 insertions, 1 deletions
diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 266054f..97efe59 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -74,7 +74,20 @@ define tripleo::certmonger::haproxy (
$dnsnames_real = $hostname
}
- $postsave_cmd_real = pick($postsave_cmd, 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi')
+ if $certmonger_ca == 'local' {
+ $ca_fragment = $ca_pem
+ } else {
+ $ca_fragment = ''
+ }
+
+ $concat_pem = "cat ${service_certificate} ${ca_fragment} ${service_key} > ${service_pem}"
+ if $postsave_cmd {
+ $postsave_cmd_real = "${concat_pem} && ${postsave_cmd}"
+ } else {
+ $reload_haproxy_cmd = 'if systemctl -q is-active haproxy; then systemctl reload haproxy; else true; fi'
+ $postsave_cmd_real = "${concat_pem} && ${reload_haproxy_cmd}"
+ }
+
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,