| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The haproxy certmonger resource (which requests the HAProxy certs)
expected the haproxy puppet manifests to run alongside if we're using a
local CA. This is no longer the case in containerized environments, e.g.
the containerized undercloud. This makes that optional.
Change-Id: I2764ca1674dcd5ecd7886233bb5e9795ee697be3
(cherry picked from commit abd7a9486d8fb5cad7f6f0b48a466597f1d1bf71)
|
|
the postsave command is ran by certmonger when a certificate is
requested (which will happen on certificate renewal). The previous
command given didn't take into account the file that haproxy expects,
which is a bundled PEM file with both the certificate and the key. Thus,
certmonger would have never generated a new bundle that haproxy would
use, resulting in haproxy always having an old bundle after certificate
expiration.
This fixes that.
Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
Closes-Bug: #1712514
(cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
|
|
Previously, certmonger tried to reload haproxy every time after a
certificate is requested. This is useful for certificate resubmits or
renewals. However, it turned out problematic on installation, when
haproxy is not yet active, as it would try many times and end up having
a race-condition with puppet.
This checks if haproxy is active and only then will it attempt to reload
it.
Change-Id: I51f9cccb5d1518a9647778e7bf6f9426a02ceb60
Closes-Bug: #1712377
(cherry picked from commit 351ab932514f13d7a139b0b41fdc4f6f7e990c8f)
|
|
We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.
This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.
bp tls-via-certmonger-containers
Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
|
|
In a containerized environment the haproxy class might not be defined,
so this was made optional. On the other hand, this also retrieves the
CRL before any certmonger_certificate resources are created.
bp tls-via-certmonger-containers
Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
|
|
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
|
|
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.
Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
|
|
This moves the certificate request bits to simplify the profile and move
the logic to the HAProxy/certmonger specific manifest.
This is a small iteration on the effort to separate the certificate
retrieval to its own manifest since this part won't be containerized
yet.
Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
|
|
In order for the browser to trust the certificate served by HAProxy
we need to include the CA cert in the PEM file that the endpoints
serve.
Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
Closes-Bug: #1639807
|
|
Installing the undercloud with generate_service_certificate=True
fails if HAProxy is not pre-installed. This is due to missing
dependency setting on our puppet manifests. We need to specify that
the PEM file needs to be written only if the haproxy user and group
exist (which comes from the package) and that the haproxy frontend
configuration needs to be notified if there are changes in the
certificates.
Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b
Closes-Bug: #1623805
|
|
This sets the subject alt name field for the certificates we
auto-generate, which will remove the security warnings we constantly
see in the undercloud. This is the proper way to set certificates,
since the usage of the CN as a replacement for the subjectAltName is
being deprecated (very slowly).
Change-Id: I475cbffd47425e850902838eec06bf461df2acd0
Closes-Bug: #1622446
|
|
The principal is needed for kerberos-based solutions like FreeIPA.
bp tls-via-certmonger
Change-Id: Ie27848f522d11135b061aef766de2b696c77fcb9
|
|
This resource will be used in both the overcloud and the undercloud,
and can be called in several instances (for public-facing or
internal-facing certificates).
bp tls-via-certmonger
Change-Id: I0410fe0dbbed97d16909e911f7318d78a5bd7d7b
|
Juan Antonio Osorio Robles