path: root/manifests/certmonger
AgeCommit message (Collapse)AuthorFilesLines
2017-11-04Certmonger: Only notify haproxy class if it's definedJuan Antonio Osorio Robles1-2/+3
The haproxy certmonger resource (which requests the HAProxy certs) expected the haproxy puppet manifests to run alongside if we're using a local CA. This is no longer the case in containerized environments, e.g. the containerized undercloud. This makes that optional. Change-Id: I2764ca1674dcd5ecd7886233bb5e9795ee697be3 (cherry picked from commit abd7a9486d8fb5cad7f6f0b48a466597f1d1bf71)
2017-09-05Use TLS proxy for Redis' internal TLSMartin André1-0/+72
This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
2017-08-30HAProxy: Make certmonger bundle the cert and key on renewalJuan Antonio Osorio Robles1-1/+14
the postsave command is ran by certmonger when a certificate is requested (which will happen on certificate renewal). The previous command given didn't take into account the file that haproxy expects, which is a bundled PEM file with both the certificate and the key. Thus, certmonger would have never generated a new bundle that haproxy would use, resulting in haproxy always having an old bundle after certificate expiration. This fixes that. Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62 Closes-Bug: #1712514 (cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
2017-08-30Certmonger: Only attempt to reload haproxy is it's activeJuan Antonio Osorio Robles1-1/+1
Previously, certmonger tried to reload haproxy every time after a certificate is requested. This is useful for certificate resubmits or renewals. However, it turned out problematic on installation, when haproxy is not yet active, as it would try many times and end up having a race-condition with puppet. This checks if haproxy is active and only then will it attempt to reload it. Change-Id: I51f9cccb5d1518a9647778e7bf6f9426a02ceb60 Closes-Bug: #1712377 (cherry picked from commit 351ab932514f13d7a139b0b41fdc4f6f7e990c8f)
2017-08-25Add /bin to PATH for CRL cronjobJuan Antonio Osorio Robles1-1/+1
Checking the root's mail (/var/mail/root) I finally saw the root cause of the CRL cronjob not working. /bin/sh: curl: command not found now, curl, (and most commands used by that cronjob) is in the /bin bash, so we need to add it to the environment's PATH for the cronjob. Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2 Closes-Bug: #1712404 (cherry picked from commit 139ac85028947f476a085e89bd54f3dfacd886cf)
2017-08-24Merge "TLS-everywhere/libvirt: Make postsave command configurable"Jenkins1-2/+8
2017-08-24TLS-everywhere/libvirt: Make postsave command configurableJuan Antonio Osorio Robles1-2/+8
This is requires for when libvirt is running over a container, since we shouldn't try to restart the libvirt process, but the container itself. bp tls-via-certmonger-containers Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
2017-08-22Add -s (silent) to curl command for CRL refreshJuan Antonio Osorio Robles1-1/+1
Without it, it doesn't reload the services it should. Change-Id: I43e6188700deb585f905ca700e69b6875f0ded45 Closes-Bug: #1712404
2017-08-18Certmonger: Make postsave command configurableJuan Antonio Osorio Robles5-14/+39
We need to make it configurable since these commands don't apply for containerized environments. This way we can restart containers or disable restarting and rely on other means. This stems from the issue that some services get accidentally started by certmonger on containerized environments, which makes the container initialization fail. bp tls-via-certmonger-containers Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
2017-08-11Modify resource dependencies of certmonger_user resourcesJuan Antonio Osorio Robles1-6/+7
In a containerized environment the haproxy class might not be defined, so this was made optional. On the other hand, this also retrieves the CRL before any certmonger_certificate resources are created. bp tls-via-certmonger-containers Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
2017-08-02Ensure directory exists for certificates for haproxyJuan Antonio Osorio Robles2-0/+60
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
2017-07-15Update resource references for dependenciesEmilien Macchi1-1/+1
The latest version of puppet now reports these as catalog failures so this change removes the unnecessary references and the references should be updated. Closes-Bug: #1702964 Change-Id: Iebc547aa92f9f40e4a633c57d79e6c9cddb5dd28
2017-06-27Merge "Change CRL refresh to run every 2 hours"Jenkins1-3/+3
2017-06-26Change CRL refresh to run every 2 hoursJuan Antonio Osorio Robles1-3/+3
The default CA issues CRLs for 4 hours by default. So we need to change these values to reflect this, else we'll get verification issues due to the CRL having expired before its refreshed. However, the nextupdate value for the CRLs might not be aligned with the cron job. And getting this alignment is not entirely trivial. So I opted for updating every 2 hours to address this. Change-Id: I732b400462c5cabd7c6c18c007fc9e8c87b700d3
2017-06-21Allow certmonger mysql resource to use several DNS namesJuan Antonio Osorio Robles1-1/+8
This allows for several SubjectAltNames which will subsequently be used for the replication traffic as well. bp tls-via-certmonger Change-Id: Ic68266eaf39d6803f7c3e299095578bbcfd63b88
2017-06-08Add resource to fetch CRLJuan Antonio Osorio Robles1-0/+149
This will fetch the CRL file from the specified file or URL. Furtherly it will set up a cron job to refresh the crl file once a week and notify the needed services. bp tls-via-certmonger Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-05-17TLS everywhere: Add resources for mongodb's TLS configurationJuan Antonio Osorio Robles1-0/+87
bp tls-via-certmonger Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-0/+73
2017-04-18Enable setting SubjectaltNames for haproxy and httpd certsJuan Antonio Osorio Robles2-2/+26
This enables setting the subjectAltNames for HAProxy and httpd certs. These will eventually replace the usage of many certs, to have instead just one that has several subjectAltNames. Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
2017-04-12Enable internal network TLS for etcdFeng Pan1-0/+73
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11Ensure directory exists for certificates for httpdJuan Antonio Osorio Robles2-0/+56
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-07TLS-everywhere: Add resources for libvirt's cert for live migrationJuan Antonio Osorio Robles3-0/+180
This merely requests the certificates that will be used for libvirt's live migration if TLS-everywhere is enabled. bp tls-via-certmonger Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
2017-04-05Certmonger/rabbitmq: Remove parameter doc for unexisting parameterJuan Antonio Osorio Robles1-4/+0
This parameter was used at some point in the implementation but ended up not being needed in favor of getting this information from the puppet manifest. So it's removed as the parameter doesn't actually exist. Change-Id: I09f4091ee7a2221b26249959ea2927090d36ba0f
2017-03-13HAProxy: Refactor certificate retrieval bitsJuan Antonio Osorio Robles1-0/+13
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2017-03-09Add tests for tripleo::certmonger::rabbitmq classJuan Antonio Osorio Robles1-1/+1
Change-Id: I1668b749779bf812d8f55b695dd138cde7eb09d6
2017-03-09Enable TLS in the internal network for RabbitMQJuan Antonio Osorio Robles1-0/+79
This optionally enables TLS for RabbitMQ in the internal network. Note that this leaves enable_internal_tls as undef instead of using the regular default. This is because we don't want to enable this just now, since we first want to pass the necessary hieradata via t-h-t. This will be cleaned in further commits. bp tls-via-certmonger Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9 Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2017-01-27Fix MySQL service name parameterJuan Antonio Osorio Robles1-3/+3
This was wrongly set to service_name while it should have been server_service_name. Change-Id: Ia802857cc585bb9b057a02f6a13c16981baa5b76
2016-12-09Remove unused variable in certmonger/mysql manifestJuan Antonio Osorio Robles1-10/+0
This was initially meant to select the CN/SubjectAltName based on the network, but this is now instead done in t-h-t. So this ended up being unused. Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e Change-Id: I58c3aee0506469125a7837a27271c2fe18e1dd60
2016-11-29Merge "Include local CA in haproxy PEM"Jenkins1-2/+18
2016-11-25Enable internal TLS for MySQLJuan Antonio Osorio Robles1-0/+84
this adds the necessary code in the manfiest to configure TLS if internal TLS is enabled. this also adds the capability of auto-generating the certificate via certmonger. bp tls-via-certmonger Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-08Include local CA in haproxy PEMJuan Antonio Osorio Robles1-2/+18
In order for the browser to trust the certificate served by HAProxy we need to include the CA cert in the PEM file that the endpoints serve. Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417 Closes-Bug: #1639807
2016-10-19Enable TLS in the internal network for keystoneJuan Antonio Osorio Robles1-0/+62
This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
2016-09-20certmonger: improve orchestration for puppet4Emilien Macchi1-4/+6
The extract-and-trust-ca actually needs /var/lib/certmonger/local/creds file to be created, which is created when certmonger is started, not when package is installed. This patch change the exec dependency to run it only when service is started. Also, since the service create the file, let's relax the Exec a little bit by allowing to retry 5 times after 1s break in case the Exec fails, for example if service takes more than 5 seconds to create this file. It will avoid us some race condition in the deployment. Change-Id: I4cf4a04bddb8f042e8e8f7e1d1b69f846c533e3b
2016-09-15Fix dependencies for HAProxy when certmonger is usedJuan Antonio Osorio Robles1-4/+6
Installing the undercloud with generate_service_certificate=True fails if HAProxy is not pre-installed. This is due to missing dependency setting on our puppet manifests. We need to specify that the PEM file needs to be written only if the haproxy user and group exist (which comes from the package) and that the haproxy frontend configuration needs to be notified if there are changes in the certificates. Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b Closes-Bug: #1623805
2016-09-12Fill DNS name for haproxy certificatesJuan Antonio Osorio Robles1-0/+1
This sets the subject alt name field for the certificates we auto-generate, which will remove the security warnings we constantly see in the undercloud. This is the proper way to set certificates, since the usage of the CN as a replacement for the subjectAltName is being deprecated (very slowly). Change-Id: I475cbffd47425e850902838eec06bf461df2acd0 Closes-Bug: #1622446
2016-07-21Add class to use certmonger's local CAJuan Antonio Osorio Robles1-0/+37
This class extracts the certificate and adds it to the trusted certs. bp tls-via-certmonger Change-Id: I6dc1e0469cd7dbbb51659c8f29975d25b2941ec3
2016-07-18Add principal to certmonger's haproxy helperJuan Antonio Osorio Robles1-0/+5
The principal is needed for kerberos-based solutions like FreeIPA. bp tls-via-certmonger Change-Id: Ie27848f522d11135b061aef766de2b696c77fcb9
2016-07-13Add resource for requesting certificates for HAProxyJuan Antonio Osorio Robles1-0/+70
This resource will be used in both the overcloud and the undercloud, and can be called in several instances (for public-facing or internal-facing certificates). bp tls-via-certmonger Change-Id: I0410fe0dbbed97d16909e911f7318d78a5bd7d7b