From 6990da87c36158677d2c1f78405f45c86e915767 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue, 18 Apr 2017 15:48:02 +0300
Subject: Enable setting SubjectaltNames for haproxy and httpd certs

This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.

Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
---
 manifests/certmonger/haproxy.pp | 14 +++++++++++++-
 manifests/certmonger/httpd.pp   | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

(limited to 'manifests/certmonger')

diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 6668440..a5d1bf8 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -40,6 +40,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*dnsnames*]
+#   (Optional) The DNS names that will be added for the SubjectAltNames entry
+#   in the certificate. If left unset, the value will be set to the $hostname.
+#   Defaults to undef
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@@ -50,6 +55,7 @@ define tripleo::certmonger::haproxy (
   $hostname,
   $postsave_cmd,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $dnsnames      = undef,
   $principal     = undef,
 ){
     include ::certmonger
@@ -62,11 +68,17 @@ define tripleo::certmonger::haproxy (
       }
     }
 
+    if $dnsnames {
+      $dnsnames_real = $dnsnames
+    } else {
+      $dnsnames_real = $hostname
+    }
+
     certmonger_certificate { "${title}-cert":
       ensure       => 'present',
       ca           => $certmonger_ca,
       hostname     => $hostname,
-      dnsname      => $hostname,
+      dnsname      => $dnsnames_real,
       certfile     => $service_certificate,
       keyfile      => $service_key,
       postsave_cmd => $postsave_cmd,
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index 74c0b5a..e9754f7 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -31,6 +31,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*dnsnames*]
+#   (Optional) The DNS names that will be added for the SubjectAltNames entry
+#   in the certificate. If left unset, the value will be set to the $hostname.
+#   Defaults to undef
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@@ -39,18 +44,25 @@ define tripleo::certmonger::httpd (
   $service_certificate,
   $service_key,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $dnsnames      = undef,
   $principal     = undef,
 ) {
   include ::certmonger
   include ::apache::params
 
+  if $dnsnames {
+    $dnsnames_real = $dnsnames
+  } else {
+    $dnsnames_real = $hostname
+  }
+
   $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
   certmonger_certificate { $name :
     ensure       => 'present',
     certfile     => $service_certificate,
     keyfile      => $service_key,
     hostname     => $hostname,
-    dnsname      => $hostname,
+    dnsname      => $dnsnames_real,
     principal    => $principal,
     postsave_cmd => $postsave_cmd,
     ca           => $certmonger_ca,
-- 
cgit 1.2.3-korg