summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/controller-role.yaml1
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml1
-rw-r--r--puppet/role.role.j2.yaml3
-rw-r--r--puppet/services/haproxy.yaml26
4 files changed, 25 insertions, 6 deletions
diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml
index 38589a4e..ab81d1aa 100644
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@@ -563,7 +563,6 @@ resources:
extraconfig: {get_param: ExtraConfig}
controller:
# Misc
- tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]}
fqdn_storage: {get_attr: [NetHostMap, value, storage, fqdn]}
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index 8cba4351..e81b1142 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -7,6 +7,7 @@ description: >
parameters:
# Can be overridden via parameter_defaults in the environment
SSLCertificate:
+ default: ''
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml
index 23d8896e..f1abf8dd 100644
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@@ -513,9 +513,6 @@ resources:
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
- {%- if 'primary' in role.tags and 'controller' in role.tags %}
- tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
- {%- endif -%}
# Resource for site-specific injection of root certificate
NodeTLSCAData:
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index a37135da..6b2d028f 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -57,6 +57,16 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@@ -68,6 +78,14 @@ parameters:
description: Specifies the default CRL PEM file to use for revocation if
TLS is used for services in the internal network.
+conditions:
+
+ public_tls_enabled:
+ not:
+ equals:
+ - {get_param: SSLCertificate}
+ - ""
+
resources:
HAProxyPublicTLS:
@@ -98,8 +116,6 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
map_merge:
- - get_attr: [HAProxyPublicTLS, role_data, config_settings]
- - get_attr: [HAProxyInternalTLS, role_data, config_settings]
- tripleo.haproxy.firewall_rules:
'107 haproxy stats':
dport: 1993
@@ -115,6 +131,12 @@ outputs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
+ - if:
+ - public_tls_enabled
+ - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
+ - {}
+ - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+ - get_attr: [HAProxyInternalTLS, role_data, config_settings]
step_config: |
include ::tripleo::profile::base::haproxy
upgrade_tasks: