From 74e7e674591ec7a9a90ca8ee035576438271d7ff Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon, 7 Aug 2017 14:25:38 +0300
Subject: Move HAProxy's public TLS logic from controller to service template

This de-couples public TLS from controllers to now run wherever HAProxy
is deployed.

Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
---
 puppet/services/haproxy.yaml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

(limited to 'puppet/services')

diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index a37135da..6b2d028f 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -57,6 +57,16 @@ parameters:
   MonitoringSubscriptionHaproxy:
     default: 'overcloud-haproxy'
     type: string
+  SSLCertificate:
+    default: ''
+    description: >
+      The content of the SSL certificate (without Key) in PEM format.
+    type: string
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
@@ -68,6 +78,14 @@ parameters:
     description: Specifies the default CRL PEM file to use for revocation if
                  TLS is used for services in the internal network.
 
+conditions:
+
+  public_tls_enabled:
+    not:
+      equals:
+      - {get_param: SSLCertificate}
+      - ""
+
 resources:
 
   HAProxyPublicTLS:
@@ -98,8 +116,6 @@ outputs:
       monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
       config_settings:
         map_merge:
-          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
-          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
           - tripleo.haproxy.firewall_rules:
               '107 haproxy stats':
                 dport: 1993
@@ -115,6 +131,12 @@ outputs:
               map_merge:
                 - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
                 - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
+          - if:
+              - public_tls_enabled
+              - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
+              - {}
+          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
       step_config: |
         include ::tripleo::profile::base::haproxy
       upgrade_tasks:
-- 
cgit 1.2.3-korg