From 65e9ffa15fe7cbe7fa8c52ddadd913b3c282c867 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon, 7 Aug 2017 11:01:24 +0300
Subject: Create parameters for haproxy TLS certs and keys

this removes the hardcoded paths for the haproxy certs and keys and will
enable re-use. We'll use this in a further commit in the containterized
TLS work.

Change-Id: I602e5a569e2e7e60835deb80532abcedd7a1f63d
---
 .../services/haproxy-internal-tls-certmonger.yaml  | 30 +++++++++++++++---
 puppet/services/haproxy-public-tls-certmonger.yaml | 36 ++++++++++++++++++----
 2 files changed, 55 insertions(+), 11 deletions(-)

(limited to 'puppet')

diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
index 3355a0d3..642685a8 100644
--- a/puppet/services/haproxy-internal-tls-certmonger.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -30,6 +30,12 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  HAProxyInternalTLSCertsDirectory:
+    default: '/etc/pki/tls/certs/haproxy'
+    type: string
+  HAProxyInternalTLSKeysDirectory:
+    default: '/etc/pki/tls/private/haproxy'
+    type: string
 
 resources:
 
@@ -55,16 +61,30 @@ outputs:
       config_settings:
         generate_service_certificates: true
         tripleo::haproxy::use_internal_certificates: true
-        tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
-        tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+        tripleo::certmonger::haproxy_dirs::certificate_dir:
+          get_param: HAProxyInternalTLSCertsDirectory
+        tripleo::certmonger::haproxy_dirs::key_dir:
+          get_param: HAProxyInternalTLSKeysDirectory
       certificates_specs:
         map_merge:
           repeat:
             template:
               haproxy-NETWORK:
-                service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.pem'
-                service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-NETWORK.crt'
-                service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-NETWORK.key'
+                service_pem:
+                  list_join:
+                  - ''
+                  - - {get_param: HAProxyInternalTLSCertsDirectory}
+                    - '/overcloud-haproxy-NETWORK.pem'
+                service_certificate:
+                  list_join:
+                  - ''
+                  - - {get_param: HAProxyInternalTLSCertsDirectory}
+                    - '/overcloud-haproxy-NETWORK.crt'
+                service_key:
+                  list_join:
+                  - ''
+                  - - {get_param: HAProxyInternalTLSKeysDirectory}
+                    - '/overcloud-haproxy-NETWORK.key'
                 hostname: "%{hiera('cloud_name_NETWORK')}"
                 postsave_cmd: "" # TODO
                 principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml
index f1739f78..b2766c44 100644
--- a/puppet/services/haproxy-public-tls-certmonger.yaml
+++ b/puppet/services/haproxy-public-tls-certmonger.yaml
@@ -30,6 +30,12 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  HAProxyInternalTLSCertsDirectory:
+    default: '/etc/pki/tls/certs/haproxy'
+    type: string
+  HAProxyInternalTLSKeysDirectory:
+    default: '/etc/pki/tls/private/haproxy'
+    type: string
 
 outputs:
   role_data:
@@ -38,14 +44,32 @@ outputs:
       service_name: haproxy_public_tls_certmonger
       config_settings:
         generate_service_certificates: true
-        tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
-        tripleo::certmonger::haproxy_dirs::certificate_dir: '/etc/pki/tls/certs/haproxy'
-        tripleo::certmonger::haproxy_dirs::key_dir: '/etc/pki/tls/private/haproxy'
+        tripleo::haproxy::service_certificate:
+          list_join:
+          - ''
+          - - {get_param: HAProxyInternalTLSCertsDirectory}
+            - '/overcloud-haproxy-external.pem'
+        tripleo::certmonger::haproxy_dirs::certificate_dir:
+          get_param: HAProxyInternalTLSCertsDirectory
+        tripleo::certmonger::haproxy_dirs::key_dir:
+          get_param: HAProxyInternalTLSKeysDirectory
       certificates_specs:
         haproxy-external:
-          service_pem: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.pem'
-          service_certificate: '/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt'
-          service_key: '/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key'
+          service_pem:
+            list_join:
+            - ''
+            - - {get_param: HAProxyInternalTLSCertsDirectory}
+              - '/overcloud-haproxy-external.pem'
+          service_certificate:
+            list_join:
+            - ''
+            - - {get_param: HAProxyInternalTLSCertsDirectory}
+              - '/overcloud-haproxy-external.crt'
+          service_key:
+            list_join:
+            - ''
+            - - {get_param: HAProxyInternalTLSKeysDirectory}
+              - '/overcloud-haproxy-external.key'
           hostname: "%{hiera('cloud_name_external')}"
           postsave_cmd: "" # TODO
           principal: "haproxy/%{hiera('cloud_name_external')}"
-- 
cgit 1.2.3-korg