blob: 2a61afc072153a5960ad8ebe83b78aab7fcf6d24 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
heat_template_version: ocata
description: >
This is a template which will build the TLS Certificates necessary
for the load balancer using the given parameters.
parameters:
# Can be overridden via parameter_defaults in the environment
SSLCertificate:
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
SSLIntermediateCertificate:
default: ''
description: >
The content of an SSL intermediate CA certificate in PEM format.
type: string
SSLKey:
description: >
The content of the SSL Key in PEM format.
type: string
hidden: true
# Can be overridden by parameter_defaults if the user wants to try deploying
# this in a distro that doesn't support this path.
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
# Passed in by the controller
NodeIndex:
default: 0
type: number
server:
description: ID of the controller node to apply this config to
type: string
resources:
ControllerTLSConfig:
type: OS::Heat::SoftwareConfig
properties:
group: script
inputs:
- name: cert_path
- name: cert_chain_content
outputs:
- name: chain_md5sum
- name: cert_modulus
- name: key_modulus
config: |
#!/bin/sh
cat > ${cert_path} << EOF
${cert_chain_content}
EOF
chmod 0440 ${cert_path}
chown root:haproxy ${cert_path}
md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
openssl x509 -noout -modulus -in ${cert_path} \
| openssl md5 | cut -c 10- \
> ${heat_outputs_path}.cert_modulus
openssl rsa -noout -modulus -in ${cert_path} \
| openssl md5 | cut -c 10- \
> ${heat_outputs_path}.key_modulus
# We need to reload haproxy in case the certificate changed because
# puppet doesn't know the contents of the cert file.
haproxy_status=$(systemctl is-active haproxy)
if [ "$haproxy_status" = "active" ]; then
systemctl reload haproxy
fi
ControllerTLSDeployment:
type: OS::Heat::SoftwareDeployment
properties:
name: ControllerTLSDeployment
config: {get_resource: ControllerTLSConfig}
server: {get_param: server}
input_values:
cert_path: {get_param: DeployedSSLCertificatePath}
cert_chain_content:
list_join:
- ''
- - {get_param: SSLCertificate}
- {get_param: SSLIntermediateCertificate}
- {get_param: SSLKey}
outputs:
deploy_stdout:
description: Deployment reference
value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
deployed_ssl_certificate_path:
description: The location that the TLS certificate was deployed to.
value: {get_param: DeployedSSLCertificatePath}
key_modulus_md5:
description: MD5 checksum of the Key SSL Modulus
value: {get_attr: [ControllerTLSDeployment, key_modulus]}
cert_modulus_md5:
description: MD5 checksum of the Certificate SSL Modulus
value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
|
