summaryrefslogtreecommitdiffstats
path: root/puppet/services/haproxy-internal-tls-certmonger.yaml
blob: 1866bb97b95deda8f5733a561ed0813e9889dc69 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

heat_template_version: pike

description: >
  HAProxy deployment with TLS enabled, powered by certmonger

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json

resources:

  HAProxyNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # network will be handled in another template.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map:
              get_param: ServiceNetMap

outputs:
  role_data:
    description: Role data for the HAProxy internal TLS via certmonger role.
    value:
      service_name: haproxy_internal_tls_certmonger
      config_settings:
        generate_service_certificates: true
        tripleo::haproxy::use_internal_certificates: true
      certificates_specs:
        map_merge:
          repeat:
            template:
              haproxy-NETWORK:
                service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
                service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
                service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
                hostname: "%{hiera('cloud_name_NETWORK')}"
                postsave_cmd: "" # TODO
                principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
            for_each:
              NETWORK: {get_attr: [HAProxyNetworks, value]}
      metadata_settings:
        repeat:
          template:
          - service: haproxy
            network: $NETWORK
            type: vip
          for_each:
            $NETWORK: {get_attr: [HAProxyNetworks, value]}
ementing reference counts * @new: a blank task context (NOT NULL) * @old: the task context to copy (NOT NULL) */ void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old) { *new = *old; aa_get_profile(new->profile); aa_get_profile(new->previous); aa_get_profile(new->onexec); } /** * aa_get_task_profile - Get another task's profile * @task: task to query (NOT NULL) * * Returns: counted reference to @task's profile */ struct aa_profile *aa_get_task_profile(struct task_struct *task) { struct aa_profile *p; rcu_read_lock(); p = aa_get_profile(__aa_task_profile(task)); rcu_read_unlock(); return p; } /** * aa_replace_current_profile - replace the current tasks profiles * @profile: new profile (NOT NULL) * * Returns: 0 or error on failure */ int aa_replace_current_profile(struct aa_profile *profile) { struct aa_task_cxt *cxt = current_cxt(); struct cred *new; BUG_ON(!profile); if (cxt->profile == profile) return 0; new = prepare_creds(); if (!new) return -ENOMEM; cxt = cred_cxt(new); if (unconfined(profile) || (cxt->profile->ns != profile->ns)) /* if switching to unconfined or a different profile namespace * clear out context state */ aa_clear_task_cxt_trans(cxt); /* be careful switching cxt->profile, when racing replacement it * is possible that cxt->profile->replacedby->profile is the reference * keeping @profile valid, so make sure to get its reference before * dropping the reference on cxt->profile */ aa_get_profile(profile); aa_put_profile(cxt->profile); cxt->profile = profile; commit_creds(new); return 0; } /** * aa_set_current_onexec - set the tasks change_profile to happen onexec * @profile: system profile to set at exec (MAYBE NULL to clear value) * * Returns: 0 or error on failure */ int aa_set_current_onexec(struct aa_profile *profile) { struct aa_task_cxt *cxt; struct cred *new = prepare_creds(); if (!new) return -ENOMEM; cxt = cred_cxt(new); aa_get_profile(profile); aa_put_profile(cxt->onexec); cxt->onexec = profile; commit_creds(new); return 0; } /** * aa_set_current_hat - set the current tasks hat * @profile: profile to set as the current hat (NOT NULL) * @token: token value that must be specified to change from the hat * * Do switch of tasks hat. If the task is currently in a hat * validate the token to match. * * Returns: 0 or error on failure */ int aa_set_current_hat(struct aa_profile *profile, u64 token) { struct aa_task_cxt *cxt; struct cred *new = prepare_creds(); if (!new) return -ENOMEM; BUG_ON(!profile); cxt = cred_cxt(new); if (!cxt->previous) { /* transfer refcount */ cxt->previous = cxt->profile; cxt->token = token; } else if (cxt->token == token) { aa_put_profile(cxt->profile); } else { /* previous_profile && cxt->token != token */ abort_creds(new); return -EACCES; } cxt->profile = aa_get_newest_profile(profile); /* clear exec on switching context */ aa_put_profile(cxt->onexec); cxt->onexec = NULL; commit_creds(new); return 0; } /** * aa_restore_previous_profile - exit from hat context restoring the profile * @token: the token that must be matched to exit hat context * * Attempt to return out of a hat to the previous profile. The token * must match the stored token value. * * Returns: 0 or error of failure */ int aa_restore_previous_profile(u64 token) { struct aa_task_cxt *cxt; struct cred *new = prepare_creds(); if (!new) return -ENOMEM; cxt = cred_cxt(new); if (cxt->token != token) { abort_creds(new); return -EACCES; } /* ignore restores when there is no saved profile */ if (!cxt->previous) { abort_creds(new); return 0; } aa_put_profile(cxt->profile); cxt->profile = aa_get_newest_profile(cxt->previous); BUG_ON(!cxt->profile); /* clear exec && prev information when restoring to previous context */ aa_clear_task_cxt_trans(cxt); commit_creds(new); return 0; }