From bee651abcb5f604fc0c4e11e45da65412c9af023 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Mon, 13 Mar 2017 14:09:36 +0200 Subject: [PATCH] HAProxy: Refactor certificate retrieval bits This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92 --- manifests/certmonger/haproxy.pp | 13 +++++++++++++ manifests/profile/base/haproxy.pp | 22 +--------------------- 2 files changed, 14 insertions(+), 21 deletions(-) diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 3b8fd09b9..666844082 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy ( $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, ){ + include ::certmonger include ::haproxy::params + # This is only needed for certmonger's local CA. For any other CA this + # operation (trusting the CA) should be done by the deployer. + if $certmonger_ca == 'local' { + class { '::tripleo::certmonger::ca::local': + notify => Class['::tripleo::haproxy'] + } + } + certmonger_certificate { "${title}-cert": + ensure => 'present', + ca => $certmonger_ca, hostname => $hostname, dnsname => $hostname, certfile => $service_certificate, keyfile => $service_key, postsave_cmd => $postsave_cmd, principal => $principal, + wait => true, + require => Class['::certmonger'], } concat { $service_pem : ensure => present, diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp index f16ec1b4c..8568b2854 100644 --- a/manifests/profile/base/haproxy.pp +++ b/manifests/profile/base/haproxy.pp @@ -32,10 +32,6 @@ # principal: "haproxy/" # Defaults to {}. # -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# # [*enable_load_balancer*] # (Optional) Whether or not loadbalancer is enabled. # Defaults to hiera('enable_load_balancer', true). @@ -55,7 +51,6 @@ # class tripleo::profile::base::haproxy ( $certificates_specs = {}, - $certmonger_ca = hiera('certmonger_ca', 'local'), $enable_load_balancer = hiera('enable_load_balancer', true), $generate_service_certificates = hiera('generate_service_certificates', false), $step = hiera('step'), @@ -63,22 +58,7 @@ class tripleo::profile::base::haproxy ( if $step >= 1 { if $enable_load_balancer { if str2bool($generate_service_certificates) { - include ::certmonger - # This is only needed for certmonger's local CA. For any other CA this - # operation (trusting the CA) should be done by the deployer. - if $certmonger_ca == 'local' { - class { '::tripleo::certmonger::ca::local': - notify => Class['::tripleo::haproxy'] - } - } - - Certmonger_certificate { - ca => $certmonger_ca, - ensure => 'present', - wait => true, - require => Class['::certmonger'], - } - create_resources('::tripleo::certmonger::haproxy', $certificates_specs) + ensure_resources('tripleo::certmonger::haproxy', $certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>