Merge "Certmonger: Make postsave command configurable"

2017-08-21 11:42:06 +00:00
parent 207b1ea97b 095d130f9d
commit 1dc48e6b94
6 changed files with 55 additions and 16 deletions
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -32,10 +32,6 @@
 #   The hostname that certmonger will use as the common name for the
 #   certificate.
 #
-# [*postsave_cmd*]
-#   The post-save-command that certmonger will use once it renews the
-#   certificate.
-#
 # [*certmonger_ca*]
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
@@ -48,15 +44,19 @@
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
+# [*postsave_cmd*]
+#   The post-save-command that certmonger will use once it renews the
+#   certificate.
+#
 define tripleo::certmonger::haproxy (
  $service_pem,
  $service_certificate,
  $service_key,
  $hostname,
-  $postsave_cmd,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $dnsnames      = undef,
  $principal     = undef,
+  $postsave_cmd  = undef,
 ){
    include ::certmonger
    include ::haproxy::params
@@ -74,6 +74,7 @@ define tripleo::certmonger::haproxy (
      $dnsnames_real = $hostname
    }

+    $postsave_cmd_real = pick($postsave_cmd, 'systemctl reload haproxy')
    certmonger_certificate { "${title}-cert":
      ensure       => 'present',
      ca           => $certmonger_ca,
@@ -81,7 +82,7 @@ define tripleo::certmonger::haproxy (
      dnsname      => $dnsnames_real,
      certfile     => $service_certificate,
      keyfile      => $service_key,
-      postsave_cmd => $postsave_cmd,
+      postsave_cmd => $postsave_cmd_real,
      principal    => $principal,
      wait         => true,
      tag          => 'haproxy-cert',
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -36,6 +36,11 @@
 #   in the certificate. If left unset, the value will be set to the $hostname.
 #   Defaults to undef
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@@ -45,6 +50,7 @@ define tripleo::certmonger::httpd (
  $service_key,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $dnsnames      = undef,
+  $postsave_cmd  = undef,
  $principal     = undef,
 ) {
  include ::certmonger
@@ -56,7 +62,7 @@ define tripleo::certmonger::httpd (
    $dnsnames_real = $hostname
  }

-  $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::apache::params::service_name}")
  certmonger_certificate { $name :
    ensure       => 'present',
    certfile     => $service_certificate,
@@ -64,7 +70,7 @@ define tripleo::certmonger::httpd (
    hostname     => $hostname,
    dnsname      => $dnsnames_real,
    principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
    ca           => $certmonger_ca,
    wait         => true,
    tag          => 'apache-cert',
--- a/manifests/certmonger/mongodb.pp
+++ b/manifests/certmonger/mongodb.pp
@@ -34,6 +34,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
@@ -44,12 +49,13 @@ class tripleo::certmonger::mongodb (
  $service_key,
  $service_pem,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
  $principal     = undef,
 ) {
  include ::certmonger
  include ::mongodb::params

-  $postsave_cmd  = "systemctl restart ${::mongodb::params::service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::mongodb::params::service_name}")
  certmonger_certificate { 'mongodb' :
    ensure       => 'present',
    certfile     => $service_certificate,
@@ -57,7 +63,7 @@ class tripleo::certmonger::mongodb (
    hostname     => $hostname,
    dnsname      => $hostname,
    principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
    ca           => $certmonger_ca,
    wait         => true,
    require      => Class['::certmonger'],
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -37,6 +37,11 @@
 #   This parameter can take both a string or an array of strings.
 #   Defaults to $hostname
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   (Optional) The haproxy service principal that is set for MySQL in kerberos.
 #   Defaults to undef
@@ -47,12 +52,13 @@ class tripleo::certmonger::mysql (
  $service_key,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $dnsnames      = $hostname,
+  $postsave_cmd  = undef,
  $principal     = undef,
 ) {
  include ::certmonger
  include ::mysql::params

-  $postsave_cmd        = "systemctl reload ${::mysql::params::server_service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::mysql::params::server_service_name}")
  certmonger_certificate { 'mysql' :
    ensure       => 'present',
    certfile     => $service_certificate,
@@ -60,7 +66,7 @@ class tripleo::certmonger::mysql (
    hostname     => $hostname,
    dnsname      => $dnsnames,
    principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
    ca           => $certmonger_ca,
    wait         => true,
    require      => Class['::certmonger'],
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,6 +31,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
 # [*principal*]
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
@@ -40,12 +45,13 @@ class tripleo::certmonger::rabbitmq (
  $service_certificate,
  $service_key,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
  $principal     = undef,
 ) {
  include ::certmonger
  include ::rabbitmq::params

-  $postsave_cmd  = "systemctl restart ${::rabbitmq::params::service_name}"
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::rabbitmq::params::service_name}")
  certmonger_certificate { 'rabbitmq' :
    ensure       => 'present',
    certfile     => $service_certificate,
@@ -53,7 +59,7 @@ class tripleo::certmonger::rabbitmq (
    hostname     => $hostname,
    dnsname      => $hostname,
    principal    => $principal,
-    postsave_cmd => $postsave_cmd,
+    postsave_cmd => $postsave_cmd_real,
    ca           => $certmonger_ca,
    wait         => true,
    require      => Class['::certmonger'],
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -38,11 +38,21 @@
 #   it will create.
 #   Defaults to hiera('apache_certificate_specs', {}).
 #
+# [*apache_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart apache when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*haproxy_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
 #
+# [*haproxy_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart haproxy when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*libvirt_certificates_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@@ -70,7 +80,9 @@
 #
 class tripleo::profile::base::certmonger_user (
  $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
+  $apache_postsave_cmd        = undef,
  $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+  $haproxy_postsave_cmd       = undef,
  $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
  $mongodb_certificate_specs  = hiera('mongodb_certificate_specs',{}),
  $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
@@ -94,7 +106,8 @@ class tripleo::profile::base::certmonger_user (

  unless empty($apache_certificates_specs) {
    include ::tripleo::certmonger::apache_dirs
-    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
+    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs,
+                      {'postsave_cmd' => $apache_postsave_cmd})
  }
  unless empty($libvirt_certificates_specs) {
    include ::tripleo::certmonger::libvirt_dirs
@@ -102,7 +115,8 @@ class tripleo::profile::base::certmonger_user (
  }
  unless empty($haproxy_certificates_specs) {
    include ::tripleo::certmonger::haproxy_dirs
-    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
+    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,
+                      {'postsave_cmd' => $haproxy_postsave_cmd})
    # The haproxy fronends (or listen resources) depend on the certificate
    # existing and need to be refreshed if it changed.
    Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>