Include local CA installation outside of HAProxy cert setup

It used to be the case that we would only do the local CA setup if we
would require a certificate for HAProxy. This is no longer the case as
we're trying to do TLS by default in the overcloud. So this instead
moves that setup to the certmonger_user class which should always get
used.

Change-Id: I5b4dc0a60ccc988b1ffbbb04231e6688377dd0eb
Juan Antonio Osorio Robles 2018-04-06 09:20:30 +03:00
parent 5db20541e9
commit 4d08ec3978
2 changed files with 12 additions and 3 deletions


@ -60,10 +60,7 @@ define tripleo::certmonger::haproxy (
){
include ::certmonger
include ::haproxy::params
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
include ::tripleo::certmonger::ca::local
if defined(Class['::haproxy']) {
Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']
}
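Review bot: The relationship `Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']` still sits inside the `if $certmonger_ca == 'local'` branch, but this define apparently no longer declares that class itself; going by the hunk header (10 old lines, 7 new) and the commit message, the three dropped lines are the two comment lines and the `include`. A relationship that names a class absent from the catalog normally fails compilation, so a node that uses `tripleo::certmonger::haproxy` without also applying `tripleo::profile::base::certmonger_user` would break, and the inner `defined()` guard only covers the haproxy side. Because `include` is idempotent, keeping `include ::tripleo::certmonger::ca::local` here next to the relationship would cost nothing and keep the define self-contained; otherwise a comment such as `# ca::local is declared by tripleo::profile::base::certmonger_user` should state the dependency. The define's body starts before and continues after this hunk.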


@ -12,6 +12,10 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# == class: tripleo::profile::base::certmonger_user
#
# Profile that ensures that the relevant certmonger certificates have been
@ -114,6 +118,7 @@
# Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
#
class tripleo::profile::base::certmonger_user (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$apache_postsave_cmd = undef,
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
@ -131,6 +136,13 @@ class tripleo::profile::base::certmonger_user (
$ovs_certificate_specs = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
) {
include ::certmonger
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
include ::tripleo::certmonger::ca::local
}
unless empty($haproxy_certificates_specs) {
$reload_haproxy = ['systemctl reload haproxy']
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>