openstack/puppet-tripleo
Code Issues Proposed changes

HAProxy: Refactor certificate retrieval bits

Browse Source 
This moves the certificate request bits to simplify the profile and move
the logic to the HAProxy/certmonger specific manifest.

This is a small iteration on the effort to separate the certificate
retrieval to its own manifest since this part won't be containerized
yet.

Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
This commit is contained in:
Juan Antonio Osorio Robles 2017-03-13 14:09:36 +02:00
parent 8a6e4c7b99
commit bee651abcb
2 changed files with 14 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
manifests/certmonger/haproxy.pp
View File

@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy (
$certmonger_ca = hiera('certmonger_ca', 'local'), $certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef, $principal = undef,
){ ){
include ::certmonger
include ::haproxy::params include ::haproxy::params
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
class { '::tripleo::certmonger::ca::local':
notify => Class['::tripleo::haproxy']
}
}
certmonger_certificate { "${title}-cert": certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
hostname => $hostname, hostname => $hostname,
dnsname => $hostname, dnsname => $hostname,
certfile => $service_certificate, certfile => $service_certificate,
keyfile => $service_key, keyfile => $service_key,
postsave_cmd => $postsave_cmd, postsave_cmd => $postsave_cmd,
principal => $principal, principal => $principal,
wait => true,
require => Class['::certmonger'],
} }
concat { $service_pem : concat { $service_pem :
ensure => present, ensure => present,

22
manifests/profile/base/haproxy.pp
View File

@ -32,10 +32,6 @@
# principal: "haproxy/<undercloud fqdn>" # principal: "haproxy/<undercloud fqdn>"
# Defaults to {}. # Defaults to {}.
# #
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*enable_load_balancer*] # [*enable_load_balancer*]
# (Optional) Whether or not loadbalancer is enabled. # (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true). # Defaults to hiera('enable_load_balancer', true).
@ -55,7 +51,6 @@
# #
class tripleo::profile::base::haproxy ( class tripleo::profile::base::haproxy (
$certificates_specs = {}, $certificates_specs = {},
$certmonger_ca = hiera('certmonger_ca', 'local'),
$enable_load_balancer = hiera('enable_load_balancer', true), $enable_load_balancer = hiera('enable_load_balancer', true),
$generate_service_certificates = hiera('generate_service_certificates', false), $generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'), $step = hiera('step'),
@ -63,22 +58,7 @@ class tripleo::profile::base::haproxy (
if $step >= 1 { if $step >= 1 {
if $enable_load_balancer { if $enable_load_balancer {
if str2bool($generate_service_certificates) { if str2bool($generate_service_certificates) {
include ::certmonger ensure_resources('tripleo::certmonger::haproxy', $certificates_specs)
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
class { '::tripleo::certmonger::ca::local':
notify => Class['::tripleo::haproxy']
}
}
Certmonger_certificate {
ca => $certmonger_ca,
ensure => 'present',
wait => true,
require => Class['::certmonger'],
}
create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate # The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed. # existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||> Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>