HAProxy: Refactor certificate retrieval bits

This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2017-03-13 14:09:36 +02:00 · 2017-03-13 14:09:36 +02:00 · bee651abcb
commit bee651abcb
parent 8a6e4c7b99
2 changed files with 14 additions and 21 deletions
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $principal     = undef,
 ){
+    include ::certmonger
    include ::haproxy::params
+    # This is only needed for certmonger's local CA. For any other CA this
+    # operation (trusting the CA) should be done by the deployer.
+    if $certmonger_ca == 'local' {
+      class { '::tripleo::certmonger::ca::local':
+        notify => Class['::tripleo::haproxy']
+      }
+    }
+
    certmonger_certificate { "${title}-cert":
+      ensure       => 'present',
+      ca           => $certmonger_ca,
      hostname     => $hostname,
      dnsname      => $hostname,
      certfile     => $service_certificate,
      keyfile      => $service_key,
      postsave_cmd => $postsave_cmd,
      principal    => $principal,
+      wait         => true,
+      require      => Class['::certmonger'],
    }
    concat { $service_pem :
      ensure  => present,
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@ -32,10 +32,6 @@
 #         principal: "haproxy/<undercloud fqdn>"
 #   Defaults to {}.
 #
-# [*certmonger_ca*]
-#   (Optional) The CA that certmonger will use to generate the certificates.
-#   Defaults to hiera('certmonger_ca', 'local').
-#
 # [*enable_load_balancer*]
 #   (Optional) Whether or not loadbalancer is enabled.
 #   Defaults to hiera('enable_load_balancer', true).
@ -55,7 +51,6 @@
 #
 class tripleo::profile::base::haproxy (
  $certificates_specs            = {},
-  $certmonger_ca                 = hiera('certmonger_ca', 'local'),
  $enable_load_balancer          = hiera('enable_load_balancer', true),
  $generate_service_certificates = hiera('generate_service_certificates', false),
  $step                          = hiera('step'),
@ -63,22 +58,7 @@ class tripleo::profile::base::haproxy (
  if $step >= 1 {
    if $enable_load_balancer {
      if str2bool($generate_service_certificates) {
-        include ::certmonger
-        # This is only needed for certmonger's local CA. For any other CA this
-        # operation (trusting the CA) should be done by the deployer.
-        if $certmonger_ca == 'local' {
-          class { '::tripleo::certmonger::ca::local':
-            notify => Class['::tripleo::haproxy']
-          }
-        }
-
-        Certmonger_certificate {
-          ca          => $certmonger_ca,
-          ensure      => 'present',
-          wait        => true,
-          require     => Class['::certmonger'],
-        }
-        create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
+        ensure_resources('tripleo::certmonger::haproxy', $certificates_specs)
        # The haproxy fronends (or listen resources) depend on the certificate
        # existing and need to be refreshed if it changed.
        Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>