Filter haproxy_certificate_specs if hostname is empty
The HAProxy tripleo service currently attempts to generate certificate specs for all enabled networks which failes on roles that omit some networks. For now workaround it by filtering out the bad certificate specs in puppet-tripleo. A similar workaround was implemented for apache in I651919488cb68b0b9878b4e21ab376bfc6e3f0fe. Closes-bug: #1905604 Change-Id: I6f165491228f05539193f2e762b1b10320f52c36
This commit is contained in:
parent
1ac4048dbc
commit
eaca38aa67
|
@ -219,7 +219,11 @@ class tripleo::profile::base::certmonger_user (
|
|||
if $certmonger_ca == 'local' {
|
||||
include tripleo::certmonger::ca::local
|
||||
}
|
||||
unless empty($haproxy_certificates_specs) {
|
||||
|
||||
# Remove haproxy_certificates_specs where hostname is empty.
|
||||
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1905604
|
||||
$haproxy_certificates_specs_filtered = $haproxy_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
|
||||
unless empty($haproxy_certificates_specs_filtered) {
|
||||
$reload_haproxy = ['systemctl reload tripleo_haproxy']
|
||||
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
|
||||
if defined(Class['::haproxy']) {
|
||||
|
@ -258,9 +262,9 @@ class tripleo::profile::base::certmonger_user (
|
|||
ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
|
||||
{'postsave_cmd' => $qemu_postsave_cmd})
|
||||
}
|
||||
unless empty($haproxy_certificates_specs) {
|
||||
unless empty($haproxy_certificates_specs_filtered) {
|
||||
include tripleo::certmonger::haproxy_dirs
|
||||
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
|
||||
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs_filtered)
|
||||
# The haproxy fronends (or listen resources) depend on the certificate
|
||||
# existing and need to be refreshed if it changed.
|
||||
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
|
||||
|
|
Loading…
Reference in New Issue