Include local CA in haproxy PEM

In order for the browser to trust the certificate served by HAProxy we need to include the CA cert in the PEM file that the endpoints serve. Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417 Closes-Bug: #1639807
2016-11-08 09:05:12 +02:00 · 2016-11-08 09:05:12 +02:00 · ffd7040a6d
commit ffd7040a6d
parent 8a4fc9c18e
1 changed files with 18 additions and 2 deletions
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@ -36,6 +36,10 @@
 #   The post-save-command that certmonger will use once it renews the
 #   certificate.
 #
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@ -45,7 +49,8 @@ define tripleo::certmonger::haproxy (
  $service_key,
  $hostname,
  $postsave_cmd,
-  $principal = undef,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $principal     = undef,
 ){
    include ::haproxy::params
    certmonger_certificate { "${title}-cert":
@ -69,10 +74,21 @@ define tripleo::certmonger::haproxy (
      order   => '01',
      require => Certmonger_certificate["${title}-cert"],
    }
+
+    if $certmonger_ca == 'local' {
+      $ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
+      concat::fragment { "${title}-ca-fragment":
+        target  => $service_pem,
+        source  => $ca_pem,
+        order   => '10',
+        require => Class['tripleo::certmonger::ca::local'],
+      }
+    }
+
    concat::fragment { "${title}-key-fragment":
      target  => $service_pem,
      source  => $service_key,
-      order   => 10,
+      order   => 20,
      require => Certmonger_certificate["${title}-cert"],
    }
 }