
Fix tls for undercloud with ipa

We recently changed cert generation to use linux-system roles
to generate certs instead of puppet-certmonger.  However, this broke
the ability to generate the haproxy cert on the undercloud using an
IPA server, because we relied on the ability to specify the CertmongerCA
and the hieradata to provide the correct ca, principals and dns entries.

This patch restores this ability through THT template parameters.

Change-Id: Ie2e181fcd9198ae5613fde7135230d4b4cf7343d
changes/70/784170/5
Ade Lee 1 year ago
parent
commit
26cd692ab7
  1. 55
      deployment/haproxy/haproxy-public-tls-certmonger.yaml

55
deployment/haproxy/haproxy-public-tls-certmonger.yaml

@ -48,10 +48,24 @@ parameters:
default: ''
description: Override the private key size used when creating the
certificate for this service
CertmongerCA:
type: string
default: ''
description: CA to use for certmonger
HAProxyCertificateDNSNames:
type: comma_delimited_list
default: []
description: Override the default HAProxy Certificate DNS Names
HAProxyCertificatePrincipal:
type: string
default: ''
description: Override the default HAProxy Certificate Principal
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}}
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}}
outputs:
role_data:
@ -70,6 +84,8 @@ outputs:
deploy_steps_tasks:
- name: Certificate generation
when: step|int == 1
vars:
certmonger_ca: {get_param: CertmongerCA}
block:
- name: make sure certmonger is installed
package:
@ -104,26 +120,39 @@ outputs:
retries: 5
delay: 1
until: result.rc == 0
when: certmonger_ca != 'IPA' and (ipa_realm is not defined)
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: haproxy-external-cert
dns:
str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
if:
- dnsnames_override_set
- {get_param: HAProxyCertificateDNSNames}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
ip:
str_replace:
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
if:
- dnsnames_override_set
- str_replace:
template: "{{DNSNAMES|ipaddr}}"
params:
DNSNAMES: {get_param: HAProxyCertificateDNSNames}
- str_replace:
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
principal:
str_replace:
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
if:
- principal_override_set
- {get_param: HAProxyCertificatePrincipal}
- str_replace:
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
run_after:
str_replace:
template: |
@ -165,4 +194,4 @@ outputs:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
ca: "{{idm_realm|default|ternary('ipa','self-sign')}}"
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
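Review bot: The `when:` guard on the `until: result.rc == 0` task tests `ipa_realm is not defined`, while the new `ca:` expression on the last line of the section and the principal templates (`idm_realm|default('UNDERCLOUD')`) key on `idm_realm`, so the two checks are looking at different variables; I cannot tell from the rendered page whether that `when:` line is new or context, but if `idm_realm` is the variable actually set by the deployment, that task (its name starts above the hunk) still runs on an IPA deployment that sets the realm without `CertmongerCA: IPA`. I would align it to `when: certmonger_ca != 'IPA' and (idm_realm is not defined)`. Separately, replacing `idm_realm|default|ternary(...)` with `idm_realm is defined` means an empty-string `idm_realm` now selects `ipa` where it previously selected `self-sign`; if that is intended, the `CertmongerCA` parameter description could state the recognised value, e.g. `description: CA to use for certmonger; set to IPA to request the certificate from the IPA server instead of the local self-signed CA`. The `include_role` task for `linux-system-roles.certificate` continues past the end of the hunk.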
