Fix tls for undercloud with ipa
We recently changed cert generation to use linux-system roles to generate certs instead of puppet-certmonger. However, this broke the ability to generate the haproxy cert on the undercloud using an IPA server, because we relied on the ability to specify the CertmongerCA and the hieradata to provide the correct ca, principals and dns entries. This patch restores this ability through THT template parameters. Change-Id: Ie2e181fcd9198ae5613fde7135230d4b4cf7343d
This commit is contained in:
parent
0dbcbd18ad
commit
26cd692ab7
|
@ -48,10 +48,24 @@ parameters:
|
||||||
default: ''
|
default: ''
|
||||||
description: Override the private key size used when creating the
|
description: Override the private key size used when creating the
|
||||||
certificate for this service
|
certificate for this service
|
||||||
|
CertmongerCA:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: CA to use for certmonger
|
||||||
|
HAProxyCertificateDNSNames:
|
||||||
|
type: comma_delimited_list
|
||||||
|
default: []
|
||||||
|
description: Override the default HAProxy Certificate DNS Names
|
||||||
|
HAProxyCertificatePrincipal:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: Override the default HAProxy Certificate Principal
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||||
|
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}}
|
||||||
|
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
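Review bot: The `CertmongerCA` description, `CA to use for certmonger`, does not say which value the template acts on, yet the later hunks compare the parameter literally against `'IPA'` (the `when:` guard and the `ca:` ternary). A deployer setting it has no way to know the string must be exactly `IPA`, case-sensitive, for the IPA path to be taken. Suggested: `description: CA to use for certmonger; set to 'IPA' to have the HAProxy certificate issued by the IPA server (compared case-sensitively)`. `HAProxyCertificateDNSNames` would likewise benefit from noting that, when set, it replaces the cloud-name-derived entry rather than being appended to it, which is what the `if:` on `dns:` in the third hunk does.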
|
||||||
|
@ -70,6 +84,8 @@ outputs:
|
||||||
deploy_steps_tasks:
|
deploy_steps_tasks:
|
||||||
- name: Certificate generation
|
- name: Certificate generation
|
||||||
when: step|int == 1
|
when: step|int == 1
|
||||||
|
vars:
|
||||||
|
certmonger_ca: {get_param: CertmongerCA}
|
||||||
block:
|
block:
|
||||||
- name: make sure certmonger is installed
|
- name: make sure certmonger is installed
|
||||||
package:
|
package:
|
||||||
|
@ -104,26 +120,39 @@ outputs:
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 1
|
delay: 1
|
||||||
until: result.rc == 0
|
until: result.rc == 0
|
||||||
|
when: certmonger_ca != 'IPA' and (ipa_realm is not defined)
|
||||||
- include_role:
|
- include_role:
|
||||||
name: linux-system-roles.certificate
|
name: linux-system-roles.certificate
|
||||||
vars:
|
vars:
|
||||||
certificate_requests:
|
certificate_requests:
|
||||||
- name: haproxy-external-cert
|
- name: haproxy-external-cert
|
||||||
dns:
|
dns:
|
||||||
str_replace:
|
if:
|
||||||
template: "{{cloud_names.cloud_name_NETWORK}}"
|
- dnsnames_override_set
|
||||||
params:
|
- {get_param: HAProxyCertificateDNSNames}
|
||||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
- str_replace:
|
||||||
|
template: "{{cloud_names.cloud_name_NETWORK}}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||||
ip:
|
ip:
|
||||||
str_replace:
|
if:
|
||||||
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
|
- dnsnames_override_set
|
||||||
params:
|
- str_replace:
|
||||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
template: "{{DNSNAMES|ipaddr}}"
|
||||||
|
params:
|
||||||
|
DNSNAMES: {get_param: HAProxyCertificateDNSNames}
|
||||||
|
- str_replace:
|
||||||
|
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||||
principal:
|
principal:
|
||||||
str_replace:
|
if:
|
||||||
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
|
- principal_override_set
|
||||||
params:
|
- {get_param: HAProxyCertificatePrincipal}
|
||||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
- str_replace:
|
||||||
|
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||||
run_after:
|
run_after:
|
||||||
str_replace:
|
str_replace:
|
||||||
template: |
|
template: |
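Review bot: The new guard `when: certmonger_ca != 'IPA' and (ipa_realm is not defined)` tests a variable named `ipa_realm`, while the principal template in this hunk and the `ca:` line in the last hunk use `idm_realm`. If nothing defines `ipa_realm`, `ipa_realm is not defined` is always true and the task is skipped only when CertmongerCA is exactly `IPA`, so a host whose IPA membership is signalled by `idm_realm` alone would still run this task even though the `ca:` ternary selects `ipa` for it. Assuming the same variable was intended in both places, `when: certmonger_ca != 'IPA' and (idm_realm is not defined)` keeps the two conditions in step; the task this `when` belongs to starts before the hunk, so its purpose cannot be confirmed here. Separately, the override branch of `ip:` passes the DNS-name list through `ipaddr`, so only entries that are literal IP addresses become IP SANs — presumably intended, but a one-line comment such as `# IP SANs are derived from HAProxyCertificateDNSNames; non-IP entries are dropped by ipaddr` would save the next reader the inference.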
|
||||||
|
@ -165,4 +194,4 @@ outputs:
|
||||||
- key_size_override_unset
|
- key_size_override_unset
|
||||||
- {get_param: CertificateKeySize}
|
- {get_param: CertificateKeySize}
|
||||||
- {get_param: HAProxyCertificateKeySize}
|
- {get_param: HAProxyCertificateKeySize}
|
||||||
ca: "{{idm_realm|default|ternary('ipa','self-sign')}}"
|
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
|
||||||
|
|