From 26cd692ab7ddb10cadfdbc8df71c7a753cb7c5f7 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 31 Mar 2021 16:22:01 -0400
Subject: [PATCH] Fix tls for undercloud with ipa
We recently changed cert generation to use linux-system roles to generate certs instead of puppet-certmonger. However, this broke the ability to generate the haproxy cert on the undercloud using an IPA server, because we relied in the ability to specify the CertmongerCA and the hieradata to provide the correct ca, principals and dns entries. This patch restores this ability through THT template parameters.
Change-Id: Ie2e181fcd9198ae5613fde7135230d4b4cf7343d
---
 .../haproxy-public-tls-certmonger.yaml | 55 ++++++++++++++-----
 1 file changed, 42 insertions(+), 13 deletions(-)
diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
index 3f902ec309..39e935ff9f 100644
--- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml
+++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
@@ -48,10 +48,24 @@ parameters: default: '' description: Override the private key size used when creating the certificate for this service + CertmongerCA: + type: string + default: '' + description: CA to use for certmonger + HAProxyCertificateDNSNames: + type: comma_delimited_list + default: [] + description: Override the default HAProxy Certificate DNS Names + HAProxyCertificatePrincipal: + type: string + default: '' + description: Override the default HAProxy Certificate Principal conditions: key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} + principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}} + dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}} outputs: role_data: 
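Review bot: The new `CertmongerCA` parameter's description, "CA to use for certmonger", does not say which values are meaningful; the only value the template later tests (the `when:` added in the @@ -104 hunk and the rewritten `ca:` line in the @@ -165 hunk) is the literal `IPA`, so an operator cannot tell from the parameter alone what to pass or that the match is case-sensitive. Suggest `description: CA to use for certmonger. Set to 'IPA' to request the HAProxy certificate from the IPA server; any other value falls back to the self-signed CA unless an IPA realm is already configured on the node.` `HAProxyCertificateDNSNames` should likewise state that it also feeds the request's `ip:` field, since the @@ -104 hunk derives `ip:` from the same list when the override is set.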
@@ -70,6 +84,8 @@ outputs: deploy_steps_tasks: - name: Certificate generation when: step|int == 1 + vars: + certmonger_ca: {get_param: CertmongerCA} block: - name: make sure certmonger is installed package:
@@ -104,26 +120,39 @@ outputs: retries: 5 delay: 1 until: result.rc == 0 + when: certmonger_ca != 'IPA' and (ipa_realm is not defined) - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: haproxy-external-cert dns: - str_replace: - template: "{{cloud_names.cloud_name_NETWORK}}" - params: - NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} + if: + - dnsnames_override_set + - {get_param: HAProxyCertificateDNSNames} + - str_replace: + template: "{{cloud_names.cloud_name_NETWORK}}" + params: + NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} ip: - str_replace: - template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}" - params: - NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} + if: + - dnsnames_override_set + - str_replace: + template: "{{DNSNAMES|ipaddr}}" + params: + DNSNAMES: {get_param: HAProxyCertificateDNSNames} + - str_replace: + template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}" + params: + NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} principal: - str_replace: - template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}" - params: - NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} + if: + - principal_override_set + - {get_param: HAProxyCertificatePrincipal} + - str_replace: + template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}" + params: + NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} run_after: str_replace: template: |
@@ -165,4 +194,4 @@ outputs: - key_size_override_unset - {get_param: CertificateKeySize} - {get_param: HAProxyCertificateKeySize} - ca: "{{idm_realm|default|ternary('ipa','self-sign')}}" + ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
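Review bot: The added `when: certmonger_ca != 'IPA' and (ipa_realm is not defined)` in the @@ -104 hunk tests a variable named `ipa_realm`, while every other reference in this file — the principal template in the same hunk and the rewritten `ca:` line in the @@ -165 hunk — uses `idm_realm`. Unless `ipa_realm` is deliberately a distinct variable, `ipa_realm is not defined` is always true, the guard collapses to `certmonger_ca != 'IPA'`, and this task still runs on a realm-configured node for which the request below selects `ca: ipa`. Suggest `when: certmonger_ca != 'IPA' and idm_realm is not defined` so the guard and the `ca:` selection cannot disagree; the task carrying this `when:` begins before the hunk. Separately, the override branch of `ip:` passes the comma_delimited_list `HAProxyCertificateDNSNames` directly as a str_replace param and renders `{{DNSNAMES|ipaddr}}`, whereas the existing branch wraps its value in a Jinja list (`{{[...]|ipaddr}}`); it is worth confirming that str_replace accepts a list-valued param here and that `ipaddr` still receives a list after substitution.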
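Review bot: `idm_realm is defined` in the new `ca:` expression of the @@ -165 hunk is true for an empty string, whereas the replaced `idm_realm|default|ternary(...)` treated an undefined and an empty realm alike as self-sign; if hieradata can supply `idm_realm` as `''`, this line now selects `ca: ipa` on a node with no IPA realm. If that is unintended, `ca: "{{ (certmonger_ca == 'IPA' or (idm_realm | default('')) != '') | ternary('ipa', 'self-sign') }}"` keeps the previous truthiness semantics while still honouring `CertmongerCA`. The certificate request item this `ca:` belongs to starts outside the hunk.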