Run the SSL verification at step2
Run the SSL verification at step2 instead of host_prep as we need to have CACerts injected before being able to validate the SSL certificates. It looks like NodeTLSCerts is getting deprecated and CI has already moved away from that method. Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466 Closes-bug: #1961056
This commit is contained in:
parent
a445fbd02b
commit
64a19091ab
|
@ -290,34 +290,7 @@ outputs:
|
|||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
|
||||
- - name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
|
||||
when:
|
||||
- {get_param: EnablePublicTLS}
|
||||
vars:
|
||||
ssl_cert: {get_param: SSLCertificate}
|
||||
auto_gen: {get_param: PublicSSLCertificateAutogenerated}
|
||||
protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
|
||||
block:
|
||||
- name: Verify SSL certificate
|
||||
shell: |
|
||||
cat << EOF | openssl verify
|
||||
{{ssl_cert}}
|
||||
EOF
|
||||
register: openssl_output
|
||||
when:
|
||||
- ( ssl_cert | length ) > 512
|
||||
- protocol == "https"
|
||||
failed_when:
|
||||
( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
|
||||
- fail:
|
||||
msg: >
|
||||
SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
|
||||
is False and at least one endpoint is configured with https
|
||||
when:
|
||||
- ( ssl_cert | length ) < 512
|
||||
- not ( auto_gen | bool )
|
||||
- protocol == "https"
|
||||
- name: Run puppet on the host to apply IPtables rules
|
||||
- - name: Run puppet on the host to apply IPtables rules
|
||||
no_log: true
|
||||
shell: |
|
||||
puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
|
||||
|
@ -366,6 +339,34 @@ outputs:
|
|||
name: rsyslog
|
||||
state: restarted
|
||||
when: logconfig is changed
|
||||
- name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
|
||||
when:
|
||||
- {get_param: EnablePublicTLS}
|
||||
- step|int == 2
|
||||
vars:
|
||||
ssl_cert: {get_param: SSLCertificate}
|
||||
auto_gen: {get_param: PublicSSLCertificateAutogenerated}
|
||||
protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
|
||||
block:
|
||||
- name: Verify SSL certificate
|
||||
shell: |
|
||||
cat << EOF | openssl verify
|
||||
{{ssl_cert}}
|
||||
EOF
|
||||
register: openssl_output
|
||||
when:
|
||||
- ( ssl_cert | length ) > 512
|
||||
- protocol == "https"
|
||||
failed_when:
|
||||
( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
|
||||
- fail:
|
||||
msg: >
|
||||
SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
|
||||
is False and at least one endpoint is configured with https
|
||||
when:
|
||||
- ( ssl_cert | length ) < 512
|
||||
- not ( auto_gen | bool )
|
||||
- protocol == "https"
|
||||
- name: HAproxy tag container image for pacemaker
|
||||
when: step|int == 1
|
||||
import_role:
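Review bot: The two length guards in the moved block leave a gap: the verify task runs only when `( ssl_cert | length ) > 512` and the fail task only when `( ssl_cert | length ) < 512`, so a certificate of exactly 512 characters is neither verified nor rejected and the step passes silently; changing the verify condition to `- ( ssl_cert | length ) >= 512` closes it. The heredoc feeding `openssl verify` uses an unquoted delimiter, so the shell still performs `$`/backtick expansion on the operator-supplied SSLCertificate text before openssl sees it; `cat << 'EOF' | openssl verify` makes the body literal, or the `command` module's `stdin` option avoids the shell entirely. Both points also applied to the removed copy in host_prep_tasks, and the enclosing deploy_steps_tasks list starts outside this hunk.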
|
||||
|
|