Merge "Validate SSLCertificate is defined"
commit
a445fbd02b
|
@ -290,7 +290,34 @@ outputs:
|
|||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
|
||||
- - name: Run puppet on the host to apply IPtables rules
|
||||
- - name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
|
||||
when:
|
||||
- {get_param: EnablePublicTLS}
|
||||
vars:
|
||||
ssl_cert: {get_param: SSLCertificate}
|
||||
auto_gen: {get_param: PublicSSLCertificateAutogenerated}
|
||||
protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
|
||||
block:
|
||||
- name: Verify SSL certificate
|
||||
shell: |
|
||||
cat << EOF | openssl verify
|
||||
{{ssl_cert}}
|
||||
EOF
|
||||
register: openssl_output
|
||||
when:
|
||||
- ( ssl_cert | length ) > 512
|
||||
- protocol == "https"
|
||||
failed_when:
|
||||
( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
|
||||
- fail:
|
||||
msg: >
|
||||
SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
|
||||
is False and at least one endpoint is configured with https
|
||||
when:
|
||||
- ( ssl_cert | length ) < 512
|
||||
- not ( auto_gen | bool )
|
||||
- protocol == "https"
|
||||
- name: Run puppet on the host to apply IPtables rules
|
||||
no_log: true
|
||||
shell: |
|
||||
puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
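Review bot: The heredoc in the "Verify SSL certificate" task uses an unquoted delimiter, so the shell performs `$`, backtick and backslash expansion on the interpolated certificate body before openssl reads it; quote it, `cat << 'EOF' | openssl verify`, so the SSLCertificate parameter is passed through literally (the shell module's `stdin` argument would avoid the heredoc altogether). The two length guards also leave a gap: a value of exactly 512 characters is neither verified (`> 512`) nor rejected (`< 512`), so one side should be inclusive, e.g. `- ( ssl_cert | length ) >= 512` on the verify task. `openssl verify` is run without `-CAfile`/`-untrusted`, so a certificate issued by a private CA that is not in the host trust store presumably fails with an issuer-lookup error that `failed_when` treats as fatal, and with a bundled chain on stdin only the first certificate is likely checked — worth confirming against the deployments this targets. The release note in the second hunk names `UsePublicTLS` while the task is gated on `EnablePublicTLS`; the surrounding `outputs` mapping begins before this hunk and the puppet task continues past its last line.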
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Before this patch, invalid certificates would be detected close to the end
|
||||
of the deployment. In small environments, this comes fast but in an environment
|
||||
with a large number of nodes, failures would come really late after a few
|
||||
hours of deployment. With this validation, it now fails before step1 at
|
||||
host_prep_steps if the certificate is smaller than 512 bytes if UsePublicTLS
|
||||
is set to true and PublicSSLCertificateAutogenerated is set to false. It will
|
||||
also use openssl to verify the state of the certificate and fail if the certificate
|
||||
is invalid or expired.
|