Merge "Validate SSLCertificate is defined"

2022-02-16 01:59:19 +00:00 · 2022-02-16 01:59:19 +00:00 · a445fbd02b
parent 33121f95c8 d5701e6ceb
commit a445fbd02b
2 changed files with 39 additions and 1 deletions
--- a/deployment/haproxy/haproxy-pacemaker-puppet.yaml
+++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
@ -290,7 +290,34 @@ outputs:
      host_prep_tasks:
        list_concat:
          - {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
-          - - name: Run puppet on the host to apply IPtables rules
+          - - name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
+              when:
+                - {get_param: EnablePublicTLS}
+              vars:
+                ssl_cert: {get_param: SSLCertificate}
+                auto_gen: {get_param: PublicSSLCertificateAutogenerated}
+                protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
+              block:
+                - name: Verify SSL certificate
+                  shell: |
+                    cat << EOF | openssl verify
+                    {{ssl_cert}}
+                    EOF
+                  register: openssl_output
+                  when:
+                    - ( ssl_cert | length ) > 512
+                    - protocol == "https"
+                  failed_when:
+                    ( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
+                - fail:
+                    msg: >
+                      SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
+                      is False and at least one endpoint is configured with https
+                  when:
+                    - ( ssl_cert | length ) < 512
+                    - not ( auto_gen | bool )
+                    - protocol == "https"
+            - name: Run puppet on the host to apply IPtables rules
              no_log: true
              shell: |
                puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
--- a/releasenotes/notes/certificiate-validation-1b08ab8cf40b7cad.yaml
+++ b/releasenotes/notes/certificiate-validation-1b08ab8cf40b7cad.yaml
@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    Before this patch, invalid certificates would be detected close to the end
+    of the deployment.  In small environments, this comes fast but in an environment
+    with a large number of nodes, failures would come really late after a few
+    hours of deployment.   With this validation, it now fails before step1 at
+    host_prep_steps if the certificate is smaller than 512 bytes if UsePublicTLS
+    is set to true and PublicSSLCertificateAutogenerated is set to false.  It will
+    also use openssl to verify the state of the certificate and fail if the certificate
+    is invalid or expired.