diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml deleted file mode 100644 index 20759937cf..0000000000 --- a/puppet/extraconfig/tls/tls-cert-inject.yaml +++ /dev/null @@ -1,140 +0,0 @@ -heat_template_version: rocky - -description: > - This is a template which will build the TLS Certificates necessary - for the load balancer using the given parameters. - -parameters: - # Can be overridden via parameter_defaults in the environment - SSLCertificate: - default: '' - description: > - The content of the SSL certificate (without Key) in PEM format. - type: string - SSLIntermediateCertificate: - default: '' - description: > - The content of an SSL intermediate CA certificate in PEM format. - type: string - # NOTE(jaosorior): Adding this default is only while we enable TLS by default - # for the overcloud. It'll be removed in a subsequent patch. - SSLKey: - default: '' - description: > - The content of the SSL Key in PEM format. - type: string - hidden: true - - # Can be overridden by parameter_defaults if the user wants to try deploying - # this in a distro that doesn't support this path. - DeployedSSLCertificatePath: - default: '/etc/pki/tls/private/overcloud_endpoint.pem' - description: > - The filepath of the certificate as it will be stored in the controller. - type: string - - # Passed in by the controller - NodeIndex: - default: 0 - type: number - server: - description: ID of the controller node to apply this config to - type: string - -resources: - ControllerTLSConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - inputs: - - name: cert_path - - name: cert_chain_content - outputs: - - name: chain_md5sum - - name: cert_modulus - - name: key_modulus - config: | - #!/bin/sh - # If the HAProxy container tried to load this, it'll be a directory and - # will make this fail. - if [ -d ${cert_path} ]; then - rmdir ${cert_path} - HAPROXY_TLS_UPDATE_NEEDED=1 - else - HAPROXY_TLS_UPDATE_NEEDED=0 - fi - cat > ${cert_path} << EOF - ${cert_chain_content} - EOF - chmod 0440 ${cert_path} - chown root:haproxy ${cert_path} - md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum - openssl x509 -noout -modulus -in ${cert_path} \ - | openssl md5 | cut -c 10- \ - > ${heat_outputs_path}.cert_modulus - openssl rsa -noout -modulus -in ${cert_path} \ - | openssl md5 | cut -c 10- \ - > ${heat_outputs_path}.key_modulus - # We need to reload haproxy in case the certificate changed because - # puppet doesn't know the contents of the cert file. - haproxy_status=$(systemctl is-active haproxy) - if [ "$haproxy_status" = "active" ]; then - systemctl reload haproxy - fi - pacemaker_status=$(systemctl is-active pacemaker) - # If we need an update and pacemaker is being used, we need to restart - # the pacemaker resource on the bootstrap node. We don't support the update - # in non-pacemaker cases. - if [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 1 && "$pacemaker_status" == "active" ]]; then - BOOTSTRAPNODE=$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid) - MY_HOSTNAME=$(hostname) - if [[ "$BOOTSTRAPNODE" == "$MY_HOSTNAME" ]]; then - # Triggers an update - HAPROXY_RESOURCE_NAME=$(pcs status | grep container | grep haproxy | sed 's/^.*container.*: \(.*\) .*/\1/') - if [[ -n "$HAPROXY_RESOURCE_NAME" ]]; then - pcs resource restart "$HAPROXY_RESOURCE_NAME" - fi - fi - elif [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 0 ]]; then - # Handles reloading HAProxy and fetching a new certificate if - # necessary - HAPROXY_CONTAINER_ID=$(docker ps | grep '[[:space:]]haproxy' | awk '{print $1}') - if [[ -n "$HAPROXY_CONTAINER_ID" ]]; then - if [[ "$pacemaker_status" == "active" ]]; then - # We copy the certificate from the mount point to the desired - # path - docker exec "$HAPROXY_CONTAINER_ID" cp /var/lib/kolla/config_files/src-tls${cert_path} ${cert_path} - fi - docker kill --signal=HUP "$HAPROXY_CONTAINER_ID" - fi - fi - - - ControllerTLSDeployment: - type: OS::Heat::SoftwareDeployment - properties: - name: ControllerTLSDeployment - config: {get_resource: ControllerTLSConfig} - server: {get_param: server} - input_values: - cert_path: {get_param: DeployedSSLCertificatePath} - cert_chain_content: - list_join: - - '' - - - {get_param: SSLCertificate} - - {get_param: SSLIntermediateCertificate} - - {get_param: SSLKey} - -outputs: - deploy_stdout: - description: Deployment reference - value: {get_attr: [ControllerTLSDeployment, chain_md5sum]} - deployed_ssl_certificate_path: - description: The location that the TLS certificate was deployed to. - value: {get_param: DeployedSSLCertificatePath} - key_modulus_md5: - description: MD5 checksum of the Key SSL Modulus - value: {get_attr: [ControllerTLSDeployment, key_modulus]} - cert_modulus_md5: - description: MD5 checksum of the Certificate SSL Modulus - value: {get_attr: [ControllerTLSDeployment, cert_modulus]} diff --git a/sample-env-generator/README.rst b/sample-env-generator/README.rst index f9bbfaa5a0..21aed99a0c 100644 --- a/sample-env-generator/README.rst +++ b/sample-env-generator/README.rst @@ -38,7 +38,7 @@ Environment-specific: - **files**: The Heat templates containing the parameter definitions for the environment. Should be specified as a path relative to the root of the ``tripleo-heat-templates`` project. For example: - ``puppet/extraconfig/tls/tls-cert-inject.yaml:``. Each filename + ``puppet/extraconfig/tls/ca-inject.yaml:``. Each filename should be a YAML dictionary that contains a ``parameters`` entry. - **parameters**: There should be one ``parameters`` entry per file in the ``files`` section (see the example configuration below). diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 3b622f8276..bf799b216b 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -288,7 +288,6 @@ ANSIBLE_TASKS_YAMLS = [ HEAT_OUTPUTS_EXCLUSIONS = [ './puppet/extraconfig/tls/ca-inject.yaml', - './puppet/extraconfig/tls/tls-cert-inject.yaml', './deployed-server/deployed-server.yaml', './extraconfig/tasks/ssh/host_public_key.yaml', './extraconfig/pre_network/host_config_and_reboot.yaml'