heat_template_version: wallaby description: > HAProxy deployment with TLS enabled, powered by certmonger parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json HAProxyInternalTLSCertsDirectory: default: '/etc/pki/tls/certs/haproxy' type: string HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string DeployedSSLCertificatePath: default: '/etc/pki/tls/private/overcloud_endpoint.pem' description: > The filepath of the certificate as it will be stored in the controller. type: string CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. HAProxyCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service CertmongerCA: type: string default: '' description: CA to use for certmonger HAProxyCertificateDNSNames: type: comma_delimited_list default: [] description: Override the default HAProxy Certificate DNS Names HAProxyCertificatePrincipal: type: string default: '' description: Override the default HAProxy Certificate Principal conditions: key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}} dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}} outputs: role_data: description: Role data for the HAProxy public TLS via certmonger role. value: service_name: haproxy_public_tls_certmonger config_settings: tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} certificates_specs: haproxy-external: service_pem: {get_param: DeployedSSLCertificatePath} metadata_settings: - service: haproxy network: {get_param: [ServiceNetMap, PublicNetwork]} type: vip deploy_steps_tasks: - name: Certificate generation when: step|int == 1 vars: certmonger_ca: {get_param: CertmongerCA} block: - name: make sure certmonger is installed package: name: certmonger state: present - name: make sure certmonger service is started systemd: state: started enabled: true masked: false name: certmonger.service - name: Create dirs for certificates and keys file: path: "{{ item }}" state: directory serole: object_r setype: cert_t seuser: system_u with_items: - {get_param: HAProxyInternalTLSCertsDirectory} - {get_param: HAProxyInternalTLSKeysDirectory} - name: Extract and trust certmonger's local CA shell: | set -e ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem' openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:'' chmod 0644 ${ca_pem} update-ca-trust extract test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem} retries: 5 delay: 1 until: result.rc == 0 when: certmonger_ca != 'IPA' and (ipa_realm is not defined) - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: haproxy-external-cert dns: if: - dnsnames_override_set - {get_param: HAProxyCertificateDNSNames} - str_replace: template: "{{cloud_names.cloud_name_NETWORK}}" params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} ip: if: - dnsnames_override_set - str_replace: template: "{{DNSNAMES|ipaddr}}" params: DNSNAMES: {get_param: HAProxyCertificateDNSNames} - str_replace: template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}" params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} principal: if: - principal_override_set - {get_param: HAProxyCertificatePrincipal} - str_replace: template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}" params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} run_after: str_replace: template: | # Copy crt and key for backward compatibility cp "/etc/pki/tls/certs/haproxy-external-cert.crt" "CERTSDIR/overcloud-haproxy-external.crt" cp "/etc/pki/tls/private/haproxy-external-cert.key" "KEYSDIR/overcloud-haproxy-external.key" ca_path="/etc/ipa/ca.crt" service_crt="CERTSDIR/overcloud-haproxy-external.crt" service_key="KEYSDIR/overcloud-haproxy-external.key" service_pem="PEMPATH" cat "$service_crt" "$ca_path" "$service_key" > "$service_pem" container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?') # Inject the new pem into the running container if echo "$container_name" | grep -q "^haproxy-bundle"; then # lp#1917868: Do not use podman cp with HA containers as they get # frozen temporarily and that can make pacemaker operation fail. tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv # no need to update the mount point, because pacemaker # recreates the container when it's restarted else # Refresh the pem at the mount-point {{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem" # Copy the new pem from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem" fi # Set appropriate permissions {{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem" # Trigger a reload for HAProxy to read the new certificates {{container_cli}} kill --signal HUP "$container_name" params: CERTSDIR: {get_param: HAProxyInternalTLSCertsDirectory} KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory} PEMPATH: {get_param: DeployedSSLCertificatePath} key_size: if: - key_size_override_unset - {get_param: CertificateKeySize} - {get_param: HAProxyCertificateKeySize} ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"