927495fe3d
The new master branch should point now to queens instead of pike. So, HOT templates should specify that they might contain features for queens release [1] [1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
107 lines
3.4 KiB
YAML
107 lines
3.4 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
This is a template which will build the TLS Certificates necessary
|
|
for the load balancer using the given parameters.
|
|
|
|
parameters:
|
|
# Can be overridden via parameter_defaults in the environment
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
SSLIntermediateCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of an SSL intermediate CA certificate in PEM format.
|
|
type: string
|
|
SSLKey:
|
|
description: >
|
|
The content of the SSL Key in PEM format.
|
|
type: string
|
|
hidden: true
|
|
|
|
# Can be overridden by parameter_defaults if the user wants to try deploying
|
|
# this in a distro that doesn't support this path.
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
|
|
# Passed in by the controller
|
|
NodeIndex:
|
|
default: 0
|
|
type: number
|
|
server:
|
|
description: ID of the controller node to apply this config to
|
|
type: string
|
|
|
|
resources:
|
|
ControllerTLSConfig:
|
|
type: OS::Heat::SoftwareConfig
|
|
properties:
|
|
group: script
|
|
inputs:
|
|
- name: cert_path
|
|
- name: cert_chain_content
|
|
outputs:
|
|
- name: chain_md5sum
|
|
- name: cert_modulus
|
|
- name: key_modulus
|
|
config: |
|
|
#!/bin/sh
|
|
# If the HAProxy container tried to load this, it'll be a directory and
|
|
# will make this fail.
|
|
if [ -d ${cert_path} ]; then
|
|
rm -rf ${cert_path}
|
|
fi
|
|
cat > ${cert_path} << EOF
|
|
${cert_chain_content}
|
|
EOF
|
|
chmod 0440 ${cert_path}
|
|
chown root:haproxy ${cert_path}
|
|
md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
|
|
openssl x509 -noout -modulus -in ${cert_path} \
|
|
| openssl md5 | cut -c 10- \
|
|
> ${heat_outputs_path}.cert_modulus
|
|
openssl rsa -noout -modulus -in ${cert_path} \
|
|
| openssl md5 | cut -c 10- \
|
|
> ${heat_outputs_path}.key_modulus
|
|
# We need to reload haproxy in case the certificate changed because
|
|
# puppet doesn't know the contents of the cert file.
|
|
haproxy_status=$(systemctl is-active haproxy)
|
|
if [ "$haproxy_status" = "active" ]; then
|
|
systemctl reload haproxy
|
|
fi
|
|
|
|
ControllerTLSDeployment:
|
|
type: OS::Heat::SoftwareDeployment
|
|
properties:
|
|
name: ControllerTLSDeployment
|
|
config: {get_resource: ControllerTLSConfig}
|
|
server: {get_param: server}
|
|
input_values:
|
|
cert_path: {get_param: DeployedSSLCertificatePath}
|
|
cert_chain_content:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: SSLCertificate}
|
|
- {get_param: SSLIntermediateCertificate}
|
|
- {get_param: SSLKey}
|
|
|
|
outputs:
|
|
deploy_stdout:
|
|
description: Deployment reference
|
|
value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
|
|
deployed_ssl_certificate_path:
|
|
description: The location that the TLS certificate was deployed to.
|
|
value: {get_param: DeployedSSLCertificatePath}
|
|
key_modulus_md5:
|
|
description: MD5 checksum of the Key SSL Modulus
|
|
value: {get_attr: [ControllerTLSDeployment, key_modulus]}
|
|
cert_modulus_md5:
|
|
description: MD5 checksum of the Certificate SSL Modulus
|
|
value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
|