3c6ec654b4
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
101 lines
3.2 KiB
YAML
101 lines
3.2 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: >
|
|
This is a template which will build the TLS Certificates necessary
|
|
for the load balancer using the given parameters.
|
|
|
|
parameters:
|
|
# Can be overridden via parameter_defaults in the environment
|
|
SSLCertificate:
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
SSLIntermediateCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of an SSL intermediate CA certificate in PEM format.
|
|
type: string
|
|
SSLKey:
|
|
description: >
|
|
The content of the SSL Key in PEM format.
|
|
type: string
|
|
hidden: true
|
|
|
|
# Can be overridden by parameter_defaults if the user wants to try deploying
|
|
# this in a distro that doesn't support this path.
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
|
|
# Passed in by the controller
|
|
NodeIndex:
|
|
default: 0
|
|
type: number
|
|
server:
|
|
description: ID of the controller node to apply this config to
|
|
type: string
|
|
|
|
resources:
|
|
ControllerTLSConfig:
|
|
type: OS::Heat::SoftwareConfig
|
|
properties:
|
|
group: script
|
|
inputs:
|
|
- name: cert_path
|
|
- name: cert_chain_content
|
|
outputs:
|
|
- name: chain_md5sum
|
|
- name: cert_modulus
|
|
- name: key_modulus
|
|
config: |
|
|
#!/bin/sh
|
|
cat > ${cert_path} << EOF
|
|
${cert_chain_content}
|
|
EOF
|
|
chmod 0440 ${cert_path}
|
|
chown root:haproxy ${cert_path}
|
|
md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
|
|
openssl x509 -noout -modulus -in ${cert_path} \
|
|
| openssl md5 | cut -c 10- \
|
|
> ${heat_outputs_path}.cert_modulus
|
|
openssl rsa -noout -modulus -in ${cert_path} \
|
|
| openssl md5 | cut -c 10- \
|
|
> ${heat_outputs_path}.key_modulus
|
|
# We need to reload haproxy in case the certificate changed because
|
|
# puppet doesn't know the contents of the cert file.
|
|
haproxy_status=$(systemctl is-active haproxy)
|
|
if [ "$haproxy_status" = "active" ]; then
|
|
systemctl reload haproxy
|
|
fi
|
|
|
|
ControllerTLSDeployment:
|
|
type: OS::Heat::SoftwareDeployment
|
|
properties:
|
|
name: ControllerTLSDeployment
|
|
config: {get_resource: ControllerTLSConfig}
|
|
server: {get_param: server}
|
|
input_values:
|
|
cert_path: {get_param: DeployedSSLCertificatePath}
|
|
cert_chain_content:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: SSLCertificate}
|
|
- {get_param: SSLIntermediateCertificate}
|
|
- {get_param: SSLKey}
|
|
|
|
outputs:
|
|
deploy_stdout:
|
|
description: Deployment reference
|
|
value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
|
|
deployed_ssl_certificate_path:
|
|
description: The location that the TLS certificate was deployed to.
|
|
value: {get_param: DeployedSSLCertificatePath}
|
|
key_modulus_md5:
|
|
description: MD5 checksum of the Key SSL Modulus
|
|
value: {get_attr: [ControllerTLSDeployment, key_modulus]}
|
|
cert_modulus_md5:
|
|
description: MD5 checksum of the Certificate SSL Modulus
|
|
value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
|