You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
195 lines
8.6 KiB
195 lines
8.6 KiB
heat_template_version: wallaby |
|
|
|
description: > |
|
HAProxy deployment with TLS enabled, powered by certmonger |
|
|
|
parameters: |
|
ServiceData: |
|
default: {} |
|
description: Dictionary packing service data |
|
type: json |
|
ServiceNetMap: |
|
default: {} |
|
description: Mapping of service_name -> network name. Typically set |
|
via parameter_defaults in the resource registry. This |
|
mapping overrides those in ServiceNetMapDefaults. |
|
type: json |
|
RoleName: |
|
default: '' |
|
description: Role name on which the service is applied |
|
type: string |
|
RoleParameters: |
|
default: {} |
|
description: Parameters specific to the role |
|
type: json |
|
EndpointMap: |
|
default: {} |
|
description: Mapping of service endpoint -> protocol. Typically set |
|
via parameter_defaults in the resource registry. |
|
type: json |
|
HAProxyInternalTLSCertsDirectory: |
|
default: '/etc/pki/tls/certs/haproxy' |
|
type: string |
|
HAProxyInternalTLSKeysDirectory: |
|
default: '/etc/pki/tls/private/haproxy' |
|
type: string |
|
DeployedSSLCertificatePath: |
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem' |
|
description: > |
|
The filepath of the certificate as it will be stored in the controller. |
|
type: string |
|
CertificateKeySize: |
|
type: string |
|
default: '2048' |
|
description: Specifies the private key size used when creating the |
|
certificate. |
|
HAProxyCertificateKeySize: |
|
type: string |
|
default: '' |
|
description: Override the private key size used when creating the |
|
certificate for this service |
|
CertmongerCA: |
|
type: string |
|
default: '' |
|
description: CA to use for certmonger |
|
HAProxyCertificateDNSNames: |
|
type: comma_delimited_list |
|
default: [] |
|
description: Override the default HAProxy Certificate DNS Names |
|
HAProxyCertificatePrincipal: |
|
type: string |
|
default: '' |
|
description: Override the default HAProxy Certificate Principal |
|
|
|
conditions: |
|
|
|
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} |
|
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}} |
|
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}} |
|
|
|
outputs: |
|
role_data: |
|
description: Role data for the HAProxy public TLS via certmonger role. |
|
value: |
|
service_name: haproxy_public_tls_certmonger |
|
config_settings: |
|
tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} |
|
certificates_specs: |
|
haproxy-external: |
|
service_pem: {get_param: DeployedSSLCertificatePath} |
|
metadata_settings: |
|
- service: haproxy |
|
network: {get_param: [ServiceNetMap, PublicNetwork]} |
|
type: vip |
|
deploy_steps_tasks: |
|
- name: Certificate generation |
|
when: step|int == 1 |
|
vars: |
|
certmonger_ca: {get_param: CertmongerCA} |
|
block: |
|
- name: make sure certmonger is installed |
|
package: |
|
name: certmonger |
|
state: present |
|
- name: make sure certmonger service is started |
|
systemd: |
|
state: started |
|
enabled: true |
|
masked: false |
|
name: certmonger.service |
|
- name: Create dirs for certificates and keys |
|
file: |
|
path: "{{ item }}" |
|
state: directory |
|
serole: object_r |
|
setype: cert_t |
|
seuser: system_u |
|
with_items: |
|
- {get_param: HAProxyInternalTLSCertsDirectory} |
|
- {get_param: HAProxyInternalTLSKeysDirectory} |
|
- name: Extract and trust certmonger's local CA |
|
shell: | |
|
set -e |
|
ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem' |
|
openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:'' |
|
chmod 0644 ${ca_pem} |
|
update-ca-trust extract |
|
test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem} |
|
retries: 5 |
|
delay: 1 |
|
until: result.rc == 0 |
|
when: certmonger_ca != 'IPA' and (ipa_realm is not defined) |
|
- include_role: |
|
name: linux-system-roles.certificate |
|
vars: |
|
certificate_requests: |
|
- name: haproxy-external-cert |
|
dns: |
|
if: |
|
- dnsnames_override_set |
|
- {get_param: HAProxyCertificateDNSNames} |
|
- str_replace: |
|
template: "{{cloud_names.cloud_name_NETWORK}}" |
|
params: |
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} |
|
ip: |
|
if: |
|
- dnsnames_override_set |
|
- str_replace: |
|
template: "{{DNSNAMES|ipaddr}}" |
|
params: |
|
DNSNAMES: {get_param: HAProxyCertificateDNSNames} |
|
- str_replace: |
|
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}" |
|
params: |
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} |
|
principal: |
|
if: |
|
- principal_override_set |
|
- {get_param: HAProxyCertificatePrincipal} |
|
- str_replace: |
|
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}" |
|
params: |
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} |
|
run_after: |
|
str_replace: |
|
template: | |
|
# Copy crt and key for backward compatibility |
|
cp "/etc/pki/tls/certs/haproxy-external-cert.crt" "CERTSDIR/overcloud-haproxy-external.crt" |
|
cp "/etc/pki/tls/private/haproxy-external-cert.key" "KEYSDIR/overcloud-haproxy-external.key" |
|
|
|
ca_path="/etc/ipa/ca.crt" |
|
service_crt="CERTSDIR/overcloud-haproxy-external.crt" |
|
service_key="KEYSDIR/overcloud-haproxy-external.key" |
|
service_pem="PEMPATH" |
|
|
|
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem" |
|
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?') |
|
# Inject the new pem into the running container |
|
if echo "$container_name" | grep -q "^haproxy-bundle"; then |
|
# lp#1917868: Do not use podman cp with HA containers as they get |
|
# frozen temporarily and that can make pacemaker operation fail. |
|
tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv |
|
# no need to update the mount point, because pacemaker |
|
# recreates the container when it's restarted |
|
else |
|
# Refresh the pem at the mount-point |
|
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem" |
|
# Copy the new pem from the mount-point to the real path |
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem" |
|
fi |
|
# Set appropriate permissions |
|
{{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem" |
|
# Trigger a reload for HAProxy to read the new certificates |
|
{{container_cli}} kill --signal HUP "$container_name" |
|
params: |
|
CERTSDIR: {get_param: HAProxyInternalTLSCertsDirectory} |
|
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory} |
|
PEMPATH: {get_param: DeployedSSLCertificatePath} |
|
key_size: |
|
if: |
|
- key_size_override_unset |
|
- {get_param: CertificateKeySize} |
|
- {get_param: HAProxyCertificateKeySize} |
|
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
|
|
|