Heat templates for deploying OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

195 lines
8.6 KiB

heat_template_version: wallaby
description: >
HAProxy deployment with TLS enabled, powered by certmonger
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
HAProxyInternalTLSCertsDirectory:
default: '/etc/pki/tls/certs/haproxy'
type: string
HAProxyInternalTLSKeysDirectory:
default: '/etc/pki/tls/private/haproxy'
type: string
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
CertmongerCA:
type: string
default: ''
description: CA to use for certmonger
HAProxyCertificateDNSNames:
type: comma_delimited_list
default: []
description: Override the default HAProxy Certificate DNS Names
HAProxyCertificatePrincipal:
type: string
default: ''
description: Override the default HAProxy Certificate Principal
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}}
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}}
outputs:
role_data:
description: Role data for the HAProxy public TLS via certmonger role.
value:
service_name: haproxy_public_tls_certmonger
config_settings:
tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
certificates_specs:
haproxy-external:
service_pem: {get_param: DeployedSSLCertificatePath}
metadata_settings:
- service: haproxy
network: {get_param: [ServiceNetMap, PublicNetwork]}
type: vip
deploy_steps_tasks:
- name: Certificate generation
when: step|int == 1
vars:
certmonger_ca: {get_param: CertmongerCA}
block:
- name: make sure certmonger is installed
package:
name: certmonger
state: present
- name: make sure certmonger service is started
systemd:
state: started
enabled: true
masked: false
name: certmonger.service
- name: Create dirs for certificates and keys
file:
path: "{{ item }}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- {get_param: HAProxyInternalTLSCertsDirectory}
- {get_param: HAProxyInternalTLSKeysDirectory}
- name: Extract and trust certmonger's local CA
shell: |
set -e
ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
chmod 0644 ${ca_pem}
update-ca-trust extract
test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
retries: 5
delay: 1
until: result.rc == 0
when: certmonger_ca != 'IPA' and (ipa_realm is not defined)
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: haproxy-external-cert
dns:
if:
- dnsnames_override_set
- {get_param: HAProxyCertificateDNSNames}
- str_replace:
template: "{{cloud_names.cloud_name_NETWORK}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
ip:
if:
- dnsnames_override_set
- str_replace:
template: "{{DNSNAMES|ipaddr}}"
params:
DNSNAMES: {get_param: HAProxyCertificateDNSNames}
- str_replace:
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
principal:
if:
- principal_override_set
- {get_param: HAProxyCertificatePrincipal}
- str_replace:
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
run_after:
str_replace:
template: |
# Copy crt and key for backward compatibility
cp "/etc/pki/tls/certs/haproxy-external-cert.crt" "CERTSDIR/overcloud-haproxy-external.crt"
cp "/etc/pki/tls/private/haproxy-external-cert.key" "KEYSDIR/overcloud-haproxy-external.key"
ca_path="/etc/ipa/ca.crt"
service_crt="CERTSDIR/overcloud-haproxy-external.crt"
service_key="KEYSDIR/overcloud-haproxy-external.key"
service_pem="PEMPATH"
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
# Inject the new pem into the running container
if echo "$container_name" | grep -q "^haproxy-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the pem at the mount-point
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
# Copy the new pem from the mount-point to the real path
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
fi
# Set appropriate permissions
{{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
# Trigger a reload for HAProxy to read the new certificates
{{container_cli}} kill --signal HUP "$container_name"
params:
CERTSDIR: {get_param: HAProxyInternalTLSCertsDirectory}
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory}
PEMPATH: {get_param: DeployedSSLCertificatePath}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"