b253d564f7
This simplifies the ServiceNetMap/VipSubnetMap interfaces to use parameter merge strategy and removes the *Defaults interfaces. Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
197 lines
8.7 KiB
YAML
197 lines
8.7 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
HAProxy deployment with TLS enabled, powered by certmonger
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
HAProxyInternalTLSCertsDirectory:
|
|
default: '/etc/pki/tls/certs/haproxy'
|
|
type: string
|
|
HAProxyInternalTLSKeysDirectory:
|
|
default: '/etc/pki/tls/private/haproxy'
|
|
type: string
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
HAProxyCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
CertmongerCA:
|
|
type: string
|
|
default: ''
|
|
description: CA to use for certmonger
|
|
HAProxyCertificateDNSNames:
|
|
type: comma_delimited_list
|
|
default: []
|
|
description: Override the default HAProxy Certificate DNS Names
|
|
HAProxyCertificatePrincipal:
|
|
type: string
|
|
default: ''
|
|
description: Override the default HAProxy Certificate Principal
|
|
|
|
conditions:
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
|
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}}
|
|
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAProxy public TLS via certmonger role.
|
|
value:
|
|
service_name: haproxy_public_tls_certmonger
|
|
config_settings:
|
|
tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
|
certificates_specs:
|
|
haproxy-external:
|
|
service_pem: {get_param: DeployedSSLCertificatePath}
|
|
metadata_settings:
|
|
- service: haproxy
|
|
network: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
type: vip
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when: step|int == 1
|
|
vars:
|
|
certmonger_ca: {get_param: CertmongerCA}
|
|
block:
|
|
- name: make sure certmonger is installed
|
|
package:
|
|
name: certmonger
|
|
state: present
|
|
- name: make sure certmonger service is started
|
|
systemd:
|
|
state: started
|
|
enabled: true
|
|
masked: false
|
|
name: certmonger.service
|
|
- name: Create dirs for certificates and keys
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
serole: object_r
|
|
setype: cert_t
|
|
seuser: system_u
|
|
with_items:
|
|
- {get_param: HAProxyInternalTLSCertsDirectory}
|
|
- {get_param: HAProxyInternalTLSKeysDirectory}
|
|
- name: Extract and trust certmonger's local CA
|
|
shell: |
|
|
set -e
|
|
ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
|
openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
|
|
chmod 0644 ${ca_pem}
|
|
update-ca-trust extract
|
|
test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
|
|
retries: 5
|
|
delay: 1
|
|
register: local_ca_extract_result
|
|
until: local_ca_extract_result.rc == 0
|
|
when: certmonger_ca != 'IPA' and (ipa_realm is not defined)
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
- name: haproxy-external-cert
|
|
dns:
|
|
if:
|
|
- dnsnames_override_set
|
|
- {get_param: HAProxyCertificateDNSNames}
|
|
- str_replace:
|
|
template: "{{cloud_names.cloud_name_NETWORK}}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
ip:
|
|
if:
|
|
- dnsnames_override_set
|
|
- str_replace:
|
|
template: "{{DNSNAMES|ipaddr}}"
|
|
params:
|
|
DNSNAMES: {get_param: HAProxyCertificateDNSNames}
|
|
- str_replace:
|
|
template: "{{[cloud_names.cloud_name_NETWORK]|ipaddr}}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
principal:
|
|
if:
|
|
- principal_override_set
|
|
- {get_param: HAProxyCertificatePrincipal}
|
|
- str_replace:
|
|
template: "haproxy/{{cloud_names.cloud_name_NETWORK}}@{{idm_realm|default('UNDERCLOUD')}}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
run_after:
|
|
str_replace:
|
|
template: |
|
|
# Copy crt and key for backward compatibility
|
|
cp "/etc/pki/tls/certs/haproxy-external-cert.crt" "CERTSDIR/overcloud-haproxy-external.crt"
|
|
cp "/etc/pki/tls/private/haproxy-external-cert.key" "KEYSDIR/overcloud-haproxy-external.key"
|
|
|
|
ca_path="/etc/ipa/ca.crt"
|
|
service_crt="CERTSDIR/overcloud-haproxy-external.crt"
|
|
service_key="KEYSDIR/overcloud-haproxy-external.key"
|
|
service_pem="PEMPATH"
|
|
|
|
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"
|
|
|
|
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
|
# Inject the new pem into the running container
|
|
if echo "$container_name" | grep -q "^haproxy-bundle"; then
|
|
# lp#1917868: Do not use podman cp with HA containers as they get
|
|
# frozen temporarily and that can make pacemaker operation fail.
|
|
tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
|
# no need to update the mount point, because pacemaker
|
|
# recreates the container when it's restarted
|
|
else
|
|
# Refresh the pem at the mount-point
|
|
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
|
# Copy the new pem from the mount-point to the real path
|
|
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
|
fi
|
|
# Set appropriate permissions
|
|
{{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
|
|
# Trigger a reload for HAProxy to read the new certificates
|
|
{{container_cli}} kill --signal HUP "$container_name"
|
|
params:
|
|
CERTSDIR: {get_param: HAProxyInternalTLSCertsDirectory}
|
|
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory}
|
|
PEMPATH: {get_param: DeployedSSLCertificatePath}
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: HAProxyCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
|