Autodiscover SSL cert after uc upgrade

SSL is enabled on uc by default starting from R,
so this is how the ssl cert path is resolved:
  1. If undercloud_service_certificate configured in undercloud.conf
      use it
  2. Check if generate_service_certificate is specified and
      set to 'true' in undercloud.conf, or not present in undercloud.conf
     (defaults to 'true')
  3. Find autogenerated file in format:
     /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem

Change-Id: I014474001882874d84c4a60f35bd33db77baf55a
(cherry picked from commit 96b4bec38d)
Yurii Prokulevych 2018-12-03 16:05:26 +01:00 committed by Lukas Bezdicka
parent 92a77495e7
commit 2d32930020
1 changed files with 52 additions and 6 deletions


@ -18,16 +18,62 @@
ignore_errors: true
- block:
- name: register ssl certificate location
#
# SSL is enabled on uc by default, so here is a way how ssl cert path is resolved
# 1. If undercloud_service_certificate configured in undercloud.conf
# use it
# 2. Check if generate_service_certificate is specified and set to 'true' in undercloud.conf
# or not present in undercloud.conf (defaults to 'true')
# 3. Find autogenerated file in format: /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
#
- name: get ssl certificate location from undercloud.conf
shell: |
grep 13000 /etc/haproxy/haproxy.cfg | awk {'print $6'}
become: true
become_user: root
register: undercloudcert
awk -F '=' '/^[[:space:]]*undercloud_service_certificate/ {gsub(/[[:space:]]/, "", $2); print $2}' {{ undercloud_conf }}
register: uc_undercloud_service_certificate
changed_when: uc_undercloud_service_certificate.stdout|length > 0
- name: get generate_service_certificate option from undercloud.conf
shell: |
awk -F '=' '/^[[:space:]]*generate_service_certificate/ {gsub(/[[:space:]]/, "", $2) ; print tolower($2)}' {{ undercloud_conf}}
register: uc_generate_service_certificate
changed_when: uc_generate_service_certificate.stdout|length > 0
- name: get undercloud_public_host option from undercloud.conf
shell: |
awk -F '=' '/^[[:space:]]*undercloud_public_host/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
register: uc_undercloud_public_host
changed_when: uc_undercloud_public_host.stdout|length > 0
- name: get undercloud_public_vip option from undercloud.conf
# undercloud_public_vip is deprecated name of undercloud_public_host
shell: |
awk -F '=' '/^[[:space:]]*undercloud_public_vip/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
register: uc_undercloud_public_vip
changed_when: uc_undercloud_public_vip.stdout|length > 0
- name: find autogenerated SSL cert
vars:
uc_ssl_part: "{{ uc_undercloud_public_host.stdout if uc_undercloud_public_host.stdout|length > 0 else uc_undercloud_public_vip.stdout }}"
find:
path: /etc/pki/tls/certs/
patterns: 'undercloud-{{uc_ssl_part}}*.pem$'
use_regex: true
register: autogenerated_ssl_cert
- name: fail if SSL cert for undercloud not found
fail:
msg: cannot determine SSL cert for undercloud
when:
- uc_undercloud_service_certificate.stdout|length == 0
- autogenerated_ssl_cert.files|length == 0
- name: set undercloud ssl cert fact
set_fact:
undercloud_cert: "{{ uc_undercloud_service_certificate.stdout if uc_undercloud_service_certificate.stdout else autogenerated_ssl_cert.files[0].path }}"
- name: make a local copy of the certificate
copy:
src: "{{ undercloudcert.stdout }}"
src: "{{ undercloud_cert }}"
dest: "{{ working_dir }}/undercloud.pem"
owner: stack
remote_src: true
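Review bot: The `find autogenerated SSL cert` task builds a regex from unescaped config text: in `patterns: 'undercloud-{{uc_ssl_part}}*.pem$'` with `use_regex: true`, the `*` quantifies the last character of the host value and every `.` in it matches any character, so files other than `undercloud-<host>.pem` can match, and `autogenerated_ssl_cert.files[0].path` then takes whichever match is listed first. Because the selected file is copied to `{{ working_dir }}/undercloud.pem` as the undercloud certificate, the match should be exact, for example `patterns: '^undercloud-{{ uc_ssl_part | regex_escape }}\.pem$'`, and the fail task could also reject an ambiguous result by testing `autogenerated_ssl_cert.files|length != 1` instead of `== 0`. When neither `undercloud_public_host` nor `undercloud_public_vip` is set, `uc_ssl_part` is empty; an explicit check with its own message would be clearer than relying on the pattern not matching. `uc_generate_service_certificate` is registered but not referenced anywhere else in this hunk, so step 2 of the resolution described in the comment appears unenforced; either gate the find task on it with a `when:` or note why it is unused. The four awk lookups only read the config, so `changed_when: false` would describe them better than the stdout-length test.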