Autodiscover SSL cert after uc upgrade
SSL is enabled on uc by default starting from R,
so here is how the ssl cert path is resolved:
1. If undercloud_service_certificate configured in undercloud.conf
use it
2. Check if generate_service_certificate is specified and
set to 'true' in undercloud.conf, or not present in undercloud.conf
(defaults to 'true')
3. Find autogenerated file in format:
/etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
Change-Id: I014474001882874d84c4a60f35bd33db77baf55a
(cherry picked from commit 96b4bec38d
)
parent
92a77495e7
commit
2d32930020
|
@ -18,16 +18,62 @@
|
|||
ignore_errors: true
|
||||
|
||||
- block:
|
||||
- name: register ssl certificate location
|
||||
#
|
||||
# SSL is enabled on uc by default, so here is a way how ssl cert path is resolved
|
||||
# 1. If undercloud_service_certificate configured in undercloud.conf
|
||||
# use it
|
||||
# 2. Check if generate_service_certificate is specified and set to 'true' in undercloud.conf
|
||||
# or not present in undercloud.conf (defaults to 'true')
|
||||
# 3. Find autogenerated file in format: /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
|
||||
#
|
||||
- name: get ssl certificate location from undercloud.conf
|
||||
shell: |
|
||||
grep 13000 /etc/haproxy/haproxy.cfg | awk {'print $6'}
|
||||
become: true
|
||||
become_user: root
|
||||
register: undercloudcert
|
||||
awk -F '=' '/^[[:space:]]*undercloud_service_certificate/ {gsub(/[[:space:]]/, "", $2); print $2}' {{ undercloud_conf }}
|
||||
register: uc_undercloud_service_certificate
|
||||
changed_when: uc_undercloud_service_certificate.stdout|length > 0
|
||||
|
||||
- name: get generate_service_certificate option from undercloud.conf
|
||||
shell: |
|
||||
awk -F '=' '/^[[:space:]]*generate_service_certificate/ {gsub(/[[:space:]]/, "", $2) ; print tolower($2)}' {{ undercloud_conf}}
|
||||
register: uc_generate_service_certificate
|
||||
changed_when: uc_generate_service_certificate.stdout|length > 0
|
||||
|
||||
- name: get undercloud_public_host option from undercloud.conf
|
||||
shell: |
|
||||
awk -F '=' '/^[[:space:]]*undercloud_public_host/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
|
||||
register: uc_undercloud_public_host
|
||||
changed_when: uc_undercloud_public_host.stdout|length > 0
|
||||
|
||||
- name: get undercloud_public_vip option from undercloud.conf
|
||||
# undercloud_public_vip is deprecated name of undercloud_public_host
|
||||
shell: |
|
||||
awk -F '=' '/^[[:space:]]*undercloud_public_vip/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
|
||||
register: uc_undercloud_public_vip
|
||||
changed_when: uc_undercloud_public_vip.stdout|length > 0
|
||||
|
||||
- name: find autogenerated SSL cert
|
||||
vars:
|
||||
uc_ssl_part: "{{ uc_undercloud_public_host.stdout if uc_undercloud_public_host.stdout|length > 0 else uc_undercloud_public_vip.stdout }}"
|
||||
find:
|
||||
path: /etc/pki/tls/certs/
|
||||
patterns: 'undercloud-{{uc_ssl_part}}*.pem$'
|
||||
use_regex: true
|
||||
register: autogenerated_ssl_cert
|
||||
|
||||
- name: fail if SSL cert for undercloud not found
|
||||
fail:
|
||||
msg: cannot determine SSL cert for undercloud
|
||||
when:
|
||||
- uc_undercloud_service_certificate.stdout|length == 0
|
||||
- autogenerated_ssl_cert.files|length == 0
|
||||
|
||||
- name: set undercloud ssl cert fact
|
||||
set_fact:
|
||||
undercloud_cert: "{{ uc_undercloud_service_certificate.stdout if uc_undercloud_service_certificate.stdout else autogenerated_ssl_cert.files[0].path }}"
|
||||
|
||||
- name: make a local copy of the certificate
|
||||
copy:
|
||||
src: "{{ undercloudcert.stdout }}"
|
||||
src: "{{ undercloud_cert }}"
|
||||
dest: "{{ working_dir }}/undercloud.pem"
|
||||
owner: stack
|
||||
remote_src: true
|
||||
|
|
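Review bot: With `use_regex: true` the `patterns` value in "find autogenerated SSL cert" is a regular expression, but the host read from undercloud.conf is interpolated unescaped and followed by a glob-style `*`, so each dot in an address matches any character and `*` only repeats the host's last character. More than one file under /etc/pki/tls/certs/ can therefore match, and `autogenerated_ssl_cert.files[0].path` takes whichever is listed first as the certificate copied to `undercloud.pem`. Escaping and anchoring the name, `patterns: '^undercloud-{{ uc_ssl_part | regex_escape }}\.pem$'`, and failing unless exactly one file matches would make sure the intended certificate is the one copied. `uc_generate_service_certificate` is registered but not read by any task visible in this hunk, so step 2 of the header comment appears to be unimplemented. The enclosing `block` opens on a context line and may continue outside the hunk.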