Autodiscover SSL cert after uc upgrade
SSL is enabled on uc by default starting from R, so the ssl cert path is resolved as follows: 1. If undercloud_service_certificate is configured in undercloud.conf, use it. 2. Check whether generate_service_certificate is specified and set to 'true' in undercloud.conf, or is not present in undercloud.conf (defaults to 'true'). 3. Find the autogenerated file of the form /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem. Change-Id: I014474001882874d84c4a60f35bd33db77baf55a
This commit is contained in:
parent
59e3d8b1b2
commit
96b4bec38d
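--- a/PATH_NOT_IN_PAGE
+++ b/PATH_NOT_IN_PAGE
@@ -19,16 +19,62 @@
 ignore_errors: True
 
 - block:
-- name: register ssl certificate location
+#
+# SSL is enabled on uc by default, so here is a way how ssl cert path is resolved
+# 1. If undercloud_service_certificate configured in undercloud.conf
+# use it
+# 2. Check if generate_service_certificate is specified and set to 'true' in undercloud.conf
+# or not present in undercloud.conf (defaults to 'true')
+# 3. Find autogenerated file in format: /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
+#
+- name: get ssl certificate location from undercloud.conf
 shell: |
-grep 13000 /etc/haproxy/haproxy.cfg | awk {'print $6'}
-become: true
-become_user: root
-register: undercloudcert
+awk -F '=' '/^[[:space:]]*undercloud_service_certificate/ {gsub(/[[:space:]]/, "", $2); print $2}' {{ undercloud_conf }}
+register: uc_undercloud_service_certificate
+changed_when: uc_undercloud_service_certificate.stdout|length > 0
+
+- name: get generate_service_certificate option from undercloud.conf
+shell: |
+awk -F '=' '/^[[:space:]]*generate_service_certificate/ {gsub(/[[:space:]]/, "", $2) ; print tolower($2)}' {{ undercloud_conf}}
+register: uc_generate_service_certificate
+changed_when: uc_generate_service_certificate.stdout|length > 0
+
+- name: get undercloud_public_host option from undercloud.conf
+shell: |
+awk -F '=' '/^[[:space:]]*undercloud_public_host/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
+register: uc_undercloud_public_host
+changed_when: uc_undercloud_public_host.stdout|length > 0
+
+- name: get undercloud_public_vip option from undercloud.conf
+# undercloud_public_vip is deprecated name of undercloud_public_host
+shell: |
+awk -F '=' '/^[[:space:]]*undercloud_public_vip/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
+register: uc_undercloud_public_vip
+changed_when: uc_undercloud_public_vip.stdout|length > 0
+
+- name: find autogenerated SSL cert
+vars:
+uc_ssl_part: "{{ uc_undercloud_public_host.stdout if uc_undercloud_public_host.stdout|length > 0 else uc_undercloud_public_vip.stdout }}"
+find:
+path: /etc/pki/tls/certs/
+patterns: 'undercloud-{{uc_ssl_part}}*.pem$'
+use_regex: true
+register: autogenerated_ssl_cert
+
+- name: fail if SSL cert for undercloud not found
+fail:
+msg: cannot determine SSL cert for undercloud
+when:
+- uc_undercloud_service_certificate.stdout|length == 0
+- autogenerated_ssl_cert.files|length == 0
+
+- name: set undercloud ssl cert fact
+set_fact:
+undercloud_cert: "{{ uc_undercloud_service_certificate.stdout if uc_undercloud_service_certificate.stdout else autogenerated_ssl_cert.files[0].path }}"
+
 - name: make a local copy of the certificate
 copy:
-src: "{{ undercloudcert.stdout }}"
+src: "{{ undercloud_cert }}"
 dest: "{{ working_dir }}/undercloud.pem"
 owner: stack
 remote_src: true
 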
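Review bot: The pattern in the new `find autogenerated SSL cert` task, `'undercloud-{{uc_ssl_part}}*.pem$'` together with `use_regex: true`, is evaluated as a regular expression, so `*` repeats only the last character of the host, `.` matches any character and nothing anchors the start, which lets it match a file other than the generated `undercloud-<host>.pem` (and, when neither host option is set, nearly any `*pem` name); the later `set_fact` then takes `files[0]`, i.e. whichever match `find` happened to list first. Either drop `use_regex` and use the glob form, or anchor and escape the host: `patterns: '^undercloud-{{ uc_ssl_part | regex_escape }}.*\.pem$'`. The four `shell` tasks also interpolate `{{ undercloud_conf }}` unquoted into the awk command line, so a path containing whitespace or shell metacharacters changes what the shell executes; writing it as `"{{ undercloud_conf }}"` keeps it a single argument. Those tasks only read the file, so `changed_when: false` is the accurate report rather than `stdout|length > 0`, and `uc_generate_service_certificate` is registered but never consulted even though the header comment lists it as step 2 of the resolution. The enclosing `block:` begins in the hunk but may continue past its last line.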