Include local CA in haproxy PEM
In order for the browser to trust the certificate served by HAProxy
we need to include the CA cert in the PEM file that the endpoints
serve.
Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
Closes-Bug: #1639807
(cherry picked from commit ffd7040a6d
)
This commit is contained in:
parent
eed662fbcf
commit
57c4a52644
|
@ -36,6 +36,10 @@
|
|||
# The post-save-command that certmonger will use once it renews the
|
||||
# certificate.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*principal*]
|
||||
# The haproxy service principal that is set for HAProxy in kerberos.
|
||||
#
|
||||
|
@ -45,7 +49,8 @@ define tripleo::certmonger::haproxy (
|
|||
$service_key,
|
||||
$hostname,
|
||||
$postsave_cmd,
|
||||
$principal = undef,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$principal = undef,
|
||||
){
|
||||
include ::haproxy::params
|
||||
certmonger_certificate { "${title}-cert":
|
||||
|
@ -69,10 +74,21 @@ define tripleo::certmonger::haproxy (
|
|||
order => '01',
|
||||
require => Certmonger_certificate["${title}-cert"],
|
||||
}
|
||||
|
||||
if $certmonger_ca == 'local' {
|
||||
$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
|
||||
concat::fragment { "${title}-ca-fragment":
|
||||
target => $service_pem,
|
||||
source => $ca_pem,
|
||||
order => '10',
|
||||
require => Class['tripleo::certmonger::ca::local'],
|
||||
}
|
||||
}
|
||||
|
||||
concat::fragment { "${title}-key-fragment":
|
||||
target => $service_pem,
|
||||
source => $service_key,
|
||||
order => 10,
|
||||
order => 20,
|
||||
require => Certmonger_certificate["${title}-cert"],
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue