Include local CA in haproxy PEM

In order for the browser to trust the certificate served by HAProxy
we need to include the CA cert in the PEM file that the endpoints
serve.

Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
Closes-Bug: #1639807
(cherry picked from commit ffd7040a6d)
This commit is contained in:
Juan Antonio Osorio Robles 2016-11-08 09:05:12 +02:00 committed by Pradeep Kilambi
parent eed662fbcf
commit 57c4a52644
1 changed files with 18 additions and 2 deletions

View File

@ -36,6 +36,10 @@
# The post-save-command that certmonger will use once it renews the
# certificate.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
@ -45,7 +49,8 @@ define tripleo::certmonger::haproxy (
$service_key,
$hostname,
$postsave_cmd,
$principal = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
){
include ::haproxy::params
certmonger_certificate { "${title}-cert":
@ -69,10 +74,21 @@ define tripleo::certmonger::haproxy (
order => '01',
require => Certmonger_certificate["${title}-cert"],
}
if $certmonger_ca == 'local' {
$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
concat::fragment { "${title}-ca-fragment":
target => $service_pem,
source => $ca_pem,
order => '10',
require => Class['tripleo::certmonger::ca::local'],
}
}
concat::fragment { "${title}-key-fragment":
target => $service_pem,
source => $service_key,
order => 10,
order => 20,
require => Certmonger_certificate["${title}-cert"],
}
}