Only request certs in step 1

The certmonger-user profile class used to run in every deployment step. This
limits it to step 1 only.

Change-Id: I572d53bb6977e16d1deffe0127e17e48a8cda29c
Juan Antonio Osorio Robles 2019-01-30 15:39:23 +02:00
parent 7acd72e0f2
commit 98e9879fd5
1 changed files with 82 additions and 74 deletions


@ -37,6 +37,11 @@
#
# === Parameters
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
# [*apache_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@ -135,6 +140,7 @@
# Defaults to undef
#
class tripleo::profile::base::certmonger_user (
$step = Integer(hiera('step')),
$certmonger_ca = hiera('certmonger_ca', 'local'),
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
@ -159,81 +165,83 @@ class tripleo::profile::base::certmonger_user (
) {
include ::certmonger
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
include ::tripleo::certmonger::ca::local
}
unless empty($haproxy_certificates_specs) {
$reload_haproxy = ['systemctl reload haproxy']
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
if defined(Class['::haproxy']) {
Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
if $step == 1 {
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
include ::tripleo::certmonger::ca::local
}
} else {
$reload_haproxy = []
}
class { '::tripleo::certmonger::ca::crl' :
reload_cmds => $reload_haproxy,
}
Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
include ::tripleo::certmonger::ca::libvirt
include ::tripleo::certmonger::ca::libvirt_vnc
include ::tripleo::certmonger::ca::qemu
unless empty($haproxy_certificates_specs) {
$reload_haproxy = ['systemctl reload haproxy']
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
if defined(Class['::haproxy']) {
Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
}
} else {
$reload_haproxy = []
}
class { '::tripleo::certmonger::ca::crl' :
reload_cmds => $reload_haproxy,
}
Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
include ::tripleo::certmonger::ca::libvirt
include ::tripleo::certmonger::ca::libvirt_vnc
include ::tripleo::certmonger::ca::qemu
# Remove apache_certificates_specs where hostname is empty.
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1811207
$apache_certificates_specs_filtered = $apache_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
unless empty($apache_certificates_specs_filtered) {
include ::tripleo::certmonger::apache_dirs
ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs_filtered)
}
unless empty($libvirt_certificates_specs) {
include ::tripleo::certmonger::libvirt_dirs
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
{'postsave_cmd' => $libvirt_postsave_cmd})
}
unless empty($libvirt_vnc_certificates_specs) {
include ::tripleo::certmonger::libvirt_vnc_dirs
ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
{'postsave_cmd' => $libvirt_vnc_postsave_cmd})
}
unless empty($qemu_certificates_specs) {
include ::tripleo::certmonger::qemu_dirs
include ::tripleo::certmonger::qemu_nbd_dirs
ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
{'postsave_cmd' => $qemu_postsave_cmd})
}
unless empty($haproxy_certificates_specs) {
include ::tripleo::certmonger::haproxy_dirs
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
}
unless empty($mysql_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
}
unless empty($rabbitmq_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
}
unless empty($redis_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
}
unless empty($etcd_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
}
unless empty($odl_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::opendaylight', $odl_certificate_specs)
}
unless empty($ovs_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::openvswitch', $ovs_certificate_specs)
}
unless empty($neutron_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
}
unless empty($novnc_proxy_certificates_specs) {
ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
{'postsave_cmd' => $novnc_proxy_postsave_cmd})
# Remove apache_certificates_specs where hostname is empty.
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1811207
$apache_certificates_specs_filtered = $apache_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
unless empty($apache_certificates_specs_filtered) {
include ::tripleo::certmonger::apache_dirs
ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs_filtered)
}
unless empty($libvirt_certificates_specs) {
include ::tripleo::certmonger::libvirt_dirs
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
{'postsave_cmd' => $libvirt_postsave_cmd})
}
unless empty($libvirt_vnc_certificates_specs) {
include ::tripleo::certmonger::libvirt_vnc_dirs
ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
{'postsave_cmd' => $libvirt_vnc_postsave_cmd})
}
unless empty($qemu_certificates_specs) {
include ::tripleo::certmonger::qemu_dirs
include ::tripleo::certmonger::qemu_nbd_dirs
ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
{'postsave_cmd' => $qemu_postsave_cmd})
}
unless empty($haproxy_certificates_specs) {
include ::tripleo::certmonger::haproxy_dirs
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
}
unless empty($mysql_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
}
unless empty($rabbitmq_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
}
unless empty($redis_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
}
unless empty($etcd_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
}
unless empty($odl_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::opendaylight', $odl_certificate_specs)
}
unless empty($ovs_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::openvswitch', $ovs_certificate_specs)
}
unless empty($neutron_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
}
unless empty($novnc_proxy_certificates_specs) {
ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
{'postsave_cmd' => $novnc_proxy_postsave_cmd})
}
}
}
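Review bot: The new `if $step == 1` guard also wraps the CA trust (`ca::local`), the CRL refresh wiring (`ca::crl` with its haproxy reload commands) and every certificate request, so a changed certificate spec, CA setting or reload command is no longer reconciled on a run that only executes later steps, and nothing in the class documents that. I would extend the `[*step*]` parameter comment with `# Certificates, CA trust and CRL refresh are only declared when step is 1.` so deployers know a step-1 run is required for those to take effect. The comment also says "Defaults to hiera('step')" while the code uses `Integer(hiera('step'))`; since Puppet 4+ does not treat the string `'1'` as equal to the integer `1`, the coercion is what makes the guard fire at all, and a missing or non-numeric hiera value fails catalog compilation, which is worth a one-line note there. The class parameter list between the second and third hunk is outside the shown lines.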