Add DNS name change opportunity
When the DNS hostname in the TLS certificate for the OpenStack endpoints changes, add the conditions needed for services to use the new certificate. Change-Id: Ia2724eb397962f569b8360e684b599c472a891e2 Closes-Bug: #1649886
This commit is contained in:
parent
6e8686fdd0
commit
924bdc1fee
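--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+class osnailyfacter::cluster_haproxy::restart_haproxy {
+
+notice('MODULAR: cluster_haproxy/restart_haproxy.pp')
+
+notify { 'Haproxy service will be restarted': } ~>
+
+service { 'haproxy' :
+ensure => 'running',
+name => 'p_haproxy',
+provider => 'pacemaker',
+enable => true,
+hasstatus => true,
+hasrestart => true,
+}
+}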
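Review bot: The `notify { ... } ~> service { 'haproxy' : ... }` chain sends a refresh to p_haproxy on every catalog application, so this class restarts haproxy unconditionally and the only gate is the restart-haproxy task condition elsewhere in this change (`changed($.public_ssl.hostname) and old($)`). That deserves a comment above the notify so nobody later wraps the service in a guard or drops the task condition, e.g. `# Deliberately unconditional: the notify fires a refresh on every run so haproxy picks up the regenerated certificate; the task condition is the sole gate.` Whether the pacemaker provider performs a full restart or a reload on refresh is not visible here, so the comment should promise no more than a restart.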
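--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -22,12 +22,8 @@ generate_open_ssl_keys () {
 local key_path="$dir_path/public_$i.key"
 local crt_path="$dir_path/public_$i.crt"
 mkdir -p $dir_path
-if [ ! -f $key_path ]; then
-env SSL_CN_NAME="$cn_name" bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -out $crt_path -config $CONF_PATH/openssl.cnf -extensions v3_req 2>&1"
-cat "$crt_path" "$key_path" > "$dir_path/public_$i.pem"
-else
-echo "Key $key_path already exists"
-fi
+env SSL_CN_NAME="$cn_name" bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -out $crt_path -config $CONF_PATH/openssl.cnf -extensions v3_req 2>&1"
+cat "$crt_path" "$key_path" > "$dir_path/public_$i.pem"
 done
 }
 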
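Review bot: The new openssl line keeps `$key_path`, `$crt_path` and `$CONF_PATH` unquoted inside the `bash -c "..."` string (and `mkdir -p $dir_path` is unquoted as well), so a directory containing whitespace or shell metacharacters is expanded by the outer shell and then re-split by the inner bash; the wrapper is unnecessary because the variable assignment can prefix the command directly: `SSL_CN_NAME="$cn_name" openssl req -newkey rsa:2048 -nodes -keyout "$key_path" -x509 -days 3650 -out "$crt_path" -config "$CONF_PATH/openssl.cnf" -extensions v3_req 2>&1`. Removing the `if [ ! -f $key_path ]` guard means every invocation writes a fresh private key and certificate, so a key that was previously generated or replaced by hand in that directory is silently overwritten; if that is the intended behaviour a one-line comment above the openssl call saying so would keep the guard from being reintroduced. Because `-nodes` writes the key unencrypted under whatever umask the caller has, running the generation as `(umask 077; ...)` is worth considering unless file modes are tightened outside this hunk. The enclosing for loop and the `generate_open_ssl_keys` function start outside the hunk.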
@ -243,7 +243,8 @@
|
|||
requires: [pre_deployment_start]
|
||||
condition:
|
||||
yaql_exp: &public_ssl >
|
||||
(changedAny($.public_ssl.horizon, $.public_ssl.services)) and
|
||||
(changedAny($.public_ssl.horizon, $.public_ssl.services,
|
||||
$.public_ssl.hostname)) and
|
||||
($.public_ssl.horizon or $.public_ssl.services) and
|
||||
$.public_ssl.cert_source = 'self_signed'
|
||||
required_for: [copy_haproxy_keys]
|
||||
|
@ -257,11 +258,13 @@
|
|||
role: ['/.*/']
|
||||
condition:
|
||||
yaql_exp: >
|
||||
(((changedAny($.public_ssl.horizon, $.public_ssl.services)) and
|
||||
(((changedAny($.public_ssl.horizon, $.public_ssl.services,
|
||||
$.public_ssl.hostname)) and
|
||||
($.public_ssl.horizon or $.public_ssl.services) and
|
||||
(not (old($.public_ssl.horizon) or old($.public_ssl.services)))) or
|
||||
(($.public_ssl.horizon or $.public_ssl.services) and
|
||||
($.uid in added($.network_metadata.nodes.values()).uid))) and
|
||||
(($.uid in added($.network_metadata.nodes.values()).uid) or (
|
||||
changed($.public_ssl.hostname))))) and
|
||||
$.public_ssl.cert_source = 'self_signed'
|
||||
required_for: [pre_deployment_end]
|
||||
requires: [generate_haproxy_keys]
|
||||
|
|
|
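Review bot: The rewritten `yaql_exp` is a single multi-line boolean nested several parentheses deep with no statement of which cases it is meant to cover, so a reader cannot check that the `added(...)` and `changed($.public_ssl.hostname)` terms are grouped as intended. A YAML comment above `condition:` naming the cases the expression appears to encode — public SSL just switched on, the node newly added, or the public hostname changed, in every case only while `cert_source` is `self_signed` — would let the next edit to this condition be reviewed against intent rather than against parentheses. The task's `- id:` line is outside this hunk.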
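--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+include ::osnailyfacter::cluster_haproxy::restart_haproxy
+include ::osnailyfacter::upgrade::restart_services
+include ::osnailyfacter::override_resources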
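--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -42,3 +42,20 @@
 yaql_exp: *haproxy_strategy
 test_post:
 cmd: ruby /etc/puppet/modules/osnailyfacter/modular/cluster-haproxy/cluster-haproxy_post.rb
+
+- id: restart-haproxy
+type: puppet
+version: 2.1.0
+groups: [primary-controller, controller]
+required_for: [deploy_end]
+requires: [deploy_start, virtual_ips, cluster]
+condition:
+yaql_exp: 'changed($.public_ssl.hostname) and old($)'
+parameters:
+puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/cluster-haproxy/restart-haproxy.pp
+puppet_modules: /etc/puppet/modules
+timeout: 120
+strategy:
+type: parallel
+amount:
+yaql_exp: *haproxy_strategy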
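Review bot: The condition `yaql_exp: 'changed($.public_ssl.hostname) and old($)'` on the new restart-haproxy task does not require public SSL to be enabled, so editing the hostname while both `$.public_ssl.horizon` and `$.public_ssl.services` are off still restarts haproxy on every controller, whereas the key-generation and key-copy tasks in this same change gate on `($.public_ssl.horizon or $.public_ssl.services)`. If the restart exists only to load the regenerated certificate, `yaql_exp: 'changed($.public_ssl.hostname) and old($) and ($.public_ssl.horizon or $.public_ssl.services)'` keeps the tasks in step; if an unconditional restart on hostname change is intended, a comment saying why would help. The `old($)` term is what keeps the task from firing on an initial deployment and deserves a one-line comment as well.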
@ -3,7 +3,7 @@
|
|||
version: 2.0.0
|
||||
groups: [primary-controller, controller]
|
||||
required_for: [deploy_end]
|
||||
requires: [deploy_start, openstack-haproxy-ceilometer, openstack-haproxy-aodh, openstack-haproxy-cinder, openstack-haproxy-glance, openstack-haproxy-heat, openstack-haproxy-horizon, openstack-haproxy-keystone, openstack-haproxy-murano, openstack-haproxy-mysqld, openstack-haproxy-neutron, openstack-haproxy-nova, openstack-haproxy-radosgw, openstack-haproxy-sahara, openstack-haproxy-swift, openstack-haproxy-stats, openstack-haproxy-ironic]
|
||||
requires: [deploy_start, openstack-haproxy-ceilometer, openstack-haproxy-aodh, openstack-haproxy-cinder, openstack-haproxy-glance, openstack-haproxy-heat, openstack-haproxy-horizon, openstack-haproxy-keystone, openstack-haproxy-murano, openstack-haproxy-mysqld, openstack-haproxy-neutron, openstack-haproxy-nova, openstack-haproxy-radosgw, openstack-haproxy-sahara, openstack-haproxy-swift, openstack-haproxy-stats, openstack-haproxy-ironic, restart-haproxy]
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/openstack-haproxy/openstack-haproxy.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
|
|
|
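--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,25 @@
+# ROLE: primary-controller
+# ROLE: controller
+
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'cluster-haproxy/restart-haproxy.pp'
+
+describe manifest do
+
+shared_examples 'catalog' do
+
+it "should declare haproxy service with correct other_networks" do
+expect(subject).to contain_service('haproxy').with(
+'ensure' => 'running',
+'name' => 'p_haproxy',
+'provider' => 'pacemaker',
+'enable' => 'true',
+'hasstatus' => 'true',
+'hasrestart' => 'true',
+)
+end
+
+end
+test_ubuntu_and_centos manifest
+end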
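Review bot: The example name `it "should declare haproxy service with correct other_networks" do` does not describe what the block asserts — nothing in the expectation mentions other_networks; it checks the service's ensure, name, provider and restart attributes — so it reads as copied from another spec, and `it "should declare the haproxy service with the expected pacemaker attributes" do` would match the assertions. The expectation compares `'enable' => 'true'` as a string while the manifest sets `enable => true`; that presumably relies on rspec-puppet stringifying parameter values, which is worth confirming should the example ever fail on a boolean mismatch.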