Adds the ability to provide user certificates to HAProxy

This change brings similar changes as this one targeting horizon:

i.e.:
* The server key/certificate (and optionally a CA cert) are
  distributed to all haproxy containers.

* Two new variables have been implemented for a user-provided
  server key and certificate:
  - haproxy_user_ssl_cert: <path to cert on deployment host>
  - haproxy_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, then the missing cert/key
  will be self generated on each container. No distribution
  of the self generated certificates accross all the hosts
  is planned.

* A new variable has been implemented for a user-provided CA
  certificate:
  - haproxy_user_ssl_ca_cert: <path to cert on deployment host>

* The 'haproxy_cert_regen' variable has been renamed
  to 'haproxy_ssl_self_signed_regen' to have the same
  naming convention as horizon.

* A change of certificates, whether user dropped
  or role generated, triggers pem generation and server restart

DocImpact
Closes-Bug: #1487380

Change-Id: I0c88d197d8ede820ac4e0388e67a2da06b003c2b

defaults/main.yml

@@ -71,8 +71,9 @@ haproxy_bind_on_non_local: False
 
 ## haproxy SSL
 haproxy_ssl: no
-haproxy_cert_regen: no
+haproxy_ssl_self_signed_regen: no
 haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
 haproxy_ssl_key: /etc/ssl/private/haproxy.key
 haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
+haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
 haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

handlers/main.yml

@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: regen pem
+  shell: >
+    cat {{ haproxy_user_ssl_ca_cert is defined | ternary(haproxy_ssl_ca_cert,'') }} {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
+  notify: Restart haproxy
+
 - name: Restart haproxy
   service:
     name: "haproxy"

tasks/haproxy_ssl_configuration.yml

@@ -0,0 +1,69 @@
+---
+# Copyright 2015, Jean-Philippe Evrard <jean-philippe.evrard@belnet.be>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Drop user provided ssl cert and key
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: "{{ haproxy_user_ssl_cert }}", dest: "{{ haproxy_ssl_cert }}", mode: "0644" }
+    - { src: "{{ haproxy_user_ssl_key }}", dest: "{{ haproxy_ssl_key }}", mode: "0640" }
+  when: haproxy_user_ssl_cert is defined and haproxy_user_ssl_key is defined
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl
+
+- name: Drop user provided ssl CA cert
+  copy:
+    src: "{{ haproxy_user_ssl_ca_cert }}"
+    dest: "{{ haproxy_ssl_ca_cert }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: haproxy_user_ssl_ca_cert is defined
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl
+
+- name: Remove signed certs and keys for regen
+  file:
+    dest: "{{ haproxy_ssl_cert }}"
+    state: "absent"
+  with_items:
+    - "{{ haproxy_ssl_pem }}"
+    - "{{ haproxy_ssl_key }}"
+    - "{{ haproxy_ssl_cert }}"
+  when: haproxy_ssl_self_signed_regen | bool
+  tags:
+    - haproxy-ssl
+
+- name: Create self-signed ssl cert if no certificate exists
+  command: >
+    openssl req -new -nodes -sha256 -x509 -subj
+    "{{ haproxy_ssl_self_signed_subject }}"
+    -days 3650
+    -keyout {{ haproxy_ssl_key }}
+    -out {{ haproxy_ssl_cert }}
+    -extensions v3_ca
+    creates={{ haproxy_ssl_cert }}
+  notify:
+    - regen pem
+  tags:
+    - haproxy-ssl

tasks/haproxy_ssl_key_create.yml

@@ -1,43 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Remove self signed cert for regen
-  file:
-    dest: "{{ haproxy_ssl_cert }}"
-    state: "absent"
-  with_items:
-    - "{{ haproxy_ssl_pem }}"
-    - "{{ haproxy_ssl_key }}"
-    - "{{ haproxy_ssl_cert }}"
-  when: haproxy_cert_regen | bool
-
-- name: Create self-signed ssl cert
-  command: >
-    openssl req -new -nodes -sha256 -x509 -subj
-    "{{ haproxy_ssl_self_signed_subject }}"
-    -days 3650
-    -keyout {{ haproxy_ssl_key }}
-    -out {{ haproxy_ssl_cert }}
-    -extensions v3_ca
-    creates={{ haproxy_ssl_cert }}
-  notify: Restart haproxy
-  tags:
-    - haproxy-ssl
-
-- name: Create a .pem certificate file
-  shell: >
-    cat {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
-  args:
-    creates: "{{ haproxy_ssl_pem }}"

tasks/main.yml

@@ -18,7 +18,7 @@
 
 - include: haproxy_install.yml
 
-- include: haproxy_ssl_key_create.yml
+- include: haproxy_ssl_configuration.yml
   when: haproxy_ssl | bool
 
 - include: haproxy_post_install.yml