Handle NodeTLSData resources for controller roles

In ocata (and newton), a custom role in place of the default controller didn't work, b/c not all of the controller specific resources were represented in role.role.j2.yaml. This patch makes it so that at least overcloud SSL configuration is handled by checking to see if the string "controller" is in the role name. This fixes the issue of using deployed-server with ssl for ocata. Change-Id: I7e8487208cc71a0780abc167d06902b9f3d3c983 Closes-Bug: #1751179
2018-02-22 21:16:07 -05:00 · 2018-02-22 21:16:07 -05:00 · eb8de76ad0
parent f9ded9307b
commit eb8de76ad0
2 changed files with 33 additions and 2 deletions
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@ -454,14 +454,27 @@ resources:
            fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
            fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
            fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
+  {%- if 'controller' in role.lower() %}
+            tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
+  {%- endif -%}

  # Resource for site-specific injection of root certificate
  NodeTLSCAData:
-    depends_on: {{role}}Deployment
+    depends_on: NetworkDeployment
    type: OS::TripleO::NodeTLSCAData
    properties:
      server: {get_resource: {{role}}}

+  {%- if 'controller' in role.lower() %}
+  # Resource for site-specific passing of private keys/certificates
+  NodeTLSData:
+    depends_on: NodeTLSCAData
+    type: OS::TripleO::NodeTLSData
+    properties:
+      server: {get_resource: {{role}}}
+      NodeIndex: {get_param: NodeIndex}
+  {%- endif -%}
+
  # Hook for site-specific additional pre-deployment config, e.g extra hieradata
  {{role}}ExtraConfigPre:
    depends_on: {{role}}Deployment
@ -472,7 +485,13 @@ resources:
  # Hook for site-specific additional pre-deployment config,
  # applying to all nodes, e.g node registration/unregistration
  NodeExtraConfig:
-    depends_on: [{{role}}ExtraConfigPre, NodeTLSCAData]
+    depends_on:
+      - {{role}}ExtraConfigPre
+  {%- if 'controller' in role.lower() %}
+      - NodeTLSData
+  {%- else %}
+      - NodeTLSCAData
+  {%- endif %}
    type: OS::TripleO::NodeExtraConfig
    properties:
        server: {get_resource: {{role}}}
@ -596,3 +615,11 @@ CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
  management_ip_address:
    description: IP address of the server in the management network
    value: {get_attr: [ManagementPort, ip_address]}
+  {%- if 'controller' in role.lower() %}
+  tls_key_modulus_md5:
+    description: MD5 checksum of the TLS Key Modulus
+    value: {get_attr: [NodeTLSData, key_modulus_md5]}
+  tls_cert_modulus_md5:
+    description: MD5 checksum of the TLS Certificate Modulus
+    value: {get_attr: [NodeTLSData, cert_modulus_md5]}
+  {%- endif %}
--- a/releasenotes/notes/deployed-server-ssl-c33d6810b889045c.yaml
+++ b/releasenotes/notes/deployed-server-ssl-c33d6810b889045c.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - The custom roles for deployed-server in deployed-server-roles-data.yaml
+    will now work when configuring overcloud SSL.