Move HAProxy's public TLS logic from controller to service template

This de-couples public TLS from controllers to now run wherever HAProxy is deployed. Partially-Implements: blueprint composable-networks Change-Id: I9e84a25a363899acf103015527787bdd8248949f
2017-08-07 14:25:38 +03:00 · 2017-08-07 14:25:38 +03:00 · 74e7e67459
parent 5bf7d6582b
commit 74e7e67459
4 changed files with 25 additions and 6 deletions
--- a/puppet/controller-role.yaml
+++ b/puppet/controller-role.yaml
@ -563,7 +563,6 @@ resources:
          extraconfig: {get_param: ExtraConfig}
          controller:
            # Misc
-            tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
            tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
            fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]}
            fqdn_storage: {get_attr: [NetHostMap, value, storage, fqdn]}
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@ -7,6 +7,7 @@ description: >
 parameters:
  # Can be overridden via parameter_defaults in the environment
  SSLCertificate:
+    default: ''
    description: >
      The content of the SSL certificate (without Key) in PEM format.
    type: string
--- a/puppet/role.role.j2.yaml
+++ b/puppet/role.role.j2.yaml
@ -513,9 +513,6 @@ resources:
            fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
            fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
            fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
-  {%- if 'primary' in role.tags and 'controller' in role.tags %}
-            tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
-  {%- endif -%}

  # Resource for site-specific injection of root certificate
  NodeTLSCAData:
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@ -57,6 +57,16 @@ parameters:
  MonitoringSubscriptionHaproxy:
    default: 'overcloud-haproxy'
    type: string
+  SSLCertificate:
+    default: ''
+    description: >
+      The content of the SSL certificate (without Key) in PEM format.
+    type: string
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
@ -68,6 +78,14 @@ parameters:
    description: Specifies the default CRL PEM file to use for revocation if
                 TLS is used for services in the internal network.

+conditions:
+
+  public_tls_enabled:
+    not:
+      equals:
+      - {get_param: SSLCertificate}
+      - ""
+
 resources:

  HAProxyPublicTLS:
@ -98,8 +116,6 @@ outputs:
      monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
      config_settings:
        map_merge:
-          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
-          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
          - tripleo.haproxy.firewall_rules:
              '107 haproxy stats':
                dport: 1993
@ -115,6 +131,12 @@ outputs:
              map_merge:
                - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
                - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
+          - if:
+              - public_tls_enabled
+              - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
+              - {}
+          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
      step_config: |
        include ::tripleo::profile::base::haproxy
      upgrade_tasks: