# Heat template that places a PEM certificate chain and key on a controller
# node for the load balancer.
# NOTE(review): the gutter numbers in this listing skip lines, so several
# declarations (parameter types, defaults, `hidden`) are not visible here.
1 heat_template_version: pike
4 This is a template which will build the TLS Certificates necessary
5 for the load balancer using the given parameters.
8 # Can be overridden via parameter_defaults in the environment
12 The content of the SSL certificate (without Key) in PEM format.
# Intermediate CA certificate; it is listed after the leaf certificate where
# the deployment inputs are built further down.
14 SSLIntermediateCertificate:
17 The content of an SSL intermediate CA certificate in PEM format.
21 The content of the SSL Key in PEM format.
# NOTE(review), SSL key parameter: this is private key material passed as a
# stack parameter. Confirm its declaration sets `hidden: true` (not visible in
# this listing) so the value is masked when stack parameters are displayed.
25 # Can be overridden by parameter_defaults if the user wants to try deploying
26 # this in a distro that doesn't support this path.
27 DeployedSSLCertificatePath:
28 default: '/etc/pki/tls/private/overcloud_endpoint.pem'
30 The filepath of the certificate as it will be stored in the controller.
33 # Passed in by the controller
38 description: ID of the controller node to apply this config to
# Software config whose script writes the PEM bundle to ${cert_path}, restricts
# its mode and ownership, records digests as outputs and reloads haproxy.
43 type: OS::Heat::SoftwareConfig
48 - name: cert_chain_content
# NOTE(review): the redirect below creates the file under the current umask;
# mode and owner are only tightened by the later chmod/chown. The same file is
# read as an RSA key further down, so setting a restrictive umask (for example
# `umask 077`) before this line would keep the key from being readable by
# other users in that interval. Confirm the effective umask on the target.
55 cat > ${cert_path} << EOF
58 chmod 0440 ${cert_path}
59 chown root:haproxy ${cert_path}
# MD5 is used here as a change fingerprint that is exported through the stack
# outputs; it is not an integrity control and should not be relied on to detect
# deliberate tampering with the file.
60 md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
# The two modulus digests let a consumer check that the certificate and the key
# stored in ${cert_path} belong together (equal digests mean equal moduli).
# NOTE(review): `openssl rsa` only handles RSA keys, and `cut -c 10-` assumes a
# 9-character prefix such as "(stdin)= " in the digest output; some OpenSSL
# versions print a different prefix, so verify the format on the target image.
# No error handling is visible in this listing; if a command fails, the digest
# of empty input may be recorded instead (confirm against the full script).
61 openssl x509 -noout -modulus -in ${cert_path} \
62 | openssl md5 | cut -c 10- \
63 > ${heat_outputs_path}.cert_modulus
64 openssl rsa -noout -modulus -in ${cert_path} \
65 | openssl md5 | cut -c 10- \
66 > ${heat_outputs_path}.key_modulus
67 # We need to reload haproxy in case the certificate changed because
68 # puppet doesn't know the contents of the cert file.
# Only an already-active haproxy is reloaded; an inactive service is left alone.
69 haproxy_status=$(systemctl is-active haproxy)
70 if [ "$haproxy_status" = "active" ]; then
71 systemctl reload haproxy
# Applies ControllerTLSConfig to the node given by the `server` parameter.
74 ControllerTLSDeployment:
75 type: OS::Heat::SoftwareDeployment
77 name: ControllerTLSDeployment
78 config: {get_resource: ControllerTLSConfig}
79 server: {get_param: server}
81 cert_path: {get_param: DeployedSSLCertificatePath}
# Leaf certificate first, then the intermediate CA; presumably joined into one
# chain string by lines that this listing does not show.
85 - - {get_param: SSLCertificate}
86 - {get_param: SSLIntermediateCertificate}
# Stack outputs: a deployment digest, the deployed path and the two modulus
# digests written by the script. They expose MD5 values and a file path, not
# the key itself, and are typically visible to anyone allowed to read the
# stack's outputs.
91 description: Deployment reference
92 value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
93 deployed_ssl_certificate_path:
94 description: The location that the TLS certificate was deployed to.
95 value: {get_param: DeployedSSLCertificatePath}
# key_modulus and cert_modulus should be equal when the key matches the
# certificate; a mismatch indicates the wrong key/certificate pair was supplied.
97 description: MD5 checksum of the Key SSL Modulus
98 value: {get_attr: [ControllerTLSDeployment, key_modulus]}
100 description: MD5 checksum of the Certificate SSL Modulus
101 value: {get_attr: [ControllerTLSDeployment, cert_modulus]}