1 heat_template_version: 2015-04-30
4 This is a template which will build the TLS Certificates necessary
5 for the load balancer using the given parameters.
8 # Can be overridden via parameter_defaults in the environment
11 The content of the SSL certificate (without Key) in PEM format.
13 SSLIntermediateCertificate:
16 The content of an SSL intermediate CA certificate in PEM format.
20 The content of the SSL Key in PEM format.
# NOTE(review): this parameter carries private-key material. Its remaining
# attribute lines are not shown in this listing; confirm it is declared
# `hidden: true` so the value is masked when the stack is displayed.
24 # Can be overridden by parameter_defaults if the user wants to try deploying
25 # this in a distro that doesn't support this path.
# The deployment script reads both the certificate (openssl x509) and the RSA
# key (openssl rsa) from this single file, so whatever path is configured
# here ends up holding the private key.
26 DeployedSSLCertificatePath:
27 default: '/etc/pki/tls/private/overcloud_endpoint.pem'
29 The filepath of the certificate as it will be stored in the controller.
32 # Passed in by the controller
37 description: ID of the controller node to apply this config to
42 type: OS::Heat::SoftwareConfig
47 - name: cert_chain_content
# Write the PEM bundle to ${cert_path}, then restrict it to read-only for
# owner root and group haproxy (mode 0440, no access for others).
# NOTE(review): the redirection creates the file before chmod/chown run, so
# on first creation its mode comes from the process umask. Setting a
# restrictive umask (e.g. `umask 077`) ahead of the write would close that
# window; confirm which umask the deployment agent runs with.
54 cat > ${cert_path} << EOF
57 chmod 0440 ${cert_path}
58 chown root:haproxy ${cert_path}
# MD5 of the whole deployed file, stored as the chain_md5sum output. It is a
# change marker only; MD5 gives no protection against deliberate tampering.
59 md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
# Digest of the certificate's public modulus. `cut -c 10-` presumably drops
# the label that `openssl md5` prints before the hash; the label length
# depends on the openssl version, so verify the stored value is a bare hash.
60 openssl x509 -noout -modulus -in ${cert_path} \
61 | openssl md5 | cut -c 10- \
62 > ${heat_outputs_path}.cert_modulus
# Same digest over the private key's modulus, read from the same file.
# `openssl rsa` only handles RSA keys. Presumably the consumer of these
# outputs compares cert_modulus with key_modulus to check that the key and
# the certificate belong together.
63 openssl rsa -noout -modulus -in ${cert_path} \
64 | openssl md5 | cut -c 10- \
65 > ${heat_outputs_path}.key_modulus
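66 # We need to reload haproxy in case the certificate changed because
67 # puppet doesn't know the contents of the cert file. The pacemaker
68 # case is handled separately in a pacemaker-specific resource.
# `systemctl is-active` prints the unit state; "active" means it is running.
69 pacemaker_status=$(systemctl is-active pacemaker)
70 haproxy_status=$(systemctl is-active haproxy)
# Reload only when haproxy is running and pacemaker is not. The closing `]`
# of a test must be a separate word: written as `"active"]` the test exits
# with an error, the condition is treated as false, and haproxy keeps serving
# the previous certificate. Two tests joined with && replace the obsolescent
# `-a` operator.
71 if [ "$pacemaker_status" != "active" ] && [ "$haproxy_status" = "active" ]; then
72 systemctl reload haproxy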
75 ControllerTLSDeployment:
76 type: OS::Heat::SoftwareDeployment
78 name: ControllerTLSDeployment
# Applies the ControllerTLSConfig resource to the node given by the `server`
# parameter.
79 config: {get_resource: ControllerTLSConfig}
80 server: {get_param: server}
# Destination file used by the script; the same parameter is reported back
# through the deployed_ssl_certificate_path output.
82 cert_path: {get_param: DeployedSSLCertificatePath}
# Certificate first, intermediate CA second. The function that combines this
# list is not shown in this listing; presumably it joins the two into the
# cert_chain_content input.
86 - - {get_param: SSLCertificate}
87 - {get_param: SSLIntermediateCertificate}
92 description: Deployment reference
# MD5 of the deployed bundle file, written by the deployment script. It serves
# as a change marker only and offers no tamper resistance.
93 value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
94 deployed_ssl_certificate_path:
95 description: The location that the TLS certificate was deployed to.
96 value: {get_param: DeployedSSLCertificatePath}
# The RSA modulus is public (the certificate carries the same value), so this
# digest does not expose key material. Equal key and certificate modulus
# digests mean the key matches the certificate.
98 description: MD5 checksum of the Key SSL Modulus
99 value: {get_attr: [ControllerTLSDeployment, key_modulus]}
101 description: MD5 checksum of the Certificate SSL Modulus
102 value: {get_attr: [ControllerTLSDeployment, cert_modulus]}