Code Review / apex-tripleo-heat-templates.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
Merge "Add missing ManagementIpSubnet"
[apex-tripleo-heat-templates.git] / puppet / extraconfig / tls / tls-cert-inject.yaml
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index b4564fc..e281ef5 100644 (file)
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -5,9 +5,8 @@ description: >
   for the load balancer using the given parameters.
 
 parameters:
-  # Can be overriden via parameter_defaults in the environment
+  # Can be overridden via parameter_defaults in the environment
   SSLCertificate:
-    default: ''
     description: >
       The content of the SSL certificate (without Key) in PEM format.
     type: string
@@ -17,13 +16,12 @@ parameters:
       The content of an SSL intermediate CA certificate in PEM format.
     type: string
   SSLKey:
-    default: ''
     description: >
       The content of the SSL Key in PEM format.
     type: string
     hidden: true
 
-  # Can be overriden by parameter_defaults if the user wants to try deploying
+  # Can be overridden by parameter_defaults if the user wants to try deploying
   # this in a distro that doesn't support this path.
   DeployedSSLCertificatePath:
     default: '/etc/pki/tls/private/overcloud_endpoint.pem'
@@ -49,18 +47,35 @@ resources:
         - name: cert_chain_content
       outputs:
         - name: chain_md5sum
+        - name: cert_modulus
+        - name: key_modulus
       config: |
         #!/bin/sh
-        cat << EOF | tee ${cert_path} > /dev/null
+        cat > ${cert_path} << EOF
         ${cert_chain_content}
         EOF
         chmod 0440 ${cert_path}
         chown root:haproxy ${cert_path}
         md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+        openssl x509 -noout -modulus -in ${cert_path} \
+          | openssl md5 | cut -c 10- \
+          > ${heat_outputs_path}.cert_modulus
+        openssl rsa -noout -modulus -in ${cert_path} \
+          | openssl md5 | cut -c 10- \
+          > ${heat_outputs_path}.key_modulus
+        # We need to reload haproxy in case the certificate changed because
+        # puppet doesn't know the contents of the cert file.  The pacemaker
+        # case is handled separately in a pacemaker-specific resource.
+        pacemaker_status=$(systemctl is-active pacemaker)
+        haproxy_status=$(systemctl is-active haproxy)
+        if [ "$pacemaker_status" != "active" -a "$haproxy_status" = "active"]; then
+            systemctl reload haproxy
+        fi
 
   ControllerTLSDeployment:
     type: OS::Heat::SoftwareDeployment
     properties:
+      name: ControllerTLSDeployment
       config: {get_resource: ControllerTLSConfig}
       server: {get_param: server}
       input_values:
@@ -79,3 +94,9 @@ outputs:
   deployed_ssl_certificate_path:
     description: The location that the TLS certificate was deployed to.
     value: {get_param: DeployedSSLCertificatePath}
+  key_modulus_md5:
+    description: MD5 checksum of the Key SSL Modulus
+    value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+  cert_modulus_md5:
+    description: MD5 checksum of the Certificate SSL Modulus
+    value: {get_attr: [ControllerTLSDeployment, cert_modulus]}