Generate HAProxy certificates in base profile

This gives the option to generate the service certificate(s) that
HAProxy will use. This will be used for both the overcloud and the
undercloud.

bp tls-via-certmonger

Change-Id: I3d0b729d0bad5252c1ae8852109c3a70c0c6ba7d

diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 31a5415..8e73ce3 100644 (file)
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -27,13 +27,59 @@
 #   (Optional) Whether or not loadbalancer is enabled.
 #   Defaults to hiera('enable_load_balancer', true).
 #
+# [*generate_service_certificates*]
+#   (Optional) Whether or not certmonger will generate certificates for
+#   HAProxy. This could be as many as specified by the $certificates_specs
+#   variable.
+#   Note that this doesn't configure the certificates in haproxy, it merely
+#   creates the certificates.
+#   Defaults to hiera('generate_service_certificate', false).
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     tripleo::profile::base::haproxy::certificates_specs:
+#       undercloud-haproxy-public-cert:
+#         service_pem: <haproxy ready pem file>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         hostname: <undercloud fqdn>
+#         postsave_cmd: <command to update certificate on resubmit>
+#         principal: "haproxy/<undercloud fqdn>"
+#   Defaults to {}.
+#
 class tripleo::profile::base::haproxy (
-  $enable_load_balancer = hiera('enable_load_balancer', true),
-  $step                 = hiera('step'),
+  $enable_load_balancer          = hiera('enable_load_balancer', true),
+  $step                          = hiera('step'),
+  $generate_service_certificates = hiera('generate_service_certificates', false),
+  $certmonger_ca                 = hiera('certmonger_ca', 'local'),
+  $certificates_specs            = {},
 ) {
 
   if $step >= 1 {
     if $enable_load_balancer {
+      if str2bool($generate_service_certificates) {
+        include ::certmonger
+        # This is only needed for certmonger's local CA. For any other CA this
+        # operation (trusting the CA) should be done by the deployer.
+        if $certmonger_ca == 'local' {
+          include ::tripleo::certmonger::ca::local
+        }
+
+        Certmonger_certificate {
+          ca          => $certmonger_ca,
+          ensure      => 'present',
+          wait        => true,
+          require     => Class['::certmonger'],
+        }
+        create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
+      }
+
       include ::tripleo::haproxy
     }
   }