HAProxy: Refactor certificate retrieval bits

This moves the certificate request bits to simplify the profile and move
the logic to the HAProxy/certmonger specific manifest.

This is a small iteration on the effort to separate the certificate
retrieval to its own manifest since this part won't be containerized
yet.

Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92

diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 3b8fd09..6668440 100644 (file)
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -52,14 +52,27 @@ define tripleo::certmonger::haproxy (
   $certmonger_ca = hiera('certmonger_ca', 'local'),
   $principal     = undef,
 ){
+    include ::certmonger
     include ::haproxy::params
+    # This is only needed for certmonger's local CA. For any other CA this
+    # operation (trusting the CA) should be done by the deployer.
+    if $certmonger_ca == 'local' {
+      class { '::tripleo::certmonger::ca::local':
+        notify => Class['::tripleo::haproxy']
+      }
+    }
+
     certmonger_certificate { "${title}-cert":
+      ensure       => 'present',
+      ca           => $certmonger_ca,
       hostname     => $hostname,
       dnsname      => $hostname,
       certfile     => $service_certificate,
       keyfile      => $service_key,
       postsave_cmd => $postsave_cmd,
       principal    => $principal,
+      wait         => true,
+      require      => Class['::certmonger'],
     }
     concat { $service_pem :
       ensure  => present,

diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index f16ec1b..8568b28 100644 (file)
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -32,10 +32,6 @@
 #         principal: "haproxy/<undercloud fqdn>"
 #   Defaults to {}.
 #
-# [*certmonger_ca*]
-#   (Optional) The CA that certmonger will use to generate the certificates.
-#   Defaults to hiera('certmonger_ca', 'local').
-#
 # [*enable_load_balancer*]
 #   (Optional) Whether or not loadbalancer is enabled.
 #   Defaults to hiera('enable_load_balancer', true).
@@ -55,7 +51,6 @@
 #
 class tripleo::profile::base::haproxy (
   $certificates_specs            = {},
-  $certmonger_ca                 = hiera('certmonger_ca', 'local'),
   $enable_load_balancer          = hiera('enable_load_balancer', true),
   $generate_service_certificates = hiera('generate_service_certificates', false),
   $step                          = hiera('step'),
@@ -63,22 +58,7 @@ class tripleo::profile::base::haproxy (
   if $step >= 1 {
     if $enable_load_balancer {
       if str2bool($generate_service_certificates) {
-        include ::certmonger
-        # This is only needed for certmonger's local CA. For any other CA this
-        # operation (trusting the CA) should be done by the deployer.
-        if $certmonger_ca == 'local' {
-          class { '::tripleo::certmonger::ca::local':
-            notify => Class['::tripleo::haproxy']
-          }
-        }
-
-        Certmonger_certificate {
-          ca          => $certmonger_ca,
-          ensure      => 'present',
-          wait        => true,
-          require     => Class['::certmonger'],
-        }
-        create_resources('::tripleo::certmonger::haproxy', $certificates_specs)
+        ensure_resources('tripleo::certmonger::haproxy', $certificates_specs)
         # The haproxy fronends (or listen resources) depend on the certificate
         # existing and need to be refreshed if it changed.
         Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>