From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue, 18 Apr 2017 12:48:02 +0000 (+0300)
Subject: Enable setting SubjectaltNames for haproxy and httpd certs
X-Git-Tag: opnfv-6.0.0~219^2
X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=6990da87c36158677d2c1f78405f45c86e915767;p=apex-puppet-tripleo.git

Enable setting SubjectaltNames for haproxy and httpd certs

This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.

Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
---

diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp
index 6668440..a5d1bf8 100644
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -40,6 +40,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*dnsnames*]
+#   (Optional) The DNS names that will be added for the SubjectAltNames entry
+#   in the certificate. If left unset, the value will be set to the $hostname.
+#   Defaults to undef
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@@ -50,6 +55,7 @@ define tripleo::certmonger::haproxy (
   $hostname,
   $postsave_cmd,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $dnsnames      = undef,
   $principal     = undef,
 ){
     include ::certmonger
@@ -62,11 +68,17 @@ define tripleo::certmonger::haproxy (
       }
     }
 
+    if $dnsnames {
+      $dnsnames_real = $dnsnames
+    } else {
+      $dnsnames_real = $hostname
+    }
+
     certmonger_certificate { "${title}-cert":
       ensure       => 'present',
       ca           => $certmonger_ca,
       hostname     => $hostname,
-      dnsname      => $hostname,
+      dnsname      => $dnsnames_real,
       certfile     => $service_certificate,
       keyfile      => $service_key,
       postsave_cmd => $postsave_cmd,
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index 74c0b5a..e9754f7 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -31,6 +31,11 @@
 #   (Optional) The CA that certmonger will use to generate the certificates.
 #   Defaults to hiera('certmonger_ca', 'local').
 #
+# [*dnsnames*]
+#   (Optional) The DNS names that will be added for the SubjectAltNames entry
+#   in the certificate. If left unset, the value will be set to the $hostname.
+#   Defaults to undef
+#
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
@@ -39,18 +44,25 @@ define tripleo::certmonger::httpd (
   $service_certificate,
   $service_key,
   $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $dnsnames      = undef,
   $principal     = undef,
 ) {
   include ::certmonger
   include ::apache::params
 
+  if $dnsnames {
+    $dnsnames_real = $dnsnames
+  } else {
+    $dnsnames_real = $hostname
+  }
+
   $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
   certmonger_certificate { $name :
     ensure       => 'present',
     certfile     => $service_certificate,
     keyfile      => $service_key,
     hostname     => $hostname,
-    dnsname      => $hostname,
+    dnsname      => $dnsnames_real,
     principal    => $principal,
     postsave_cmd => $postsave_cmd,
     ca           => $certmonger_ca,