First commit.
parent
825a888782
commit
9f402fa94d
@ -1,2 +1,4 @@
|
||||
---
|
||||
# defaults file for ansible-role-template
|
||||
tripleo_haproxy_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
|
||||
tripleo_letsencrypt_dns_provider: true
|
||||
tripleo_letsencrypt_cert_install_dir: '{{ tripleo_overcloud_hostname }}/{{ tripleo_overcloud_domain_name }}'
|
||||
|
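Review bot: `tripleo_haproxy_cert_path` is declared in defaults but nothing in this commit reads it: the hook script obtains the PEM path from hiera (`tripleo::haproxy::service_certificate`) rather than from this variable, so the default either dead or silently diverging from what the script actually writes. If it is consumed by another role or playbook not shown here, add a comment saying so; otherwise either drop it or make the template use it (`service_pem="{{ tripleo_haproxy_cert_path }}"`) so there is a single source of truth for the certificate location. Consider also documenting each default with a one-line comment, e.g. `# Use a DNS-01 challenge via the acme.sh DNS provider hooks instead of HTTP-01`, since the role README is not part of this commit.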
@ -1,61 +1,29 @@
|
||||
---
|
||||
galaxy_info:
|
||||
author: your name
|
||||
description: your description
|
||||
author: Andrea Dell'Amico
|
||||
description: Systems Architect
|
||||
company: ISTI-CNR
|
||||
|
||||
# If the issue tracker for your role is not on github, uncomment the
|
||||
# next line and provide a value
|
||||
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
|
||||
|
||||
# Some suggested licenses:
|
||||
# - BSD (default)
|
||||
# - MIT
|
||||
# - GPLv2
|
||||
# - GPLv3
|
||||
# - Apache
|
||||
# - CC-BY
|
||||
license: EUPL-1.2
|
||||
license: EUPL 1.2+
|
||||
|
||||
min_ansible_version: 2.8
|
||||
|
||||
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||
# min_ansible_container_version:
|
||||
|
||||
# Optionally specify the branch Galaxy will use when accessing the GitHub
|
||||
# repo for this role. During role install, if no tags are available,
|
||||
# Galaxy will use this branch. During import Galaxy will access files on
|
||||
# this branch. If Travis integration is configured, only notifications for this
|
||||
# branch will be accepted. Otherwise, in all cases, the repo's default branch
|
||||
# (usually master) will be used.
|
||||
#github_branch:
|
||||
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
# platforms:
|
||||
# - name: Fedora
|
||||
# versions:
|
||||
# - all
|
||||
# - 25
|
||||
# - name: SomePlatform
|
||||
# versions:
|
||||
# - all
|
||||
# - 1.0
|
||||
# - 7
|
||||
# - 99.99
|
||||
|
||||
galaxy_tags: []
|
||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||
# remove the '[]' above, if you add tags to this list.
|
||||
#
|
||||
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||
# Maximum 20 tags per role.
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- 8
|
||||
|
||||
galaxy_tags:
|
||||
- letsencrypt
|
||||
- tripleo
|
||||
|
||||
dependencies:
|
||||
- name: letsencrypt-acme-sh-client
|
||||
src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
|
||||
version: master
|
||||
state: latest
|
||||
|
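Review bot: The `letsencrypt-acme-sh-client` dependency is pulled from a git URL with `version: master` and `state: latest`, so every install of this role fetches whatever currently sits on that branch — an unpinned, mutable supply-chain reference for code that ends up handling the HAProxy private key. Pin it to a tag or commit SHA and use `state: present`, e.g. `version: 'v1.0.0'` / `state: present` (pick the tag or SHA you actually validated), and bump it deliberately. It is also worth noting in a comment that the dependency is resolved over HTTPS from an internal Gitea instance, so installs require network access to that host.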
@ -1,2 +1,27 @@
|
||||
---
|
||||
# tasks file for ansible-role-template
|
||||
- block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file:
|
||||
dest: '{{ letsencrypt_acme_sh_services_scripts_dir }}'
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reloads the service
|
||||
template:
|
||||
src: letsencrypt-haproxy-refresh.sh.j2
|
||||
dest: '{{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 4555
|
||||
register: tripleo_haproxy_hook
|
||||
|
||||
- name: Run the letsencrypt hook once to create the certificate chain that haproxy will use
|
||||
shell: "{{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy"
|
||||
when: tripleo_haproxy_hook is changed
|
||||
|
||||
tags:
|
||||
- 'haproxy'
|
||||
- 'letsencrypt'
|
||||
- 'letsencrypt_acme_sh'
|
||||
- 'haproxy_letsencrypt'
|
||||
|
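Review bot: `mode: 4555` on the hook template is an unquoted YAML integer, which Ansible treats as decimal 4555 rather than octal 4555 — the Ansible docs require file modes to be quoted or to carry a leading zero, so the resulting permissions will not be the ones intended. Independently of the parsing issue, a setuid bit on a shebang script is ignored by the Linux kernel and only signals an intent to run as root that the file cannot deliver; since the hook is root-owned and (presumably) invoked by the acme.sh renewal as root, `mode: '0750'` is sufficient and avoids the misleading flag. The "Run the letsencrypt hook once" task uses `shell:` for a plain executable path with no shell syntax, so `command:` would be the safer module choice there.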
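--- /dev/null
+++ b/templates/letsencrypt-haproxy-refresh.sh.j2
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# This script is meant to reload HAProxy when letsencrypt triggers a certificate
+# renewal. It'll concatenate the needed certificates for the PEM file that
+# HAProxy reads.
+
+die() { echo "$*" 1>&2 ; exit 1; }
+
+H_NAME="{{ letsencrypt_acme_sh_certs_data_prefix }}"
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+
+LE_ENV_FILE=/etc/default/acme_sh_request_env
+if [ -f "$LE_ENV_FILE" ] ; then
+. "$LE_ENV_FILE"
+else
+die "No letsencrypt client configuration available"
+fi
+
+ACTION=reload
+
+container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
+
+service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
+
+cat ${LE_CERTS_DIR}/{fullchain,privkey} > "$service_pem"
+chmod 0440 "$service_pem"
+
+haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
+
+if [ "$ACTION" == "reload" ]; then
+# Inject the new certificate into the running container
+if echo "$haproxy_container_name" | grep -q "^haproxy-bundle"; then
+# lp#1917868: Do not use podman cp with HA containers as they get
+# frozen temporarily and that can make pacemaker operation fail.
+tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv
+# no need to update the mount point, because pacemaker
+# recreates the container when it's restarted
+else
+# Refresh the pem at the mount-point
+$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls${service_pem}"
+# Copy the new pem from the mount-point to the real path
+$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls${service_pem}" "$service_pem"
+fi
+
+# Set appropriate permissions
+$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
+
+# Trigger a reload for HAProxy to read the new certificates
+$container_cli kill --signal HUP "$haproxy_container_name"
+elif [ "$ACTION" == "restart" ]; then
+# Copying the certificate and permissions will be handled by kolla's start
+# script.
+$container_cli restart "$haproxy_container_name"
+fi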
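Review bot: This file is rendered through Ansible's `template` module as a `.j2`, so the `{{.Names}}` in the `$container_cli ps --format=` line will be handed to Jinja2, which rejects an expression beginning with `.` — the task will most likely fail with a TemplateSyntaxError before the hook is ever installed; escape it as `--format="{{ '{{.Names}}' }}"` or wrap that line in `{% raw %}`/`{% endraw %}`. A second problem is that the PEM is assembled with `cat … > "$service_pem"` and no error handling: the redirection truncates the live file before `cat` reads anything, so if `fullchain` or `privkey` is missing (which is plausible the first time the task runs the hook) the script carries on, pushes an empty or partial PEM into the container and HUPs HAProxy. Build the bundle into a temp file next to the target, verify the inputs first, and rename atomically, keeping the key material unreadable while it is being written. The existing `die` helper is otherwise unused after the env-file check, so this also gives it a purpose.
```shell
# … unchanged: env-file sourcing, hiera lookups …
for f in fullchain privkey; do
    [ -s "${LE_CERTS_DIR}/${f}" ] || die "Missing ${LE_CERTS_DIR}/${f}, not touching ${service_pem}"
done
umask 077
tmp_pem="$(mktemp "${service_pem}.XXXXXX")" || die "Cannot create temp file for ${service_pem}"
cat "${LE_CERTS_DIR}"/{fullchain,privkey} > "$tmp_pem" || { rm -f "$tmp_pem"; die "Failed to assemble ${service_pem}"; }
chmod 0440 "$tmp_pem"
mv -f "$tmp_pem" "$service_pem"
# … unchanged: container lookup and reload/restart branches …
```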
@ -1,2 +1,4 @@
|
||||
---
|
||||
# vars file for ansible-role-template
|
||||
letsencrypt_acme_install: true
|
||||
letsencrypt_acme_sh_use_dns_provider: '{{ tripleo_letsencrypt_dns_provider }}'
|
||||
letsencrypt_acme_sh_certificates_install_dir: '{{ tripleo_letsencrypt_cert_install_dir }}'
|
||||
|
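Review bot: Placing `letsencrypt_acme_install`, `letsencrypt_acme_sh_use_dns_provider` and `letsencrypt_acme_sh_certificates_install_dir` in `vars/main.yml` gives them role-vars precedence, which overrides inventory, group_vars and host_vars; anyone consuming the `letsencrypt-acme-sh-client` dependency through this role can then only influence those settings via the `tripleo_*` indirection or `-e`. If that lock-down is intended, say so with a comment such as `# Role vars: deliberately pin the acme.sh client settings for the TripleO use case; override via the tripleo_* defaults`; if not, these belong in `defaults/main.yml`. `letsencrypt_acme_install: true` in particular is a hard-coded boolean with no `tripleo_*` knob, so a comment explaining why it is fixed would help the next maintainer.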