ISTI-ansible-roles
/
ansible-role-tripleo-haproxy-certificate
4
0
Fork 0
Code Pull Requests Releases Activity

First commit.

Browse Source
master
Andrea Dell'Amico 2 years ago
parent 825a888782
commit 9f402fa94d
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
6 changed files with 114 additions and 71 deletions
Show Stats Download Patch File Download Diff File

28
README.md
Unescape Escape View File

@ -1,31 +1,23 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs a Letsencrypt certificate and configures HAPROXY in the controller nodes to use it.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
tripleo_haproxy_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
tripleo_letsencrypt_dns_provider: true
tripleo_letsencrypt_cert_install_dir: '{{ tripleo_overcloud_hostname }}/{{ tripleo_overcloud_domain_name }}'
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
letsencrypt-acme-sh-client
License
-------
@ -35,4 +27,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

4
defaults/main.yml
Unescape Escape View File

@ -1,2 +1,4 @@
---
# defaults file for ansible-role-template
tripleo_haproxy_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
tripleo_letsencrypt_dns_provider: true
tripleo_letsencrypt_cert_install_dir: '{{ tripleo_overcloud_hostname }}/{{ tripleo_overcloud_domain_name }}'

68
meta/main.yml
Unescape Escape View File

@ -1,61 +1,29 @@
---
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
platforms:
- name: EL
versions:
- 8
galaxy_tags:
- letsencrypt
- tripleo
dependencies:
- name: letsencrypt-acme-sh-client
src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
version: master
state: latest

27
tasks/main.yml
Unescape Escape View File

@ -1,2 +1,27 @@
---
# tasks file for ansible-role-template
- block:
- name: Create the acme hooks directory if it does not yet exist
file:
dest: '{{ letsencrypt_acme_sh_services_scripts_dir }}'
state: directory
owner: root
group: root
- name: Install a script that fix the letsencrypt certificate for haproxy and then reloads the service
template:
src: letsencrypt-haproxy-refresh.sh.j2
dest: '{{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy'
owner: root
group: root
mode: 4555
register: tripleo_haproxy_hook
- name: Run the letsencrypt hook once to create the certificate chain that haproxy will use
shell: "{{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy"
when: tripleo_haproxy_hook is changed
tags:
- 'haproxy'
- 'letsencrypt'
- 'letsencrypt_acme_sh'
- 'haproxy_letsencrypt'

54
templates/letsencrypt-haproxy-refresh.sh.j2
Unescape Escape View File

@ -0,0 +1,54 @@
#!/bin/bash
# This script is meant to reload HAProxy when letsencrypt triggers a certificate
# renewal. It'll concatenate the needed certificates for the PEM file that
# HAProxy reads.
die() { echo "$*" 1>&2 ; exit 1; }
H_NAME="{{ letsencrypt_acme_sh_certs_data_prefix }}"
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
LE_ENV_FILE=/etc/default/acme_sh_request_env
if [ -f "$LE_ENV_FILE" ] ; then
. "$LE_ENV_FILE"
else
die "No letsencrypt client configuration available"
fi
ACTION=reload
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
cat ${LE_CERTS_DIR}/{fullchain,privkey} > "$service_pem"
chmod 0440 "$service_pem"
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
if [ "$ACTION" == "reload" ]; then
# Inject the new certificate into the running container
if echo "$haproxy_container_name" | grep -q "^haproxy-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_pem" | $container_cli exec -i "$haproxy_container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the pem at the mount-point
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls${service_pem}"
# Copy the new pem from the mount-point to the real path
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls${service_pem}" "$service_pem"
fi
# Set appropriate permissions
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
# Trigger a reload for HAProxy to read the new certificates
$container_cli kill --signal HUP "$haproxy_container_name"
elif [ "$ACTION" == "restart" ]; then
# Copying the certificate and permissions will be handled by kolla's start
# script.
$container_cli restart "$haproxy_container_name"
fi

4
vars/main.yml
Unescape Escape View File

@ -1,2 +1,4 @@
---
# vars file for ansible-role-template
letsencrypt_acme_install: true
letsencrypt_acme_sh_use_dns_provider: '{{ tripleo_letsencrypt_dns_provider }}'
letsencrypt_acme_sh_certificates_install_dir: '{{ tripleo_letsencrypt_cert_install_dir }}'

Write Preview
Loading…
Cancel
Save