diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
deleted file mode 100644
index 20759937cf..0000000000
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ /dev/null
@@ -1,140 +0,0 @@
-heat_template_version: rocky
-
-description: >
- This is a template which will build the TLS Certificates necessary
- for the load balancer using the given parameters.
-
-parameters:
- # Can be overridden via parameter_defaults in the environment
- SSLCertificate:
- default: ''
- description: >
- The content of the SSL certificate (without Key) in PEM format.
- type: string
- SSLIntermediateCertificate:
- default: ''
- description: >
- The content of an SSL intermediate CA certificate in PEM format.
- type: string
- # NOTE(jaosorior): Adding this default is only while we enable TLS by default
- # for the overcloud. It'll be removed in a subsequent patch.
- SSLKey:
- default: ''
- description: >
- The content of the SSL Key in PEM format.
- type: string
- hidden: true
-
- # Can be overridden by parameter_defaults if the user wants to try deploying
- # this in a distro that doesn't support this path.
- DeployedSSLCertificatePath:
- default: '/etc/pki/tls/private/overcloud_endpoint.pem'
- description: >
- The filepath of the certificate as it will be stored in the controller.
- type: string
-
- # Passed in by the controller
- NodeIndex:
- default: 0
- type: number
- server:
- description: ID of the controller node to apply this config to
- type: string
-
-resources:
- ControllerTLSConfig:
- type: OS::Heat::SoftwareConfig
- properties:
- group: script
- inputs:
- - name: cert_path
- - name: cert_chain_content
- outputs:
- - name: chain_md5sum
- - name: cert_modulus
- - name: key_modulus
- config: |
- #!/bin/sh
- # If the HAProxy container tried to load this, it'll be a directory and
- # will make this fail.
- if [ -d ${cert_path} ]; then
- rmdir ${cert_path}
- HAPROXY_TLS_UPDATE_NEEDED=1
- else
- HAPROXY_TLS_UPDATE_NEEDED=0
- fi
- cat > ${cert_path} << EOF
- ${cert_chain_content}
- EOF
- chmod 0440 ${cert_path}
- chown root:haproxy ${cert_path}
- md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
- openssl x509 -noout -modulus -in ${cert_path} \
- | openssl md5 | cut -c 10- \
- > ${heat_outputs_path}.cert_modulus
- openssl rsa -noout -modulus -in ${cert_path} \
- | openssl md5 | cut -c 10- \
- > ${heat_outputs_path}.key_modulus
- # We need to reload haproxy in case the certificate changed because
- # puppet doesn't know the contents of the cert file.
- haproxy_status=$(systemctl is-active haproxy)
- if [ "$haproxy_status" = "active" ]; then
- systemctl reload haproxy
- fi
- pacemaker_status=$(systemctl is-active pacemaker)
- # If we need an update and pacemaker is being used, we need to restart
- # the pacemaker resource on the bootstrap node. We don't support the update
- # in non-pacemaker cases.
- if [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 1 && "$pacemaker_status" == "active" ]]; then
- BOOTSTRAPNODE=$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)
- MY_HOSTNAME=$(hostname)
- if [[ "$BOOTSTRAPNODE" == "$MY_HOSTNAME" ]]; then
- # Triggers an update
- HAPROXY_RESOURCE_NAME=$(pcs status | grep container | grep haproxy | sed 's/^.*container.*: \(.*\) .*/\1/')
- if [[ -n "$HAPROXY_RESOURCE_NAME" ]]; then
- pcs resource restart "$HAPROXY_RESOURCE_NAME"
- fi
- fi
- elif [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 0 ]]; then
- # Handles reloading HAProxy and fetching a new certificate if
- # necessary
- HAPROXY_CONTAINER_ID=$(docker ps | grep '[[:space:]]haproxy' | awk '{print $1}')
- if [[ -n "$HAPROXY_CONTAINER_ID" ]]; then
- if [[ "$pacemaker_status" == "active" ]]; then
- # We copy the certificate from the mount point to the desired
- # path
- docker exec "$HAPROXY_CONTAINER_ID" cp /var/lib/kolla/config_files/src-tls${cert_path} ${cert_path}
- fi
- docker kill --signal=HUP "$HAPROXY_CONTAINER_ID"
- fi
- fi
-
-
- ControllerTLSDeployment:
- type: OS::Heat::SoftwareDeployment
- properties:
- name: ControllerTLSDeployment
- config: {get_resource: ControllerTLSConfig}
- server: {get_param: server}
- input_values:
- cert_path: {get_param: DeployedSSLCertificatePath}
- cert_chain_content:
- list_join:
- - ''
- - - {get_param: SSLCertificate}
- - {get_param: SSLIntermediateCertificate}
- - {get_param: SSLKey}
-
-outputs:
- deploy_stdout:
- description: Deployment reference
- value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
- deployed_ssl_certificate_path:
- description: The location that the TLS certificate was deployed to.
- value: {get_param: DeployedSSLCertificatePath}
- key_modulus_md5:
- description: MD5 checksum of the Key SSL Modulus
- value: {get_attr: [ControllerTLSDeployment, key_modulus]}
- cert_modulus_md5:
- description: MD5 checksum of the Certificate SSL Modulus
- value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
diff --git a/sample-env-generator/README.rst b/sample-env-generator/README.rst
index f9bbfaa5a0..21aed99a0c 100644
--- a/sample-env-generator/README.rst
+++ b/sample-env-generator/README.rst
@@ -38,7 +38,7 @@ Environment-specific:
- **files**: The Heat templates containing the parameter definitions
for the environment. Should be specified as a path relative to the
root of the ``tripleo-heat-templates`` project. For example:
- ``puppet/extraconfig/tls/tls-cert-inject.yaml:``. Each filename
+ ``puppet/extraconfig/tls/ca-inject.yaml:``. Each filename
should be a YAML dictionary that contains a ``parameters`` entry.
- **parameters**: There should be one ``parameters`` entry per file in the
``files`` section (see the example configuration below).
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index 3b622f8276..bf799b216b 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -288,7 +288,6 @@ ANSIBLE_TASKS_YAMLS = [
HEAT_OUTPUTS_EXCLUSIONS = [
'./puppet/extraconfig/tls/ca-inject.yaml',
- './puppet/extraconfig/tls/tls-cert-inject.yaml',
'./deployed-server/deployed-server.yaml',
'./extraconfig/tasks/ssh/host_public_key.yaml',
'./extraconfig/pre_network/host_config_and_reboot.yaml'