From b278f6c4760e7803fd243e946233921399b403f5 Mon Sep 17 00:00:00 2001
From: Steven Hardy <shardy@redhat.com>
Date: Wed, 26 Sep 2018 15:24:55 +0100
Subject: [PATCH] Remove unused tls-cert-inject.yaml template

This template is no longer used, as the TLS handling tasks were converted
to Ansible, and in the context of this series we need to remove it
because it references bootstrap_nodeid.

Partial-Bug: #1792613
Change-Id: Ib32177b116f148f007574847320566e32240cf96
---
 puppet/extraconfig/tls/tls-cert-inject.yaml | 140 --------------------
 sample-env-generator/README.rst             |   2 +-
 tools/yaml-validate.py                      |   1 -
 3 files changed, 1 insertion(+), 142 deletions(-)
 delete mode 100644 puppet/extraconfig/tls/tls-cert-inject.yaml

diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
deleted file mode 100644
index 20759937cf..0000000000
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ /dev/null
@@ -1,140 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  This is a template which will build the TLS Certificates necessary
-  for the load balancer using the given parameters.
-
-parameters:
-  # Can be overridden via parameter_defaults in the environment
-  SSLCertificate:
-    default: ''
-    description: >
-      The content of the SSL certificate (without Key) in PEM format.
-    type: string
-  SSLIntermediateCertificate:
-    default: ''
-    description: >
-      The content of an SSL intermediate CA certificate in PEM format.
-    type: string
-  # NOTE(jaosorior): Adding this default is only while we enable TLS by default
-  # for the overcloud. It'll be removed in a subsequent patch.
-  SSLKey:
-    default: ''
-    description: >
-      The content of the SSL Key in PEM format.
-    type: string
-    hidden: true
-
-  # Can be overridden by parameter_defaults if the user wants to try deploying
-  # this in a distro that doesn't support this path.
-  DeployedSSLCertificatePath:
-    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
-    description: >
-        The filepath of the certificate as it will be stored in the controller.
-    type: string
-
-  # Passed in by the controller
-  NodeIndex:
-    default: 0
-    type: number
-  server:
-    description: ID of the controller node to apply this config to
-    type: string
-
-resources:
-  ControllerTLSConfig:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: script
-      inputs:
-        - name: cert_path
-        - name: cert_chain_content
-      outputs:
-        - name: chain_md5sum
-        - name: cert_modulus
-        - name: key_modulus
-      config: |
-        #!/bin/sh
-        # If the HAProxy container tried to load this, it'll be a directory and
-        # will make this fail.
-        if [ -d ${cert_path} ]; then
-            rmdir ${cert_path}
-            HAPROXY_TLS_UPDATE_NEEDED=1
-        else
-            HAPROXY_TLS_UPDATE_NEEDED=0
-        fi
-        cat > ${cert_path} << EOF
-        ${cert_chain_content}
-        EOF
-        chmod 0440 ${cert_path}
-        chown root:haproxy ${cert_path}
-        md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
-        openssl x509 -noout -modulus -in ${cert_path} \
-          | openssl md5 | cut -c 10- \
-          > ${heat_outputs_path}.cert_modulus
-        openssl rsa -noout -modulus -in ${cert_path} \
-          | openssl md5 | cut -c 10- \
-          > ${heat_outputs_path}.key_modulus
-        # We need to reload haproxy in case the certificate changed because
-        # puppet doesn't know the contents of the cert file.
-        haproxy_status=$(systemctl is-active haproxy)
-        if [ "$haproxy_status" = "active" ]; then
-            systemctl reload haproxy
-        fi
-        pacemaker_status=$(systemctl is-active pacemaker)
-        # If we need an update and pacemaker is being used, we need to restart
-        # the pacemaker resource on the bootstrap node. We don't support the update
-        # in non-pacemaker cases.
-        if [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 1 && "$pacemaker_status" == "active" ]]; then
-            BOOTSTRAPNODE=$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)
-            MY_HOSTNAME=$(hostname)
-            if [[ "$BOOTSTRAPNODE" == "$MY_HOSTNAME" ]]; then
-                # Triggers an update
-                HAPROXY_RESOURCE_NAME=$(pcs status | grep container | grep haproxy | sed 's/^.*container.*: \(.*\) .*/\1/')
-                if [[ -n "$HAPROXY_RESOURCE_NAME" ]]; then
-                    pcs resource restart "$HAPROXY_RESOURCE_NAME"
-                fi
-            fi
-        elif [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 0 ]]; then
-            # Handles reloading HAProxy and fetching a new certificate if
-            # necessary
-            HAPROXY_CONTAINER_ID=$(docker ps | grep '[[:space:]]haproxy' | awk '{print $1}')
-            if [[ -n "$HAPROXY_CONTAINER_ID" ]]; then
-                if [[ "$pacemaker_status" == "active" ]]; then
-                    # We copy the certificate from the mount point to the desired
-                    # path
-                    docker exec "$HAPROXY_CONTAINER_ID" cp /var/lib/kolla/config_files/src-tls${cert_path} ${cert_path}
-                fi
-                docker kill --signal=HUP "$HAPROXY_CONTAINER_ID"
-            fi
-        fi
-
-
-  ControllerTLSDeployment:
-    type: OS::Heat::SoftwareDeployment
-    properties:
-      name: ControllerTLSDeployment
-      config: {get_resource: ControllerTLSConfig}
-      server: {get_param: server}
-      input_values:
-        cert_path: {get_param: DeployedSSLCertificatePath}
-        cert_chain_content:
-          list_join:
-            - ''
-            - - {get_param: SSLCertificate}
-              - {get_param: SSLIntermediateCertificate}
-              - {get_param: SSLKey}
-
-outputs:
-  deploy_stdout:
-    description: Deployment reference
-    value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
-  deployed_ssl_certificate_path:
-    description: The location that the TLS certificate was deployed to.
-    value: {get_param: DeployedSSLCertificatePath}
-  key_modulus_md5:
-    description: MD5 checksum of the Key SSL Modulus
-    value: {get_attr: [ControllerTLSDeployment, key_modulus]}
-  cert_modulus_md5:
-    description: MD5 checksum of the Certificate SSL Modulus
-    value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
diff --git a/sample-env-generator/README.rst b/sample-env-generator/README.rst
index f9bbfaa5a0..21aed99a0c 100644
--- a/sample-env-generator/README.rst
+++ b/sample-env-generator/README.rst
@@ -38,7 +38,7 @@ Environment-specific:
 - **files**: The Heat templates containing the parameter definitions
   for the environment.  Should be specified as a path relative to the
   root of the ``tripleo-heat-templates`` project.  For example:
-  ``puppet/extraconfig/tls/tls-cert-inject.yaml:``.  Each filename
+  ``puppet/extraconfig/tls/ca-inject.yaml:``.  Each filename
   should be a YAML dictionary that contains a ``parameters`` entry.
 - **parameters**: There should be one ``parameters`` entry per file in the
   ``files`` section (see the example configuration below).
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index 3b622f8276..bf799b216b 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -288,7 +288,6 @@ ANSIBLE_TASKS_YAMLS = [
 
 HEAT_OUTPUTS_EXCLUSIONS = [
     './puppet/extraconfig/tls/ca-inject.yaml',
-    './puppet/extraconfig/tls/tls-cert-inject.yaml',
     './deployed-server/deployed-server.yaml',
     './extraconfig/tasks/ssh/host_public_key.yaml',
     './extraconfig/pre_network/host_config_and_reboot.yaml'