
Add support for automatic provisioning and renewal of HTTPS certificates via LetsEncrypt. Spec is available at: https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347 Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io> Implements: blueprint letsencrypt-https Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106
#!/bin/bash -x
{% if kolla_enable_tls_internal | bool or kolla_enable_tls_external | bool %}
{% if kolla_enable_tls_external | bool %}
if [ ! -e "/etc/haproxy/certificates/haproxy.pem" ]; then
# Generate temporary self-signed cert
# This means external tls is enabled but the certificate was not copied
# to the container - so letsencrypt is enabled
#
# Let's generate certificate to make haproxy happy, lego will
# replace it in a while
ssl_tmp_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes -keyout ${ssl_tmp_dir}/haproxy$$.key -out ${ssl_tmp_dir}/haproxy$$.crt -subj "/CN={{ kolla_external_fqdn }}"
cat ${ssl_tmp_dir}/haproxy$$.crt ${ssl_tmp_dir}/haproxy$$.key> /etc/haproxy/certificates/haproxy.pem
rm -rf ${ssl_tmp_dir}
chown haproxy:haproxy /etc/haproxy/certificates/haproxy.pem
chmod 0660 /etc/haproxy/certificates/haproxy.pem
fi
{% endif %}
{% if kolla_enable_tls_internal | bool %}
if [ ! -e "/etc/haproxy/certificates/haproxy-internal.pem" ]; then
# Generate temporary self-signed cert
# This means external tls is enabled but the certificate was not copied
# to the container - so letsencrypt is enabled
#
# Let's generate certificate to make haproxy happy, lego will
# replace it in a while
ssl_tmp_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes -keyout ${ssl_tmp_dir}/haproxy-internal$$.key -out ${ssl_tmp_dir}/haproxy-internal$$.crt -subj "/CN={{ kolla_internal_fqdn }}"
cat ${ssl_tmp_dir}/haproxy-internal$$.crt ${ssl_tmp_dir}/haproxy-internal$$.key> /etc/haproxy/certificates/haproxy-internal.pem
rm -rf ${ssl_tmp_dir}
chown haproxy:haproxy /etc/haproxy/certificates/haproxy-internal.pem
chmod 0660 /etc/haproxy/certificates/haproxy-internal.pem
fi
{% endif %}
{% endif %}
find /etc/haproxy/services.d/ -mindepth 1 -print0 | \
xargs -0 -Icfg echo -f cfg | \
xargs /usr/sbin/haproxy -W -db -p /run/haproxy.pid -f /etc/haproxy/haproxy.cfg
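Review bot: Neither the external-cert block (guarded by `! -e "/etc/haproxy/certificates/haproxy.pem"`) nor the internal-cert block checks that `mktemp -d` and `openssl req` succeeded before `cat` writes the result into the final PEM, and the script runs without `set -e`, so a failed key generation leaves an empty or partial PEM that satisfies the `! -e` guard on the next container start and is never regenerated. The PEM is also created with whatever mode the container umask gives and only tightened afterwards by `chmod 0660`, so the temporary private key is briefly readable more widely than intended; placing `umask 077` before the `openssl` call and appending `|| exit 1` to the `openssl` and `cat` lines in both blocks addresses both points. The comment opening the internal block is copied from the external one and should read `# This means internal tls is enabled but the certificate was not copied`. Since the two blocks differ only in the PEM name and the FQDN, a single shell function taking those two arguments would keep the fix in one place.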