Support adding a trusted CA certificate in ansible

Some parts of the ansible playbook may require installing a trusted CA cert on the system. For example specifying a docker registry using a self signed cert. This change will allow the ansible playbook to call the system certificate-install command during initial config. Change-Id: Ic094837388b0fb644d647e693314dd3abaab1266 Signed-off-by: David Sullivan <david.sullivan@windriver.com> Partial-Bug: 1831946
2019-06-18 09:46:17 -04:00 · 2019-06-18 09:46:17 -04:00 · 023c011063
parent dd7ff62936
commit 023c011063
2 changed files with 19 additions and 2 deletions
--- a/puppet-manifests/src/modules/platform/manifests/config.pp
+++ b/puppet-manifests/src/modules/platform/manifests/config.pp
@ -251,6 +251,13 @@ class platform::config::certs::ssl_ca
  inherits ::platform::config::certs::params {

  $ssl_ca_file = '/etc/pki/ca-trust/source/anchors/ca-cert.pem'
+  if str2bool($::is_initial_config) {
+    $docker_restart_cmd = 'systemctl restart docker'
+  }
+  else {
+    $docker_restart_cmd = 'pmon-restart dockerd'
+  }
+
  if ! empty($ssl_ca_cert) {
    file { 'create-ssl-ca-cert':
      ensure  => present,
@ -273,10 +280,19 @@ class platform::config::certs::ssl_ca
    refreshonly => true
  }
  -> exec { 'restart docker':
-    command     => 'pmon-restart dockerd',
+    command     => $docker_restart_cmd,
    subscribe   => File[$ssl_ca_file],
    refreshonly => true
  }
+  if str2bool($::is_controller_active) {
+    Exec['restart docker']
+    -> file { '/etc/platform/.ssl_ca_complete':
+      ensure => present,
+      owner  => root,
+      group  => root,
+      mode   => '0644',
+    }
+  }
 }


--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@ -10309,7 +10309,8 @@ class ConductorManager(service.PeriodicService):
            }
            self._config_apply_runtime_manifest(context,
                                                config_uuid,
-                                                config_dict)
+                                                config_dict,
+                                                force=True)
        elif mode == constants.CERT_MODE_DOCKER_REGISTRY:
            LOG.info("Docker registry certificate install")
            # docker registry requires a PKCS1 key for the token server