Add support for deploying SSL certificates
Change-Id: Idab966afe0005aea0388411d17469e4cdd258eb8
diff --git a/README.rst b/README.rst
index 7495992..108398e 100644
--- a/README.rst
+++ b/README.rst
@@ -252,6 +252,41 @@
port: 8082
params: backup check
+It's also possible to use multiple certificates for one listener (eg. when
+it's bind on multiple interfaces):
+
+.. code-block:: yaml
+
+ haproxy:
+ proxy:
+ listen:
+ dummy_site:
+ mode: http
+ binds:
+ - address: 127.0.0.1
+ port: 8080
+ ssl:
+ enabled: true
+ key: |
+ my super secret key follows
+ cert: |
+ certificate
+ chain: |
+ CA chain (if any)
+ - address: 127.0.1.1
+ port: 8081
+ ssl:
+ enabled: true
+ key: |
+ my super secret key follows
+ cert: |
+ certificate
+ chain: |
+ CA chain (if any)
+
+Definition above will result in creation of ``/etc/haproxy/ssl/dummy_site``
+directory with files ``1-all.pem`` and ``2-all.pem`` (per binds).
+
Custom listener with tcp-check options specified (for Redis cluster with Sentinel)
.. code-block:: yaml
diff --git a/haproxy/files/haproxy.cfg b/haproxy/files/haproxy.cfg
index dc33adb..79eb112 100644
--- a/haproxy/files/haproxy.cfg
+++ b/haproxy/files/haproxy.cfg
@@ -63,7 +63,7 @@
listen {{ listen_name }}
{%- for bind in listen.binds %}
- bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}ssl crt {{ bind.ssl.pem_file }}{% endif %}
+ bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}{% if bind.ssl.pem_file is defined %}ssl crt {{ bind.ssl.pem_file }}{% else %}/etc/haproxy/ssl/{{ listen_name }}{% endif %}{% endif %}
{%- endfor %}
{%- if listen.get('type', None) == 'http' %}
mode http
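Review bot: The new `{% else %}` branch on the bind line emits the bare directory path without the `ssl crt` keywords, so a bind whose `ssl.pem_file` is unset renders as `bind 127.0.0.1:8080 /etc/haproxy/ssl/dummy_site`, which haproxy will reject as an unknown bind keyword; the branch should read `{% else %}ssl crt /etc/haproxy/ssl/{{ listen_name }}{% endif %}`. Even with that fixed, pointing `crt` at the listener directory makes haproxy load every `<n>-all.pem` written for that listener into each bind, not just that bind's own certificate; if one certificate per bind is the intent, `ssl crt /etc/haproxy/ssl/{{ listen_name }}/{{ loop.index }}-all.pem` would match the path proxy.sls generates. The `listen` block this line belongs to starts outside the hunk.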
diff --git a/haproxy/files/ssl_all.pem b/haproxy/files/ssl_all.pem
new file mode 100644
index 0000000..748f351
--- /dev/null
+++ b/haproxy/files/ssl_all.pem
@@ -0,0 +1,6 @@
+{#-
+ vim: syntax=jinja
+-#}
+{{ key }}
+{{ cert }}
+{% if chain %}{{ chain }}{% endif %}
diff --git a/haproxy/proxy.sls b/haproxy/proxy.sls
index 427a266..ac90a42 100644
--- a/haproxy/proxy.sls
+++ b/haproxy/proxy.sls
@@ -39,4 +39,32 @@
- file: /etc/haproxy/haproxy.cfg
- file: /etc/default/haproxy
+{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
+ {%- if listen.get('enabled', True) %}
+ {%- for bind in listen.binds %}
+ {% if bind.get('ssl', {}).enabled|default(False) and bind.ssl.key is defined %}
+ {%- set pem_file = bind.ssl.get('pem_file', '/etc/haproxy/ssl/%s/%s-all.pem'|format(listen_name, loop.index)) %}
+
+{{ pem_file }}:
+ file.managed:
+ - template: jinja
+ - source: salt://haproxy/files/ssl_all.pem
+ - user: root
+ - group: haproxy
+ - mode: 640
+ - makedirs: true
+ - defaults:
+ key: {{ bind.ssl.key|yaml }}
+ cert: {{ bind.ssl.cert|yaml }}
+ chain: {{ bind.ssl.get('chain', '')|yaml }}
+ - require:
+ - file: haproxy_ssl
+ - watch_in:
+ - service: haproxy_service
+
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+{%- endfor %}
+
{%- endif %}
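Review bot: The `file.managed` state for `{{ pem_file }}` has no `show_changes: False`, so whenever the PEM file changes Salt returns a unified diff of its contents — including the private key taken from `bind.ssl.key` — into the state output, the master job cache and any log shipper; add `- show_changes: False` next to `- mode: 640`. The key is also embedded verbatim in the rendered state through `- defaults:`, so `state.show_sls` output exposes it regardless of that flag, which is worth a comment above the loop. The `- require: - file: haproxy_ssl` requisite refers to a state not present in this hunk; if it is not defined elsewhere in the file, the highstate will fail on an unsatisfied requisite. `proxy.get('listen', {}).iteritems()` only works under Python 2; `.items()` behaves the same on both. The outer `{%- if %}` closed by the last line begins outside the hunk.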