Fix AFS and CA docs references to puppetmaster
Also, update the locations that we're told to hieraedit.

Change-Id: I41824ff9dc52b3e70a5e55ae71ef49f29511e8e3
This commit is contained in:
parent
dd4b26903b
commit
7ed39c17f5
@ -363,13 +363,13 @@ read-write volumes.
kadmin: ktadd -k /path/to/foo.keytab service/foo-mirror@OPENSTACK.ORG
* Add the service principal's keytab to hiera. Copy the binary key to
``puppetmaster.openstack.org`` and then use ``hieraedit`` to update
``bridge.openstack.org`` and then use ``hieraedit`` to update
the files
.. code-block:: console
root@puppetmaster:~# /opt/system-config/tools/hieraedit.py \
--yaml /etc/puppet/hieradata/production/fqdn/mirror-update.openstack.org.yaml \
root@bridge:~# /opt/system-config/tools/hieraedit.py \
--yaml /etc/ansible/hosts/host_vars/mirror-update.openstack.org.yaml \
-f /path/to/foo.keytab KEYNAME
(don't forget to ``git commit`` and save the change; you can remove
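Review bot: the trailing context line still tells the operator to ``git commit`` after running hieraedit, which matched the Puppet hieradata checkout on puppetmaster; if ``/etc/ansible/hosts/host_vars/mirror-update.openstack.org.yaml`` on bridge is managed differently, reword that reminder so it matches the new location. It would also help to state explicitly that the keytab copied to bridge (``/path/to/foo.keytab``) is shredded once hieraedit has stored it, the way the CA section below shreds newreq.pem.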
@ -12,7 +12,7 @@ At a Glance
===========
:Hosts:
* puppetmaster.openstack.org
* bridge.openstack.org
:Projects:
* https://www.openssl.org/
:Documentation:
@ -21,29 +21,29 @@ At a Glance
Overview
========
Today we have a single CA service setup on puppetmaster.o.o:
Today we have a single CA service setup on bridge.o.o:
/etc/zuul-ca
This is used for generating SSL certificates needed by our CI systems. As we
need to create more SSL certificates for new services, we'll create additional
directories on puppetmaster.openstack.org, having multiple CA services.
directories on bridge.openstack.org, having multiple CA services.
Generating a CA certificate
---------------------------
Below are the steps for create a new certificicate authority. Today we do this
on puppetmaster.openstack.org. Some important things to note, our pass phrase
on bridge.openstack.org. Some important things to note, our pass phrase
for our cakey.pem file is stored in our GPG password.txt file. Additionally, by
default our cacert.pem file will only be valid for 3 years.
*NOTE* In the example below we'll be using the /etc/zuul-ca folder on
puppetmaster.openstack.org.
bridge.openstack.org.
.. code-block:: bash
root@puppetmaster:~# cd /etc/zuul-ca
root@puppetmaster:/etc/zuul-ca# env CN=zuulv3.openstack.org CATOP=. SSLEAY_CONFIG="-config ./openssl.cnf" /usr/lib/ssl/misc/CA.sh -newca
root@bridge:~# cd /etc/zuul-ca
root@bridge:/etc/zuul-ca# env CN=zuul.openstack.org CATOP=. SSLEAY_CONFIG="-config ./openssl.cnf" /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
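Review bot: the CN change from zuulv3.openstack.org to zuul.openstack.org in the ``CA.sh -newca`` example is unrelated to the puppetmaster-to-bridge rename and is not mentioned in the commit message; either call it out there or split it into its own change so the CA subject rename can be reviewed on its own. While this block is being touched, the context line "Below are the steps for create a new certificicate authority" could be corrected to "Below are the steps to create a new certificate authority".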
@ -68,7 +68,7 @@ puppetmaster.openstack.org.
stateOrProvinceName = Texas
organizationName = OpenStack Foundation
organizationalUnitName = Infrastructure
commonName = zuulv3.openstack.org
commonName = zuul.openstack.org
emailAddress = openstack-infra@lists.openstack.org
X509v3 extensions:
X509v3 Subject Key Identifier:
@ -91,9 +91,9 @@ certificate. Below we'll be create the private key for a gearman server.
.. code-block:: bash
root@puppetmaster:~# umask 077
root@puppetmaster:~# cd /etc/zuul-ca
root@puppetmaster:/etc/zuul-ca# env CN=gearman.server CATOP=. SSLEAY_CONFIG="-config ./openssl.cnf" /usr/lib/ssl/misc/CA.sh -newreq-nodes
root@bridge:~# umask 077
root@bridge:~# cd /etc/zuul-ca
root@bridge:/etc/zuul-ca# env CN=gearman.server CATOP=. SSLEAY_CONFIG="-config ./openssl.cnf" /usr/lib/ssl/misc/CA.sh -newreq-nodes
Generating a 2048 bit RSA private key
.......+++
....+++
@ -243,15 +243,15 @@ then deleted from disk.
.. code-block:: bash
root@puppetmaster:~# cd /etc/zuul-ca
root@puppetmaster:/etc/zuul-ca# /opt/system-config/tools/hieraedit.py \
> --yaml /etc/puppet/hieradata/production/group/gearman.yaml \
root@bridge:~# cd /etc/zuul-ca
root@bridge:/etc/zuul-ca# /opt/system-config/tools/hieraedit.py \
> --yaml /etc/ansible/hosts/group_vars/gearman.yaml \
> -f newreq.pem gearman_ssl_key
root@puppetmaster:/etc/zuul-ca# /opt/system-config/tools/hieraedit.py \
> --yaml /etc/puppet/hieradata/production/group/gearman.yaml \
root@bridge:/etc/zuul-ca# /opt/system-config/tools/hieraedit.py \
> --yaml /etc/ansible/hosts/group_vars/gearman.yaml \
> -f newcert.pem gearman_ssl_cert
root@puppetmaster:/etc/zuul-ca# shred newreq.pem
root@puppetmaster:/etc/zuul-ca# rm newcert.pem newreq.pem
root@bridge:/etc/zuul-ca# shred newreq.pem
root@bridge:/etc/zuul-ca# rm newcert.pem newreq.pem
**NOTE** Be sure to delete newcert.pem and newreq.pem from the top-level
directory once complete. This helps avoid leaking our private keys.
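Review bot: the cleanup shreds only newreq.pem before the ``rm``; the doc treats newreq.pem as the file holding the private key (it is what hieraedit stores as gearman_ssl_key), but ``CA.sh -newreq-nodes`` in OpenSSL 1.0.x writes the key to a separate newkey.pem and only the request to newreq.pem, so please confirm which layout bridge produces and add newkey.pem to the shred and rm lines if it exists there. Using ``shred -u`` for the key file would also make the separate ``rm`` unnecessary and avoid leaving the key on disk between the two commands.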