Move cobbler and nginx SSL keys to master node
To let SSL keys survive container recreation, move those keys to the master node instead. Change-Id: I6394f57165760b578ef4795d48a478df9788b3ff Closes-Bug: #1491849
parent
b815ca389b
commit
ffce5cd31f
@ -157,7 +157,14 @@ class cobbler::server (
|
|||
|
||||
#TODO(mattymo): refactor this into cobbler module and use OS-dependent
|
||||
#directories
|
||||
file { ['/etc/httpd', '/etc/httpd/conf/', '/etc/httpd/conf.d/']:
|
||||
file { ['/etc/httpd',
|
||||
'/etc/httpd/conf/',
|
||||
'/etc/httpd/conf.d/',
|
||||
'/var/lib/fuel',
|
||||
'/var/lib/fuel/keys',
|
||||
'/var/lib/fuel/keys/master',
|
||||
'/var/lib/fuel/keys/master/cobbler',
|
||||
]:
|
||||
ensure => 'directory',
|
||||
}
|
||||
file { '/etc/httpd/conf.d/nailgun.conf':
|
||||
|
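Review bot: The new key directory `/var/lib/fuel/keys/master/cobbler` is declared with only `ensure => 'directory'`, so its mode falls back to the agent's umask even though it is about to hold the cobbler private key on a host volume that other containers mount; the leaf directory should carry an explicit owner, group and mode. The three parent directories are declared identically in nailgun::nginx (hunk `@ -33,6 +33,14 @@`), which is a duplicate declaration of File['/var/lib/fuel'] and its children if both classes ever land in the same catalog — presumably they run in separate containers, but that is worth confirming or moving the shared parents into one place. A split like the following keeps the parents as they are and tightens only the key directory. The enclosing class cobbler::server starts and ends outside the hunk.
```puppet
# … unchanged: file { ['/etc/httpd', …, '/var/lib/fuel/keys/master']: ensure => 'directory' } …
# key material lives here: root-only, not group/world readable
file { '/var/lib/fuel/keys/master/cobbler':
  ensure => 'directory',
  owner  => 'root',
  group  => 'root',
  mode   => '0700',
}
```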
@ -179,11 +186,12 @@ class cobbler::server (
|
|||
unit => 'Fuel Deployment Team',
|
||||
email => "root@${dns_domain}",
|
||||
days => 3650,
|
||||
base_dir => '/etc/pki/tls/',
|
||||
base_dir => '/var/lib/fuel/keys/master/cobbler/',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
force => false,
|
||||
cnf_tpl => 'openssl/cert.cnf.erb',
|
||||
require => File['/var/lib/fuel/keys/master/cobbler'],
|
||||
notify => Service[$cobbler_web_service],
|
||||
}
|
||||
|
||||
|
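Review bot: `force => false` keeps whatever key pair already exists under the new `base_dir`, but nothing carries over the pair that earlier runs generated under the removed `/etc/pki/tls/`, so the first run after this change mints a fresh cobbler certificate and anything that trusts or pins the old one stops validating; if continuity matters, copy the existing pair into `/var/lib/fuel/keys/master/cobbler/` before this resource (an `exec` guarded by `creates`), otherwise state in the commit message that the certificate rotates once. The same applies to the nailgun::nginx resource at `@ -60,10 +68,11 @@`. `owner`/`group` are root but no file mode is visible here, and the directory now sits on a host volume mounted into other containers, so confirm that openssl::certificate writes the key owner-only or add a `file` resource for `/var/lib/fuel/keys/master/cobbler/cobbler.key` with `mode => '0600'`. Minor: the nginx hunk places `require` before `cnf_tpl` while this one places it after; pick one ordering. The opening line of the openssl::certificate resource is outside the hunk.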
@ -105,14 +105,14 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH
|
|||
# the certificate is encrypted, then you will be prompted for a
|
||||
# pass phrase. Note that a kill -HUP will prompt again. A new
|
||||
# certificate can be generated using the genkey(1) command.
|
||||
SSLCertificateFile /etc/pki/tls/cobbler.crt
|
||||
SSLCertificateFile /var/lib/fuel/keys/master/cobbler/cobbler.crt
|
||||
|
||||
# Server Private Key:
|
||||
# If the key is not combined with the certificate, use this
|
||||
# directive to point at the key file. Keep in mind that if
|
||||
# you've both a RSA and a DSA private key you can configure
|
||||
# both in parallel (to also allow the use of DSA ciphers, etc.)
|
||||
SSLCertificateKeyFile /etc/pki/tls/cobbler.key
|
||||
SSLCertificateKeyFile /var/lib/fuel/keys/master/cobbler/cobbler.key
|
||||
|
||||
# Server Certificate Chain:
|
||||
# Point SSLCertificateChainFile at a file containing the
|
||||
|
@ -103,7 +103,7 @@ ASTUTE_VOL="--volumes-from ${CONTAINER_NAMES['astute']}"
|
|||
###astute: mcollective
|
||||
declare -A REQS
|
||||
REQS["${HOST_VOL['astuteyaml']}"]="cobbler postgres rabbitmq rsync astute nailgun ostf nginx rsyslog mcollective keystone"
|
||||
REQS["${HOST_VOL['keys']}"]="mcollective astute ostf"
|
||||
REQS["${HOST_VOL['keys']}"]="mcollective astute ostf cobbler nginx"
|
||||
REQS["${HOST_VOL['repo']}"]="cobbler postgres rabbitmq rsync astute nailgun ostf nginx rsyslog mcollective keystone"
|
||||
REQS["${HOST_VOL['logs']}"]="cobbler postgres rabbitmq rsync astute nailgun ostf nginx rsyslog mcollective keystone"
|
||||
#Most containers work from local integrated puppet, but rsync needs to serve host puppet
|
||||
|
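Review bot: Appending `cobbler nginx` to `REQS["${HOST_VOL['keys']}"]` mounts the whole keys volume into both containers, so the cobbler container can read the nginx TLS private key, the nginx container can read cobbler's, and mcollective/astute/ostf, which already mount this volume, see both; conversely cobbler and nginx now see whatever those three keep there. Per-service host volumes (one for the cobbler key directory, one for the nginx one) would keep each container limited to its own material; failing that, the per-service subdirectories under the shared tree need root-only modes so that only the root-running parts of each service can read them. Only part of the REQS table is visible; other entries may live outside the hunk.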
@ -33,6 +33,14 @@ class nailgun::nginx(
|
|||
ensure => latest,
|
||||
}
|
||||
|
||||
file { ['/var/lib/fuel',
|
||||
'/var/lib/fuel/keys',
|
||||
'/var/lib/fuel/keys/master',
|
||||
'/var/lib/fuel/keys/master/nginx',
|
||||
]:
|
||||
ensure => 'directory',
|
||||
}
|
||||
|
||||
file { ["/etc/nginx/conf.d/default.conf",
|
||||
"/etc/nginx/conf.d/virtual.conf",
|
||||
"/etc/nginx/conf.d/ssl.conf"]:
|
||||
|
@ -60,10 +68,11 @@ class nailgun::nginx(
|
|||
unit => 'Fuel Deployment Team',
|
||||
email => "root@fuel.master.local",
|
||||
days => 3650,
|
||||
base_dir => '/etc/pki/tls/',
|
||||
base_dir => '/var/lib/fuel/keys/master/nginx/',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
force => false,
|
||||
require => File['/var/lib/fuel/keys/master/nginx'],
|
||||
cnf_tpl => 'openssl/cert.cnf.erb',
|
||||
}
|
||||
}
|
||||
|
@ -10,8 +10,8 @@ server {
|
|||
<%- end -%>
|
||||
<%- if @ssl_enabled -%>
|
||||
listen 8443 ssl;
|
||||
ssl_certificate /etc/pki/tls/nginx.crt;
|
||||
ssl_certificate_key /etc/pki/tls/nginx.key;
|
||||
ssl_certificate /var/lib/fuel/keys/master/nginx/nginx.crt;
|
||||
ssl_certificate_key /var/lib/fuel/keys/master/nginx/nginx.key;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
<%- end -%>
|
||||
|