Commit Graph

9 Commits

Author SHA1 Message Date
Nagasai Vinaykumar Kapalavai
be82c86906 Qdr: InternalTLS support.
Configuration changes to provide Internal TLS support
for Qdr.

Change-Id: I30142db8bfa55412b8c8224aeb05916184117a86
2019-03-28 16:28:05 -04:00
Juan Antonio Osorio Robles
c5d8ed538a haproxy/certmonger: use container_cli to trigger HUP signal
We were using pkill, which would fail due to SELinux. Using the
container cli would be a better option. It's also more portable.

Change-Id: I6bf92bc1e74797d9132ae595af8929e67d439f43
Closes-Bug: #1821149
2019-03-21 10:13:07 +00:00
Grzegorz Grasza
7cc4a3da6f neutron dhcpd: Add script for certmonger postsave_cmd
The default update procedure didn't work, so we are fixing that.

Related-Bug: #1811401
Needed-By: I449df13ea2c49a8cf6d2e8e632b2b39707071c52
Change-Id: I9954cf33efedf2ec3dfb03109595cd4431feff60
2019-02-04 11:28:29 +01:00
Grzegorz Grasza
e6306badac novnc-proxy: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

Related-Bug: #1811401
Needed-By: Idc0844c8726aa53bc4cbd55f902248f854d2464f
Change-Id: Ifacbee9e31d84be1008ab7545defac71cf65793f
2019-02-01 16:45:41 +01:00
Grzegorz Grasza
4deea3a46b redis: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

The script additionally copies the certificates in the right place
and instead of restarting stunnel, triggers a configuration reload.

Related-Bug: #1811401
Needed-By: I49811a6cab5416d965ce1da93a71728ad5b1d27c
Change-Id: I437d69fef45d1662e8908c5ca0f7063be6cb9b32
2019-01-25 17:28:26 +01:00
Grzegorz Grasza
801391a13e rabbitmq: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.

Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a
2019-01-25 15:47:32 +01:00
Juan Antonio Osorio Robles
bd9846062c Reload HAProxy when certificate is renewed
This is meant to fix the issue of the certificate renewal not
automatically restarting/reloading the haproxy service.

It's all done by a script that's installed by puppet.

Preferably this patch and the one pointed to by this should merge at the
same time.

Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Needed-By: Id409899bf04e7f9f2653e6c48cfebd0a92ca2d08
Change-Id: I5d91f8d9b5cd4f86ae0511a69e58858c5dccd35d
2019-01-25 10:40:44 +01:00
Oliver Walsh
ceb4faebe1 Add support for libvirt VNC TLS with option of a dedicated CA
Configures ca/certs/key for nova-novnc vencrypt.

A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.

Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
2018-02-14 10:23:26 +00:00
Juan Antonio Osorio Robles
f85199c778 Add manifests to install and configure stunnel
Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.

Thus, we add manifests to configure it as such.

bp tls-via-certmonger

Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c
2017-08-25 10:11:08 +00:00