7 Commits

Author SHA1 Message Date
Raildo
963b473380 Adding key_size option on the certmonger_certificate function
The certmonger_certificate function currently does not support
creating certificates with private keys stronger than 2048 bits.
Adding a key_size option.

The key_size option was added to puppet_certmonger in v2.6.0
upstream: https://github.com/saltedsignal/puppet-certmonger/releases/tag/v2.6.0

Change-Id: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
(cherry picked from commit 190aebca609e8ec68586cfa4ced9f2efa65758d1)
2021-01-05 15:45:15 +00:00
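The commits on this page add three knobs to the certmonger request that puppet-tripleo issues for a service: a larger private key (key_size), a list of subjectAltNames so one certificate can cover several names, and a configurable post-save command so containerized deployments are not restarted by certmonger on the host. The following is an added example of a single request that uses all three; it is not code from puppet-tripleo or puppet-certmonger. The resource type name comes from the upstream module named above; the parameter names (ca, certfile, keyfile, hostname, principal, dnsname, postsave_cmd, key_size), the paths and the hostnames are assumptions for illustration and must be checked against the module version actually deployed.

```puppet
# Added example, not project code. Parameter names and paths are assumptions;
# verify them against the puppet-certmonger release you run (key_size needs >= v2.6.0).
$service_fqdn = 'overcloud-controller-0.internalapi.example.com'   # constructed value

certmonger_certificate { 'httpd-internal-tls':
  ensure       => present,
  ca           => 'IPA',
  # Service-specific directory so only this service's key/cert is bind-mounted
  # into its container (see the "Ensure directory exists" commit on this page).
  certfile     => '/etc/pki/tls/certs/httpd/httpd-internal.crt',
  keyfile      => '/etc/pki/tls/private/httpd/httpd-internal.key',
  hostname     => $service_fqdn,
  principal    => "HTTP/${service_fqdn}",
  # One certificate covering several names instead of one certificate per name.
  dnsname      => [
    $service_fqdn,
    'overcloud.internalapi.example.com',   # constructed VIP name
  ],
  # 4096-bit RSA key; before the key_size option only the 2048-bit default was possible.
  key_size     => 4096,
  # On a containerized node the host must not restart the service itself;
  # on a bare-metal node this would instead be e.g. '/usr/bin/systemctl reload httpd'.
  postsave_cmd => '/usr/bin/podman kill --signal=HUP httpd',
}
```

Two checks worth making after a run: confirm the requested key size took effect (`getcert list -f /etc/pki/tls/certs/httpd/httpd-internal.crt` shows the tracking entry, and `openssl x509 -in <cert> -noout -text` shows "Public-Key: (4096 bit)" and the expected DNS entries under X509v3 Subject Alternative Name), and make sure postsave_cmd is left empty or set to a no-op when certificate renewal is handled elsewhere, since certmonger runs it as root on every renewal.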
Tobias Urdin
1523a4b804 Convert all class usage to relative names
Change-Id: Ib2ed745b682cf12f9469a5a64451adcabec400af
2019-12-08 23:23:25 +01:00
Juan Antonio Osorio Robles
f1f4a6ccb8 httpd: Remove default post-save command for certmonger
The default command didn't work, so we need to fix that.

Related-Bug: #1811401
Needed-By: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
Change-Id: I642f48aa0e66ca57de2ecee921c798747ba41e1a
2019-01-25 09:44:11 +00:00
Juan Antonio Osorio Robles
095d130f9d Certmonger: Make postsave command configurable
We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.

This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.

bp tls-via-certmonger-containers

Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
2017-08-18 18:59:35 +00:00
Juan Antonio Osorio Robles
6990da87c3 Enable setting subjectAltNames for haproxy and httpd certs
This enables setting the subjectAltNames for HAProxy and httpd certs.
These will eventually replace the usage of many certs, to have instead
just one that has several subjectAltNames.

Change-Id: Icd152c8e0389b6a104381ba6ab4e0944e9828ba3
2017-04-18 15:48:02 +03:00
Juan Antonio Osorio Robles
bbe603a260 Ensure directory exists for certificates for httpd
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.

Thus, we start by creating these directories if they don't exist in the
filesystem and adding the proper SELinux labels.

bp tls-via-certmonger-containers

Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-11 11:45:43 +00:00
Juan Antonio Osorio Robles
76bf2f532f Enable TLS in the internal network for keystone
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.

This, in turn, should also configure a command that should be run when
the certificate is refreshed (which requires the service to be
restarted).

bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
2016-10-19 17:37:32 +03:00