Fix missing OctaviaClientCert* parameters

OctaviaClientCert and OctaviaClientCertFile parameters were incorrectly removed in change Ia64668f9ef6efc91a05594ca34c35614d338fdb6. That breaks the user-provided certificate & key feature in Octavia deployments by not copying the client certificate to the controllers, Octavia services are then unable to communicate with running amphorae. This commit restores those parameters. Change-Id: I42b48a10512ef817203705a201c0b30d8d1bd50b Closes-Bug: #1874712
2020-04-24 14:43:51 +02:00 · 2020-04-24 14:43:51 +02:00 · 022c8f8425
parent e730fd780b
commit 022c8f8425
2 changed files with 18 additions and 1 deletions
--- a/deployment/octavia/octavia-base.yaml
+++ b/deployment/octavia/octavia-base.yaml
@ -92,6 +92,16 @@ parameters:
                 If provided, this will create or update a file on the host
                 with the path provided in OctaviaCaKeyFile with the key
                 data.
+  OctaviaClientCertFile:
+    type: string
+    default: '/etc/octavia/certs/client.pem'
+    description: Octavia client certificate for amphorae.
+  OctaviaClientCert:
+    type: string
+    default: ''
+    description: Octavia client certificate data. If provided, this will create
+                 or update a file on the host with the path provided in
+                 OctaviaClientCertFile with the certificate data.
  OctaviaServerCertsKeyPassphrase:
    constraints:
      - length: { min: 32, max: 32}
@ -206,6 +216,7 @@ conditions:
  service_debug_unset: {equals : [{get_param: OctaviaDebug}, '']}
  octavia_ca_cert_unset: {equals: [{get_param: OctaviaCaCert}, '']}
  octavia_ca_key_unset: {equals: [{get_param: OctaviaCaKey}, '']}
+  octavia_client_cert_unset: {equals: [{get_param: OctaviaClientCert}, '']}
  octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]}
  enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}

@ -253,6 +264,7 @@ outputs:
            octavia::service_auth::region_name: {get_param: KeystoneRegion}
            octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
            octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
+            octavia::certificates::client_cert: {get_param: OctaviaClientCertFile}
            octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
            octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
            octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
@ -291,3 +303,8 @@ outputs:
            - octavia_ca_key_unset
            - {}
            - octavia::certificates::ca_private_key_data: {get_param: OctaviaCaKey}
+          -
+            if:
+            - octavia_client_cert_unset
+            - {}
+            - octavia::certificates::client_cert_data: {get_param: OctaviaClientCert}
--- a/deployment/octavia/octavia-deployment-config.j2.yaml
+++ b/deployment/octavia/octavia-deployment-config.j2.yaml
@ -146,7 +146,7 @@ parameters:
    hidden: true
  OctaviaClientCertFile:
    default: '/etc/octavia/certs/client.pem'
-    description: client certificate for amphoras
+    description: Octavia client certificate for amphorae.
    type: string
  OctaviaGenerateCerts:
    type: boolean