Add EnablePublicTLS flag

This flag is on by default, and serves to enable (or disable) the
public TLS by default feature.

It differs from the PublicSSLCertificateAutogenerated flag in the fact
that it works with mistral, while PublicSSLCertificateAutogenerated
works with certmonger in the overcloud.

Change-Id: If553ecff26d5ecd529c37ca438e0ba1795e9ecca
Juan Antonio Osorio Robles 2018-04-26 17:08:50 +03:00
parent 2d73097169
commit 1260da2746
5 changed files with 57 additions and 24 deletions

@ -50,6 +50,11 @@ parameters:
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
EnablePublicTLS:
default: true
description: >
Whether to enable TLS on the public interface or not.
type: boolean
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
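Review bot: the description on the new EnablePublicTLS parameter reads as if true turns TLS on, but the public_tls_enabled condition later in this file still requires a non-empty SSLCertificate or PublicSSLCertificateAutogenerated set to true, so the flag can only veto TLS. Suggest wording along the lines of "Set to false to disable TLS on the public interface even when a certificate is configured; true alone does not enable it."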
@ -87,14 +92,16 @@ conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
public_tls_enabled:
or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
and:
- {get_param: EnablePublicTLS}
- or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
resources:
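Review bot: in the rewritten public_tls_enabled condition, the outer and: means EnablePublicTLS set to false wins over a non-empty SSLCertificate, so a deployment that supplies a certificate but also picks up an environment setting the flag to false ends up with public endpoints without TLS and no error. A comment above the and: stating that precedence would help, and a validation that rejects a non-empty SSLCertificate combined with EnablePublicTLS false would be better. Separately, `- {get_param: EnablePublicTLS}` is a bare parameter reference while internal_tls_enabled just above uses the equals: [..., true] form; pick one style.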

@ -38,6 +38,11 @@ parameters:
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
EnablePublicTLS:
default: true
description: >
Whether to enable TLS on the public interface or not.
type: boolean
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
@ -75,14 +80,16 @@ parameters:
conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
public_tls_enabled:
or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
and:
- {get_param: EnablePublicTLS}
- or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
resources:

@ -9,6 +9,9 @@
# Use this environment when deploying an SSL-enabled overcloud where the public
# endpoint is an IP address.
parameter_defaults:
EnablePublicTLS: false
# Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.
# Type: json
EndpointMap:
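Review bot: the added `EnablePublicTLS: false` sits under a header comment that still says "Use this environment when deploying an SSL-enabled overcloud", which now contradicts what the file does on the public interface. Update the header comment, and give the new key the same kind of description and Type comment lines that EndpointMap has directly below it.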

@ -67,6 +67,11 @@ parameters:
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
EnablePublicTLS:
default: true
description: >
Whether to enable TLS on the public interface or not.
type: boolean
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
@ -86,14 +91,16 @@ parameters:
conditions:
public_tls_enabled:
or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
and:
- {get_param: EnablePublicTLS}
- or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
resources:
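Review bot: this and:/or: block is the third verbatim copy of the public_tls_enabled condition in the patch, so any later change to the TLS gating has to be made in three templates, and a missed copy leaves the templates disagreeing on whether the public interface uses TLS. Add a comment on each copy naming the other two so they are kept in step.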

@ -0,0 +1,9 @@
---
features:
- |
This adds a flag called EnablePublicTLS, which defaults to 'true'. It
reflects that Public TLS is enabled by default, and it's read by
the deployment workflow to let the public certificate generation happen.
It can also be used to disable this feature, if it's set to 'false' as
it's done in the no-tls-endpoints-public-ip.yaml environment
file, which allows deployers to turn this feature off.
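Review bot: the last sentence of the release note says twice that the flag can turn the feature off ("It can also be used to disable this feature" and "which allows deployers to turn this feature off"); drop one of the two clauses. The note also mentions only the deployment workflow reading the flag, while the templates in this patch use it in public_tls_enabled as well, so state that setting it to false disables public TLS there too.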