diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 62d7a3b5b1..cd4e87aa06 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -50,6 +50,11 @@ parameters: description: > Whether the public SSL certificate was autogenerated or not. type: boolean + EnablePublicTLS: + default: true + description: > + Whether to enable TLS on the public interface or not. + type: boolean DeployedSSLCertificatePath: default: '/etc/pki/tls/private/overcloud_endpoint.pem' description: >
@@ -87,14 +92,16 @@ conditions: puppet_debug_enabled: {get_param: ConfigDebug} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} public_tls_enabled: - or: - - not: equals: - {get_param: SSLCertificate} - "" - equals: - {get_param: PublicSSLCertificateAutogenerated} - true + and: + - {get_param: EnablePublicTLS} + - or: + - not: + equals: + - {get_param: SSLCertificate} + - "" + - equals: + - {get_param: PublicSSLCertificateAutogenerated} + - true resources:
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 9cdd0859a1..f42060a574 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -38,6 +38,11 @@ parameters: description: > Whether the public SSL certificate was autogenerated or not. type: boolean + EnablePublicTLS: + default: true + description: > + Whether to enable TLS on the public interface or not. + type: boolean DeployedSSLCertificatePath: default: '/etc/pki/tls/private/overcloud_endpoint.pem' description: 
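Review bot: The description added for EnablePublicTLS does not say that it overrides the certificate-based checks — with the new `and:` in the public_tls_enabled condition further down this file, a false value makes the condition false even when SSLCertificate is set or PublicSSLCertificateAutogenerated is true, and a deployer reading only the parameter list will not know that. Suggested wording: `Whether to enable TLS on the public interface or not. When false, public TLS is disabled even if SSLCertificate is set or PublicSSLCertificateAutogenerated is true.` The same parameter block is added in docker/services/pacemaker/haproxy.yaml and puppet/services/haproxy.yaml and should get the same description. What public_tls_enabled gates in the resources section lies outside these hunks.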
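Review bot: The new `and:` list evaluates `- {get_param: EnablePublicTLS}` as a bare condition, while the `internal_tls_enabled` condition two lines above wraps its boolean parameter in `equals: [..., true]`; the two conditions would read consistently as `- equals: [{get_param: EnablePublicTLS}, true]`. Heat accepts a bare get_param of a boolean-typed parameter inside a condition, so this is a point of style rather than a defect. The same construct is used in the public_tls_enabled hunks of docker/services/pacemaker/haproxy.yaml and puppet/services/haproxy.yaml.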
>
@@ -75,14 +80,16 @@ parameters: conditions: puppet_debug_enabled: {get_param: ConfigDebug} public_tls_enabled: - or: - - not: equals: - {get_param: SSLCertificate} - "" - equals: - {get_param: PublicSSLCertificateAutogenerated} - true + and: + - {get_param: EnablePublicTLS} + - or: + - not: + equals: + - {get_param: SSLCertificate} + - "" + - equals: + - {get_param: PublicSSLCertificateAutogenerated} + - true resources:
diff --git a/environments/no-tls-endpoints-public-ip.yaml b/environments/no-tls-endpoints-public-ip.yaml
index 0b959d41dc..84091980a9 100644
--- a/environments/no-tls-endpoints-public-ip.yaml
+++ b/environments/no-tls-endpoints-public-ip.yaml
@@ -9,6 +9,9 @@ # Use this environment when deploying an SSL-enabled overcloud where the public # endpoint is an IP address. parameter_defaults: + + EnablePublicTLS: false + # Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. # Type: json EndpointMap:
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 04a06c9c5a..ac5013fada 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -67,6 +67,11 @@ parameters: description: > Whether the public SSL certificate was autogenerated or not. type: boolean + EnablePublicTLS: + default: true + description: > + Whether to enable TLS on the public interface or not. + type: boolean DeployedSSLCertificatePath: default: '/etc/pki/tls/private/overcloud_endpoint.pem' description: >
@@ -86,14 +91,16 @@ parameters: conditions: public_tls_enabled: - or: - - not: equals: - {get_param: SSLCertificate} - "" - equals: - {get_param: PublicSSLCertificateAutogenerated} - true + and: + - {get_param: EnablePublicTLS} + - or: + - not: + equals: + - {get_param: SSLCertificate} + - "" + - equals: + - {get_param: PublicSSLCertificateAutogenerated} + - true resources:
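Review bot: The `EnablePublicTLS: false` entry added under parameter_defaults in environments/no-tls-endpoints-public-ip.yaml carries none of the per-parameter commentary the neighbouring entry has (EndpointMap gets a description line and `# Type: json`); add `# Whether to enable TLS on the public interface or not.` and `# Type: boolean` above it so the file stays uniform. That comment style suggests this environment file is produced by a sample-environment generator — if so, the parameter belongs in the generator's input rather than an in-place edit, or it will be lost on the next regeneration. The header comment kept in context still says "an SSL-enabled overcloud"; since this value turns public TLS off through the new `and:` condition, stating that the public endpoint is served without TLS would make the intent clearer to a deployer.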
diff --git a/releasenotes/notes/Add-EnablePublicTLS-parameter-b3fcd01af6f3c101.yaml b/releasenotes/notes/Add-EnablePublicTLS-parameter-b3fcd01af6f3c101.yaml
new file mode 100644
index 0000000000..6146299516
--- /dev/null
+++ b/releasenotes/notes/Add-EnablePublicTLS-parameter-b3fcd01af6f3c101.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ This adds a flag called EnablePublicTLS, which defaults to 'true'. It
+ reflects that Public TLS is enabled by default, and it's read by
+ the deployment workflow to let the public certificate generation happen.
+ It can also be used to disable this feature, if it's set to 'false' as
+ it's done in the no-tls-endpoints-public-ip.yaml environment
+ file, which allows deployers to turn this feature off.