Add EnablePublicTLS flag

This flag is on by default, and serves to enable (or disable) the public TLS by default feature. It differs from the PublicSSLCertificateAutogenerated flag in the fact that it works with mistral, while PublicSSLCertificateAutogenerated works with certmonger in the overcloud. Change-Id: If553ecff26d5ecd529c37ca438e0ba1795e9ecca
2018-04-26 17:08:50 +03:00 · 2018-04-26 17:08:50 +03:00 · 1260da2746
commit 1260da2746
parent 2d73097169
5 changed files with 57 additions and 24 deletions
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@ -50,6 +50,11 @@ parameters:
    description: >
      Whether the public SSL certificate was autogenerated or not.
    type: boolean
+  EnablePublicTLS:
+    default: true
+    description: >
+      Whether to enable TLS on the public interface or not.
+    type: boolean
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
@ -87,7 +92,9 @@ conditions:
  puppet_debug_enabled: {get_param: ConfigDebug}
  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  public_tls_enabled:
-    or:
+    and:
+    - {get_param: EnablePublicTLS}
+    - or:
      - not:
          equals:
          - {get_param: SSLCertificate}
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@ -38,6 +38,11 @@ parameters:
    description: >
      Whether the public SSL certificate was autogenerated or not.
    type: boolean
+  EnablePublicTLS:
+    default: true
+    description: >
+      Whether to enable TLS on the public interface or not.
+    type: boolean
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
@ -75,7 +80,9 @@ parameters:
 conditions:
  puppet_debug_enabled: {get_param: ConfigDebug}
  public_tls_enabled:
-    or:
+    and:
+    - {get_param: EnablePublicTLS}
+    - or:
      - not:
          equals:
          - {get_param: SSLCertificate}
--- a/environments/no-tls-endpoints-public-ip.yaml
+++ b/environments/no-tls-endpoints-public-ip.yaml
@ -9,6 +9,9 @@
 #   Use this environment when deploying an SSL-enabled overcloud where the public
 #   endpoint is an IP address.
 parameter_defaults:
+
+  EnablePublicTLS: false
+
  # Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.
  # Type: json
  EndpointMap:
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@ -67,6 +67,11 @@ parameters:
    description: >
      Whether the public SSL certificate was autogenerated or not.
    type: boolean
+  EnablePublicTLS:
+    default: true
+    description: >
+      Whether to enable TLS on the public interface or not.
+    type: boolean
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
@ -86,7 +91,9 @@ parameters:
 conditions:

  public_tls_enabled:
-    or:
+    and:
+    - {get_param: EnablePublicTLS}
+    - or:
      - not:
          equals:
          - {get_param: SSLCertificate}
--- a/releasenotes/notes/Add-EnablePublicTLS-parameter-b3fcd01af6f3c101.yaml
+++ b/releasenotes/notes/Add-EnablePublicTLS-parameter-b3fcd01af6f3c101.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    This adds a flag called EnablePublicTLS, which defaults to 'true'. It
+    reflects that Public TLS is enabled by default, and it's read by
+    the deployment workflow to let the public certificate generation happen.
+    It can also be used to disable this feature, if it's set to 'false' as
+    it's done in the no-tls-endpoints-public-ip.yaml environment
+    file, which allows deployers to turn this feature off.