Add EnablePublicTLS flag
This flag is on by default and enables (or disables) the public-TLS-by-default feature. It differs from the PublicSSLCertificateAutogenerated flag in that it works with mistral, while PublicSSLCertificateAutogenerated works with certmonger in the overcloud. Change-Id: If553ecff26d5ecd529c37ca438e0ba1795e9ecca
parent
2d73097169
commit
1260da2746
@ -50,6 +50,11 @@ parameters:
|
||||
description: >
|
||||
Whether the public SSL certificate was autogenerated or not.
|
||||
type: boolean
|
||||
EnablePublicTLS:
|
||||
default: true
|
||||
description: >
|
||||
Whether to enable TLS on the public interface or not.
|
||||
type: boolean
|
||||
DeployedSSLCertificatePath:
|
||||
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
||||
description: >
|
||||
@ -87,14 +92,16 @@ conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
public_tls_enabled:
|
||||
or:
|
||||
- not:
|
||||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
and:
|
||||
- {get_param: EnablePublicTLS}
|
||||
- or:
|
||||
- not:
|
||||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
|
||||
resources:
|
||||
|
||||
|
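Review bot: The description added for `EnablePublicTLS` ("Whether to enable TLS on the public interface or not.") does not say what the new `public_tls_enabled` condition actually does with the flag. With the `and:` wrapper, `true` only permits TLS, which stays off unless `SSLCertificate` is non-empty or `PublicSSLCertificateAutogenerated` is true, while `false` switches it off even when a certificate has been supplied, so the public endpoint would presumably be served without TLS and nothing tells the deployer. I would state that in the description, for example `Whether TLS may be enabled on the public interface. Setting this to false disables public TLS even if SSLCertificate is set.` The same parameter and condition are repeated in the sections starting at `@ -38,6 +38,11 @@` and `@ -67,6 +67,11 @@`, so the wording should change in all three. The page prints the old `or:` form and the `and:` form one after the other without markers, so this reading assumes the `and:` block is the new side.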
@ -38,6 +38,11 @@ parameters:
|
||||
description: >
|
||||
Whether the public SSL certificate was autogenerated or not.
|
||||
type: boolean
|
||||
EnablePublicTLS:
|
||||
default: true
|
||||
description: >
|
||||
Whether to enable TLS on the public interface or not.
|
||||
type: boolean
|
||||
DeployedSSLCertificatePath:
|
||||
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
||||
description: >
|
||||
@ -75,14 +80,16 @@ parameters:
|
||||
conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
public_tls_enabled:
|
||||
or:
|
||||
- not:
|
||||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
and:
|
||||
- {get_param: EnablePublicTLS}
|
||||
- or:
|
||||
- not:
|
||||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -9,6 +9,9 @@
|
||||
# Use this environment when deploying an SSL-enabled overcloud where the public
|
||||
# endpoint is an IP address.
|
||||
parameter_defaults:
|
||||
|
||||
EnablePublicTLS: false
|
||||
|
||||
# Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry.
|
||||
# Type: json
|
||||
EndpointMap:
|
||||
|
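Review bot: The new `EnablePublicTLS: false` entry under `parameter_defaults:` has no comment, while `EndpointMap` right below it carries a description and a `# Type:` line, and the header above it still describes this environment as being for "an SSL-enabled overcloud". If the environment is meant to turn public TLS off, as the release note in this commit suggests, the header looks stale and should be corrected. Either way the entry should be documented in the file's own style, e.g. `# Whether to enable TLS on the public interface or not.` followed by `# Type: boolean`. Anyone who includes this file appears to get a public endpoint without TLS, so the file should say so at the point where the value is set.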
@ -67,6 +67,11 @@ parameters:
|
||||
description: >
|
||||
Whether the public SSL certificate was autogenerated or not.
|
||||
type: boolean
|
||||
EnablePublicTLS:
|
||||
default: true
|
||||
description: >
|
||||
Whether to enable TLS on the public interface or not.
|
||||
type: boolean
|
||||
DeployedSSLCertificatePath:
|
||||
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
||||
description: >
|
||||
@ -86,14 +91,16 @@ parameters:
|
||||
conditions:
|
||||
|
||||
public_tls_enabled:
|
||||
or:
|
||||
- not:
|
||||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
and:
|
||||
- {get_param: EnablePublicTLS}
|
||||
- or:
|
||||
- not:
|
||||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
This adds a flag called EnablePublicTLS, which defaults to 'true'. It
|
||||
reflects that Public TLS is enabled by default, and it's read by
|
||||
the deployment workflow to let the public certificate generation happen.
|
||||
It can also be used to disable this feature, if it's set to 'false' as
|
||||
it's done in the no-tls-endpoints-public-ip.yaml environment
|
||||
file, which allows deployers to turn this feature off.
|