openstack
/
tripleo-heat-templates
Code Issues Proposed changes

Merge "Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"" into stable/rocky

This commit is contained in:
Zuul 2019-08-21 01:11:03 +00:00 committed by Gerrit Code Review
parent 1c7b5ff95f ad1a53934f
commit 29dc880347
5 changed files with 4 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker/services/nova-libvirt.yaml
View File

@ -97,7 +97,7 @@ parameters:
description: Specifies the default CA cert to use if TLS is used for description: Specifies the default CA cert to use if TLS is used for
services in the internal network. services in the internal network.
InternalTLSVncCAFile: InternalTLSVncCAFile:
default: '/etc/ipa/ca.crt' default: '/etc/pki/CA/certs/vnc.crt'
type: string type: string
description: Specifies the CA cert to use for VNC TLS. description: Specifies the CA cert to use for VNC TLS.
LibvirtCACert: LibvirtCACert:

2
docker/services/nova-vnc-proxy.yaml
View File

@ -55,7 +55,7 @@ parameters:
enable TLS transaport for libvirt VNC and configure the enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt. relevant keys for libvirt.
InternalTLSVncCAFile: InternalTLSVncCAFile:
default: '/etc/ipa/ca.crt' default: '/etc/pki/CA/certs/vnc.crt'
type: string type: string
description: Specifies the CA cert to use for VNC TLS. description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert: LibvirtVncCACert:

2
puppet/services/nova-libvirt.yaml
View File

@ -88,7 +88,7 @@ parameters:
description: Specifies the default CA cert to use if TLS is used for description: Specifies the default CA cert to use if TLS is used for
services in the internal network. services in the internal network.
InternalTLSVncCAFile: InternalTLSVncCAFile:
default: '/etc/ipa/ca.crt' default: '/etc/pki/CA/certs/vnc.crt'
type: string type: string
description: Specifies the CA cert to use for VNC TLS. description: Specifies the CA cert to use for VNC TLS.
LibvirtCACert: LibvirtCACert:

2
puppet/services/nova-vnc-proxy.yaml
View File

@ -56,7 +56,7 @@ parameters:
enable TLS transaport for libvirt VNC and configure the enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt. relevant keys for libvirt.
InternalTLSVncCAFile: InternalTLSVncCAFile:
default: '/etc/ipa/ca.crt' default: '/etc/pki/CA/certs/vnc.crt'
type: string type: string
description: Specifies the CA cert to use for VNC TLS. description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert: LibvirtVncCACert:

10
releasenotes/notes/nova-point-internalTLSVNCCAFile-to-ipa-ca-1dfccad609a4d4cb.yaml
View File

@ -1,10 +0,0 @@
---
fixes:
- |
In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
requrested does not have the full CA chain and only have the free IPA
CA. As a result qemu which can not verify the vnc certificate sent by
the vnc-proxy. The issue is in certmonger as it does not return the full
CA chain.
As a workaround, until certmonger is fixed, this change points the
InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.