Add new parameter PublicTLSCACert

We've been using InternalTLSCAFile parameter when enabling
public TLS for undercloud and is quite confusing. We recently
changed to use it in clouds.yaml and it would break when
both public and internal TLS are enabled for overcloud and both
use different CA certs. This adds a new parameter which we
will use in clouds.yaml, that would default to empty string
assuming that the certificates are trusted.

Closes-Bug: #1883818
Change-Id: Id6f612a91255b3158be821c363ca852c6b5d7496
Depends-On: https://review.opendev.org/737998
This commit is contained in:
Rabi Mishra 2020-06-17 09:36:10 +05:30 committed by Harry Rybacki
parent 708ad27a1f
commit 2acb0d376b
6 changed files with 15 additions and 16 deletions

View File

@ -67,11 +67,11 @@ parameters:
description: > description: >
Whether to enable TLS on the public interface or not. Whether to enable TLS on the public interface or not.
type: boolean type: boolean
InternalTLSCAFile: PublicTLSCAFile:
default: '/etc/ipa/ca.crt' default: ''
type: string type: string
description: Specifies the default CA cert to use if TLS is used for description: Specifies the default CA cert to use if TLS is used for
services in the internal network. services in the public network.
EnableInternalTLS: EnableInternalTLS:
type: boolean type: boolean
default: false default: false
@ -761,7 +761,7 @@ outputs:
cacert: cacert:
if: if:
- public_tls_enabled - public_tls_enabled
- {get_param: InternalTLSCAFile} - {get_param: PublicTLSCAFile}
- '' - ''
identity_api_version: '3' identity_api_version: '3'
region_name: {get_param: KeystoneRegion} region_name: {get_param: KeystoneRegion}

View File

@ -1,5 +1,6 @@
parameter_defaults: parameter_defaults:
InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem' InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
PublicSSLCertificateAutogenerated: true PublicSSLCertificateAutogenerated: true
resource_registry: resource_registry:

View File

@ -9,10 +9,6 @@
# A Heat environment file which can be used to enable TLS for the internal # A Heat environment file which can be used to enable TLS for the internal
# network via certmonger # network via certmonger
parameter_defaults: parameter_defaults:
# Specifies the default CA cert to use if TLS is used for services in the internal network.
# Type: string
InternalTLSCAFile: /etc/ipa/ca.crt
# ****************************************************** # ******************************************************
# Static parameters - these are values that must be # Static parameters - these are values that must be
# included in the environment but should not be changed. # included in the environment but should not be changed.

View File

@ -14,9 +14,9 @@ parameter_defaults:
# Type: boolean # Type: boolean
HorizonSecureCookies: True HorizonSecureCookies: True
# Specifies the default CA cert to use if TLS is used for services in the internal network. # Specifies the default CA cert to use if TLS is used for services in the public network.
# Type: string # Type: string
InternalTLSCAFile: '' PublicTLSCAFile: ''
# The content of the SSL certificate (without Key) in PEM format. # The content of the SSL certificate (without Key) in PEM format.
# Type: string # Type: string

View File

@ -0,0 +1,6 @@
---
features:
- Added new PublicTLSCAFile parameter, that is used to set the
ca cert in clouds.yaml for keystone public endpoint. This
defaults to empty string ('') assuming that the certs are
already trusted.

View File

@ -14,7 +14,7 @@ environments:
- HorizonSecureCookies - HorizonSecureCookies
deployment/keystone/keystone-container-puppet.yaml: deployment/keystone/keystone-container-puppet.yaml:
parameters: parameters:
- InternalTLSCAFile - PublicTLSCAFile
static: static:
# This should probably be private, but for testing static params I'm # This should probably be private, but for testing static params I'm
# setting it as such for now. # setting it as such for now.
@ -27,7 +27,7 @@ environments:
| |
The contents of the private key go here The contents of the private key go here
HorizonSecureCookies: True HorizonSecureCookies: True
InternalTLSCAFile: '' PublicTLSCAFile: ''
- -
name: ssl/enable-internal-tls name: ssl/enable-internal-tls
title: Enable SSL on OpenStack Internal Endpoints title: Enable SSL on OpenStack Internal Endpoints
@ -38,9 +38,6 @@ environments:
common/post.yaml: common/post.yaml:
parameters: parameters:
- EnableInternalTLS - EnableInternalTLS
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- InternalTLSCAFile
deployment/nova/nova-base-puppet.yaml: deployment/nova/nova-base-puppet.yaml:
parameters: parameters:
- RpcUseSSL - RpcUseSSL
@ -57,7 +54,6 @@ environments:
- ServerMetadata - ServerMetadata
sample_values: sample_values:
EnableInternalTLS: True EnableInternalTLS: True
InternalTLSCAFile: /etc/ipa/ca.crt
RpcUseSSL: True RpcUseSSL: True
NotifyUseSSL: True NotifyUseSSL: True
ServerMetadata: |-2 ServerMetadata: |-2