diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index cfe2860cbf..5f3c33c9b5 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -56,6 +56,26 @@ parameters:
 default: 'fernet'
 constraints:
 - allowed_values: ['fernet']
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ PublicSSLCertificateAutogenerated:
+ default: false
+ description: >
+ Whether the public SSL certificate was autogenerated or not.
+ type: boolean
+ EnablePublicTLS:
+ default: true
+ description: >
+ Whether to enable TLS on the public interface or not.
+ type: boolean
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 EnableInternalTLS:
 type: boolean
 default: false
@@ -314,6 +334,17 @@ resources:
 conditions:
 fast_forward_upgrade: {not: {equals: [{get_param: ContainerKeystoneImageStein},'']}}
+ public_tls_enabled:
+ and:
+ - {get_param: EnablePublicTLS}
+ - or:
+ - not:
+ equals:
+ - {get_param: SSLCertificate}
+ - ""
+ - equals:
+ - {get_param: PublicSSLCertificateAutogenerated}
+ - true
 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
@@ -718,6 +749,11 @@ outputs:
 project_name: admin
 user_domain_name: Default
 username: admin
+ cacert:
+ if:
+ - public_tls_enabled
+ - {get_param: InternalTLSCAFile}
+ - ''
 identity_api_version: '3'
 region_name: {get_param: KeystoneRegion}
 - name: Manage Keystone resources
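Review bot: The description of `InternalTLSCAFile` is written as a plain scalar that wraps onto a second line, while the three sibling parameters added just above it use a `>` folded block; for consistency it should be `description: >` followed by the two indented lines. Separately, within this diff `SSLCertificate` is only ever compared against the empty string in the new `public_tls_enabled` condition, so its description might say so, e.g. `Used here only to detect whether a public certificate was supplied.`, so a reader does not expect this template to install the PEM content itself. Whether the parameter is consumed elsewhere in the file is not visible in these hunks.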
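Review bot: `public_tls_enabled` is the only multi-line, nested condition in this block and its intent is not stated anywhere; a comment directly above it such as `# public TLS is in effect when enabled and a certificate was either supplied or autogenerated` would spare readers unpicking the and/or/not nesting. Since `EnablePublicTLS` defaults to `true` in the first hunk, in a default deployment this condition is driven entirely by `SSLCertificate` and `PublicSSLCertificateAutogenerated`, which is worth saying in the same comment.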
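Review bot: `cacert` is pointed at `InternalTLSCAFile` (default `/etc/ipa/ca.crt`) whenever `public_tls_enabled` holds, but that condition is also true when the operator supplies `SSLCertificate` themselves, and such a certificate need not chain to the internal CA; verifying the public endpoint against that file would then fail, or fail to open the file on nodes where the internal CA was never installed. Consider choosing the CA by how the certificate was obtained, i.e. use `InternalTLSCAFile` only when `PublicSSLCertificateAutogenerated` is true and otherwise a public-CA path parameter (the tree's `PublicTLSCAFile`, if this template already has access to it), or document in a comment above `cacert:` that the autogenerated public certificate is assumed to be issued by the internal CA. The mapping this key is added to begins outside the hunk, so whether any other TLS verification setting sits alongside it cannot be seen here.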