Browse Source

Merge "Add new parameter PublicTLSCACert" into stable/train

changes/59/739459/6
Zuul 1 month ago
committed by Gerrit Code Review
parent
commit
4271246cf1
6 changed files with 15 additions and 16 deletions
  1. +4
    -4
      deployment/keystone/keystone-container-puppet.yaml
  2. +1
    -0
      environments/public-tls-undercloud.yaml
  3. +0
    -4
      environments/ssl/enable-internal-tls.j2.yaml
  4. +2
    -2
      environments/ssl/enable-tls.yaml
  5. +6
    -0
      releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml
  6. +2
    -6
      sample-env-generator/ssl.yaml

+ 4
- 4
deployment/keystone/keystone-container-puppet.yaml View File

@@ -71,11 +71,11 @@ parameters:
description: >
Whether to enable TLS on the public interface or not.
type: boolean
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
PublicTLSCAFile:
default: ''
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
services in the public network.
EnableInternalTLS:
type: boolean
default: false
@@ -766,7 +766,7 @@ outputs:
cacert:
if:
- public_tls_enabled
- {get_param: InternalTLSCAFile}
- {get_param: PublicTLSCAFile}
- ''
identity_api_version: '3'
region_name: {get_param: KeystoneRegion}


+ 1
- 0
environments/public-tls-undercloud.yaml View File

@@ -1,5 +1,6 @@
parameter_defaults:
InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
PublicSSLCertificateAutogenerated: true

resource_registry:


+ 0
- 4
environments/ssl/enable-internal-tls.j2.yaml View File

@@ -9,10 +9,6 @@
# A Heat environment file which can be used to enable TLS for the internal
# network via certmonger
parameter_defaults:
# Specifies the default CA cert to use if TLS is used for services in the internal network.
# Type: string
InternalTLSCAFile: /etc/ipa/ca.crt

# ******************************************************
# Static parameters - these are values that must be
# included in the environment but should not be changed.


+ 2
- 2
environments/ssl/enable-tls.yaml View File

@@ -14,9 +14,9 @@ parameter_defaults:
# Type: boolean
HorizonSecureCookies: True

# Specifies the default CA cert to use if TLS is used for services in the internal network.
# Specifies the default CA cert to use if TLS is used for services in the public network.
# Type: string
InternalTLSCAFile: ''
PublicTLSCAFile: ''

# The content of the SSL certificate (without Key) in PEM format.
# Type: string


+ 6
- 0
releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml View File

@@ -0,0 +1,6 @@
---
features:
- Added new PublicTLSCAFile parameter, that is used to set the
ca cert in clouds.yaml for keystone public endpoint. This
defaults to empty string ('') assuming that the certs are
already trusted.

+ 2
- 6
sample-env-generator/ssl.yaml View File

@@ -14,7 +14,7 @@ environments:
- HorizonSecureCookies
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- InternalTLSCAFile
- PublicTLSCAFile
static:
# This should probably be private, but for testing static params I'm
# setting it as such for now.
@@ -27,7 +27,7 @@ environments:
|
The contents of the private key go here
HorizonSecureCookies: True
InternalTLSCAFile: ''
PublicTLSCAFile: ''
-
name: ssl/enable-internal-tls
title: Enable SSL on OpenStack Internal Endpoints
@@ -38,9 +38,6 @@ environments:
common/post.yaml:
parameters:
- EnableInternalTLS
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- InternalTLSCAFile
deployment/nova/nova-base-puppet.yaml:
parameters:
- RpcUseSSL
@@ -57,7 +54,6 @@ environments:
- ServerMetadata
sample_values:
EnableInternalTLS: True
InternalTLSCAFile: /etc/ipa/ca.crt
RpcUseSSL: True
NotifyUseSSL: True
ServerMetadata: |-2


Loading…
Cancel
Save