From 889163cd83c80708e96f9f2fb6c63b2af5555604 Mon Sep 17 00:00:00 2001
From: Rabi Mishra
Date: Wed, 17 Jun 2020 09:36:10 +0530
Subject: [PATCH] Add new parameter PublicTLSCACert

We've been using InternalTLSCAFile parameter when enabling public TLS for undercloud and is quite confusing. We recently changed to use it in clouds.yaml and it would break when both public and internal TLS are enabled for overcloud and both use different CA certs. This adds a new parameter which we will use in clouds.yaml, that would default to empty string assuming that the certificates are trusted.

Closes-Bug: #1883818
Change-Id: Id6f612a91255b3158be821c363ca852c6b5d7496
Depends-On: https://review.opendev.org/737998
(cherry picked from commit 2acb0d376b66375ba000369b24fc3354365b2601)
---
 deployment/keystone/keystone-container-puppet.yaml | 8 ++++----
 environments/public-tls-undercloud.yaml | 1 +
 environments/ssl/enable-internal-tls.j2.yaml | 4 ----
 environments/ssl/enable-tls.yaml | 4 ++--
 .../add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml | 6 ++++++
 sample-env-generator/ssl.yaml | 8 ++------
 6 files changed, 15 insertions(+), 16 deletions(-)
 create mode 100644 releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml

diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index dbcf8017db..9ed3c0e660 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -71,11 +71,11 @@ parameters:
 description: >
 Whether to enable TLS on the public interface or not.
 type: boolean
- InternalTLSCAFile:
- default: '/etc/ipa/ca.crt'
+ PublicTLSCAFile:
+ default: ''
 type: string
 description: Specifies the default CA cert to use if TLS is used for
- services in the internal network.
+ services in the public network.
 EnableInternalTLS:
 type: boolean
 default: false
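Review bot: The description of the new PublicTLSCAFile parameter does not say what its empty default means, yet that is the value that (per the commit message) lands in clouds.yaml as the CA used to verify the public Keystone endpoint, so an operator reading the template cannot tell whether '' disables verification or defers to the system trust store. Suggested wording for the `description:` lines: `Path to the CA certificate used to verify TLS on the public endpoints. The default ('') uses the system trust store; set it when the public certificate is signed by a CA that is not already trusted on the host.` The InternalTLSCAFile declaration removed here is still set by environments/public-tls-undercloud.yaml later in this patch, so presumably it remains declared in another template (the Depends-On change?); worth confirming so that value does not become an unused parameter_default. Also the subject line says PublicTLSCACert while the parameter added here is PublicTLSCAFile.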
@@ -766,7 +766,7 @@ outputs:
 cacert:
 if:
 - public_tls_enabled
- - {get_param: InternalTLSCAFile}
+ - {get_param: PublicTLSCAFile}
 - ''
 identity_api_version: '3'
 region_name: {get_param: KeystoneRegion}
diff --git a/environments/public-tls-undercloud.yaml b/environments/public-tls-undercloud.yaml
index 1851b79543..a0fafdf545 100644
--- a/environments/public-tls-undercloud.yaml
+++ b/environments/public-tls-undercloud.yaml
@@ -1,5 +1,6 @@
 parameter_defaults:
 InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
+ PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
 PublicSSLCertificateAutogenerated: true

 resource_registry:
diff --git a/environments/ssl/enable-internal-tls.j2.yaml b/environments/ssl/enable-internal-tls.j2.yaml
index 6ccc578cac..1bec0f14e2 100644
--- a/environments/ssl/enable-internal-tls.j2.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@@ -9,10 +9,6 @@
 # A Heat environment file which can be used to enable TLS for the internal
 # network via certmonger
 parameter_defaults:
- # Specifies the default CA cert to use if TLS is used for services in the internal network.
- # Type: string
- InternalTLSCAFile: /etc/ipa/ca.crt
-
 # ******************************************************
 # Static parameters - these are values that must be
 # included in the environment but should not be changed.
diff --git a/environments/ssl/enable-tls.yaml b/environments/ssl/enable-tls.yaml
index 0b727fd7ac..827eb7e571 100644
--- a/environments/ssl/enable-tls.yaml
+++ b/environments/ssl/enable-tls.yaml
@@ -14,9 +14,9 @@ parameter_defaults:
 # Type: boolean
 HorizonSecureCookies: True

- # Specifies the default CA cert to use if TLS is used for services in the internal network.
+ # Specifies the default CA cert to use if TLS is used for services in the public network.
 # Type: string
- InternalTLSCAFile: ''
+ PublicTLSCAFile: ''

 # The content of the SSL certificate (without Key) in PEM format.
 # Type: string
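Review bot: The `cacert` value written here becomes the empty string whenever public_tls_enabled is set and PublicTLSCAFile is left at its new default, which presumably the consuming client treats like an absent cacert (system trust store) rather than as a CA file path — worth confirming, since an empty path handed to the TLS layer would fail verification of every public-endpoint call. A comment above the `if`, `# '' (the default) means no explicit CA file; the client then uses the system trust store`, would record that intent next to the code. The enclosing outputs entry starts and ends outside the hunk.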
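Review bot: PublicTLSCAFile is given the same cm-local-ca.pem path as InternalTLSCAFile on the line above without a comment explaining why one CA serves both, which the next reader will need because the commit message says the two parameters exist precisely so that they can diverge on the overcloud. If, as the path and the "via certmonger" wording elsewhere in this patch suggest, both undercloud certificates come from the certmonger local CA, a comment above the two lines such as `# Both the internal and the autogenerated public certificate are issued by the certmonger local CA, so one CA file covers both.` would make that explicit.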
diff --git a/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml b/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml
new file mode 100644
index 0000000000..cb137d2b6a
--- /dev/null
+++ b/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Added new PublicTLSCAFile parameter, that is used to set the
+ ca cert in clouds.yaml for keystone public endpoint. This
+ defaults to empty string ('') assuming that the certs are
+ already trusted.
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index 19d7f8f52b..df64c92341 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -14,7 +14,7 @@ environments:
 - HorizonSecureCookies
 deployment/keystone/keystone-container-puppet.yaml:
 parameters:
- - InternalTLSCAFile
+ - PublicTLSCAFile
 static:
 # This should probably be private, but for testing static params I'm
 # setting it as such for now.
@@ -27,7 +27,7 @@ environments:
 | The contents of the private key go here
 HorizonSecureCookies: True
- InternalTLSCAFile: ''
+ PublicTLSCAFile: ''

 - name: ssl/enable-internal-tls
 title: Enable SSL on OpenStack Internal Endpoints
@@ -38,9 +38,6 @@ environments:
 common/post.yaml:
 parameters:
 - EnableInternalTLS
- deployment/keystone/keystone-container-puppet.yaml:
- parameters:
- - InternalTLSCAFile
 deployment/nova/nova-base-puppet.yaml:
 parameters:
 - RpcUseSSL
@@ -57,7 +54,6 @@ environments:
 - ServerMetadata
 sample_values:
 EnableInternalTLS: True
- InternalTLSCAFile: /etc/ipa/ca.crt
 RpcUseSSL: True
 NotifyUseSSL: True
 ServerMetadata: |-2
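Review bot: In the third hunk of sample-env-generator/ssl.yaml the ssl/enable-internal-tls entry loses its only CA-file parameter, and the fourth hunk drops the matching /etc/ipa/ca.crt sample value, so the generated enable-internal-tls environment no longer pins any CA path for the internal network — the regenerated environments/ssl/enable-internal-tls.j2.yaml earlier in this patch shows exactly that. If the intent is that internal-TLS deployments now rely on the default of whichever template still declares InternalTLSCAFile, a comment in the entry, `# InternalTLSCAFile is no longer listed here; its default comes from the declaring template`, would save the next reader from re-adding it. The sample_values block in the fourth hunk continues outside the hunk.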