Merge "Add new parameter PublicTLSCACert" into stable/train
commit
4271246cf1
|
@ -71,11 +71,11 @@ parameters:
|
||||||
description: >
|
description: >
|
||||||
Whether to enable TLS on the public interface or not.
|
Whether to enable TLS on the public interface or not.
|
||||||
type: boolean
|
type: boolean
|
||||||
InternalTLSCAFile:
|
PublicTLSCAFile:
|
||||||
default: '/etc/ipa/ca.crt'
|
default: ''
|
||||||
type: string
|
type: string
|
||||||
description: Specifies the default CA cert to use if TLS is used for
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
services in the internal network.
|
services in the public network.
|
||||||
EnableInternalTLS:
|
EnableInternalTLS:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
@ -766,7 +766,7 @@ outputs:
|
||||||
cacert:
|
cacert:
|
||||||
if:
|
if:
|
||||||
- public_tls_enabled
|
- public_tls_enabled
|
||||||
- {get_param: InternalTLSCAFile}
|
- {get_param: PublicTLSCAFile}
|
||||||
- ''
|
- ''
|
||||||
identity_api_version: '3'
|
identity_api_version: '3'
|
||||||
region_name: {get_param: KeystoneRegion}
|
region_name: {get_param: KeystoneRegion}
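Review bot: The new `PublicTLSCAFile` definition in the first hunk does not say that the value is a file path or what the empty default means, and its text still calls it the "default CA cert". Because the `cacert` output in the second hunk now reads only `PublicTLSCAFile`, a deployment whose public endpoint is signed by a private CA and that relied on `InternalTLSCAFile` would get an empty `cacert` in clouds.yaml unless it sets the new parameter. That is inferred from the visible lines; other uses of `InternalTLSCAFile` in this template are outside the hunks. I would change the description to `Path to the CA certificate file that clients use to verify services on the public network when TLS is enabled. The empty default assumes the issuing CA is already in the client trust store.` The release note added by this commit should also gain an `upgrade` entry telling such operators to set `PublicTLSCAFile`.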
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
||||||
|
PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
||||||
PublicSSLCertificateAutogenerated: true
|
PublicSSLCertificateAutogenerated: true
|
||||||
|
|
||||||
resource_registry:
|
resource_registry:
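Review bot: The added `PublicTLSCAFile` line repeats the certmonger local CA path from the line above without saying why public endpoints are verified against it. The value appears to be coupled to `PublicSSLCertificateAutogenerated: true` on the following line, so someone changing one may miss the other. A comment above the new line such as `# Public certs are autogenerated via certmonger here, so clients verify them against its local CA.` would make the link explicit. The file name is not visible on this page, so whether this environment is test-only cannot be confirmed from here.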
|
||||||
|
|
|
@ -9,10 +9,6 @@
|
||||||
# A Heat environment file which can be used to enable TLS for the internal
|
# A Heat environment file which can be used to enable TLS for the internal
|
||||||
# network via certmonger
|
# network via certmonger
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
# Specifies the default CA cert to use if TLS is used for services in the internal network.
|
|
||||||
# Type: string
|
|
||||||
InternalTLSCAFile: /etc/ipa/ca.crt
|
|
||||||
|
|
||||||
# ******************************************************
|
# ******************************************************
|
||||||
# Static parameters - these are values that must be
|
# Static parameters - these are values that must be
|
||||||
# included in the environment but should not be changed.
|
# included in the environment but should not be changed.
|
||||||
|
|
|
@ -14,9 +14,9 @@ parameter_defaults:
|
||||||
# Type: boolean
|
# Type: boolean
|
||||||
HorizonSecureCookies: True
|
HorizonSecureCookies: True
|
||||||
|
|
||||||
# Specifies the default CA cert to use if TLS is used for services in the internal network.
|
# Specifies the default CA cert to use if TLS is used for services in the public network.
|
||||||
# Type: string
|
# Type: string
|
||||||
InternalTLSCAFile: ''
|
PublicTLSCAFile: ''
|
||||||
|
|
||||||
# The content of the SSL certificate (without Key) in PEM format.
|
# The content of the SSL certificate (without Key) in PEM format.
|
||||||
# Type: string
|
# Type: string
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- Added new PublicTLSCAFile parameter, that is used to set the
|
||||||
|
ca cert in clouds.yaml for keystone public endpoint. This
|
||||||
|
defaults to empty string ('') assuming that the certs are
|
||||||
|
already trusted.
|
|
@ -14,7 +14,7 @@ environments:
|
||||||
- HorizonSecureCookies
|
- HorizonSecureCookies
|
||||||
deployment/keystone/keystone-container-puppet.yaml:
|
deployment/keystone/keystone-container-puppet.yaml:
|
||||||
parameters:
|
parameters:
|
||||||
- InternalTLSCAFile
|
- PublicTLSCAFile
|
||||||
static:
|
static:
|
||||||
# This should probably be private, but for testing static params I'm
|
# This should probably be private, but for testing static params I'm
|
||||||
# setting it as such for now.
|
# setting it as such for now.
|
||||||
|
@ -27,7 +27,7 @@ environments:
|
||||||
|
|
|
|
||||||
The contents of the private key go here
|
The contents of the private key go here
|
||||||
HorizonSecureCookies: True
|
HorizonSecureCookies: True
|
||||||
InternalTLSCAFile: ''
|
PublicTLSCAFile: ''
|
||||||
-
|
-
|
||||||
name: ssl/enable-internal-tls
|
name: ssl/enable-internal-tls
|
||||||
title: Enable SSL on OpenStack Internal Endpoints
|
title: Enable SSL on OpenStack Internal Endpoints
|
||||||
|
@ -38,9 +38,6 @@ environments:
|
||||||
common/post.yaml:
|
common/post.yaml:
|
||||||
parameters:
|
parameters:
|
||||||
- EnableInternalTLS
|
- EnableInternalTLS
|
||||||
deployment/keystone/keystone-container-puppet.yaml:
|
|
||||||
parameters:
|
|
||||||
- InternalTLSCAFile
|
|
||||||
deployment/nova/nova-base-puppet.yaml:
|
deployment/nova/nova-base-puppet.yaml:
|
||||||
parameters:
|
parameters:
|
||||||
- RpcUseSSL
|
- RpcUseSSL
|
||||||
|
@ -57,7 +54,6 @@ environments:
|
||||||
- ServerMetadata
|
- ServerMetadata
|
||||||
sample_values:
|
sample_values:
|
||||||
EnableInternalTLS: True
|
EnableInternalTLS: True
|
||||||
InternalTLSCAFile: /etc/ipa/ca.crt
|
|
||||||
RpcUseSSL: True
|
RpcUseSSL: True
|
||||||
NotifyUseSSL: True
|
NotifyUseSSL: True
|
||||||
ServerMetadata: |-2
|
ServerMetadata: |-2
|
||||||
|
|