Merge "Add new parameter PublicTLSCACert" into stable/train

deployment/keystone/keystone-container-puppet.yaml

@@ -71,11 +71,11 @@ parameters:
     description: >
       Whether to enable TLS on the public interface or not.
     type: boolean
-  InternalTLSCAFile:
+  PublicTLSCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: ''
     type: string
     description: Specifies the default CA cert to use if TLS is used for
-                 services in the internal network.
+                 services in the public network.
   EnableInternalTLS:
     type: boolean
     default: false
@@ -766,7 +766,7 @@ outputs:
                   cacert:
                     if:
                       - public_tls_enabled
-                      - {get_param: InternalTLSCAFile}
+                      - {get_param: PublicTLSCAFile}
                       - ''
                   identity_api_version: '3'
                   region_name: {get_param: KeystoneRegion}

environments/public-tls-undercloud.yaml

@@ -1,5 +1,6 @@
 parameter_defaults:
   InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
+  PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
   PublicSSLCertificateAutogenerated: true
 
 resource_registry:

environments/ssl/enable-internal-tls.j2.yaml

@@ -9,10 +9,6 @@
 #   A Heat environment file which can be used to enable TLS for the internal
 #   network via certmonger
 parameter_defaults:
-  # Specifies the default CA cert to use if TLS is used for services in the internal network.
-  # Type: string
-  InternalTLSCAFile: /etc/ipa/ca.crt
-
   # ******************************************************
   # Static parameters - these are values that must be
   # included in the environment but should not be changed.

environments/ssl/enable-tls.yaml

@@ -14,9 +14,9 @@ parameter_defaults:
   # Type: boolean
   HorizonSecureCookies: True
 
-  # Specifies the default CA cert to use if TLS is used for services in the internal network.
+  # Specifies the default CA cert to use if TLS is used for services in the public network.
   # Type: string
-  InternalTLSCAFile: ''
+  PublicTLSCAFile: ''
 
   # The content of the SSL certificate (without Key) in PEM format.
   # Type: string

releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - Added new PublicTLSCAFile parameter, that is used to set the
+    ca cert in clouds.yaml for keystone public endpoint. This
+    defaults to empty string ('') assuming that the certs are
+    already trusted.

sample-env-generator/ssl.yaml

@@ -14,7 +14,7 @@ environments:
           - HorizonSecureCookies
       deployment/keystone/keystone-container-puppet.yaml:
         parameters:
-          - InternalTLSCAFile
+          - PublicTLSCAFile
     static:
       # This should probably be private, but for testing static params I'm
       # setting it as such for now.
@@ -27,7 +27,7 @@ environments:
         |
             The contents of the private key go here
       HorizonSecureCookies: True
-      InternalTLSCAFile: ''
+      PublicTLSCAFile: ''
   -
     name: ssl/enable-internal-tls
     title: Enable SSL on OpenStack Internal Endpoints
@@ -38,9 +38,6 @@ environments:
       common/post.yaml:
         parameters:
           - EnableInternalTLS
-      deployment/keystone/keystone-container-puppet.yaml:
-        parameters:
-          - InternalTLSCAFile
       deployment/nova/nova-base-puppet.yaml:
         parameters:
           - RpcUseSSL
@@ -57,7 +54,6 @@ environments:
       - ServerMetadata
     sample_values:
       EnableInternalTLS: True
-      InternalTLSCAFile: /etc/ipa/ca.crt
       RpcUseSSL: True
       NotifyUseSSL: True
       ServerMetadata: |-2