Merge "[victoria/ussuri/train] Change nbd, vnc and qemu default cacert file" into stable/ussuri
commit
74efd5e616
@ -105,15 +105,15 @@ parameters:
|
|||||||
description: Specifies the default CA cert to use if TLS is used for
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
services in the internal network.
|
services in the internal network.
|
||||||
InternalTLSNbdCAFile:
|
InternalTLSNbdCAFile:
|
||||||
default: '/etc/pki/qemu/ca-cert.pem'
|
default: '/etc/ipa/ca.crt'
|
||||||
type: string
|
type: string
|
||||||
description: Specifies the CA cert to use for NBD TLS.
|
description: Specifies the CA cert to use for NBD TLS.
|
||||||
InternalTLSVncCAFile:
|
InternalTLSVncCAFile:
|
||||||
default: '/etc/pki/CA/certs/vnc.crt'
|
default: '/etc/ipa/ca.crt'
|
||||||
type: string
|
type: string
|
||||||
description: Specifies the CA cert to use for VNC TLS.
|
description: Specifies the CA cert to use for VNC TLS.
|
||||||
InternalTLSQemuCAFile:
|
InternalTLSQemuCAFile:
|
||||||
default: '/etc/pki/CA/certs/qemu.pem'
|
default: '/etc/ipa/ca.crt'
|
||||||
type: string
|
type: string
|
||||||
description: Specifies the CA cert to use for qemu.
|
description: Specifies the CA cert to use for qemu.
|
||||||
CertificateKeySize:
|
CertificateKeySize:
|
||||||
@ -311,6 +311,8 @@ conditions:
|
|||||||
- {get_param: LibvirtVncCACert}
|
- {get_param: LibvirtVncCACert}
|
||||||
- ''
|
- ''
|
||||||
|
|
||||||
|
libvirt_vnc_ca_non_default: {not: {equals: [{get_param: InternalTLSVncCAFile}, '/etc/ipa/ca.crt']}}
|
||||||
|
|
||||||
memory_backing_dir_set:
|
memory_backing_dir_set:
|
||||||
not:
|
not:
|
||||||
and:
|
and:
|
||||||
@ -340,6 +342,8 @@ conditions:
|
|||||||
- {get_param: QemuCACert}
|
- {get_param: QemuCACert}
|
||||||
- ''
|
- ''
|
||||||
|
|
||||||
|
qemu_ca_non_default: {not: {equals: [{get_param: InternalTLSQemuCAFile}, '/etc/ipa/ca.crt']}}
|
||||||
|
|
||||||
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
|
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
|
||||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
|
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
|
||||||
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
|
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
|
||||||
@ -510,7 +514,7 @@ outputs:
|
|||||||
qemu-server-cert:
|
qemu-server-cert:
|
||||||
cacertfile:
|
cacertfile:
|
||||||
if:
|
if:
|
||||||
- qemu_specific_ca_unset
|
- qemu_ca_non_default
|
||||||
- get_param: InternalTLSQemuCAFile
|
- get_param: InternalTLSQemuCAFile
|
||||||
- null
|
- null
|
||||||
service_certificate: '/etc/pki/qemu/server-cert.pem'
|
service_certificate: '/etc/pki/qemu/server-cert.pem'
|
||||||
@ -572,7 +576,7 @@ outputs:
|
|||||||
libvirt-vnc-server-cert:
|
libvirt-vnc-server-cert:
|
||||||
cacertfile:
|
cacertfile:
|
||||||
if:
|
if:
|
||||||
- libvirt_vnc_specific_ca_unset
|
- libvirt_vnc_ca_non_default
|
||||||
- get_param: InternalTLSVncCAFile
|
- get_param: InternalTLSVncCAFile
|
||||||
- null
|
- null
|
||||||
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
|
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
|
||||||
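Review bot: The rewritten `if` for the `qemu-server-cert` `cacertfile` (and likewise `libvirt-vnc-server-cert`) now keys only on `qemu_ca_non_default`, so the former `qemu_specific_ca_unset` guard (the `QemuCACert` == '' check that is still defined in the conditions hunk) no longer applies: an operator who supplies `QemuCACert` together with a non-default `InternalTLSQemuCAFile` now gets certmonger writing the IPA CA to that path, where previously `cacertfile` stayed null. If that path is where the operator-provided CA is placed, the two writers will overwrite each other and the service may end up trusting the IPA CA rather than the intended one; the puppet side is not in this diff, so this needs confirming. The safe form keeps both gates: add `qemu_ca_managed: {and: [qemu_ca_non_default, qemu_specific_ca_unset]}` next to the new condition and use `- qemu_ca_managed` in the `if` (same shape for a `libvirt_vnc_ca_managed`). The literal `'/etc/ipa/ca.crt'` is now repeated in the parameter defaults and in each new condition, so a comment `# must match the InternalTLS*CAFile default above` on the conditions would keep them from drifting apart. No matching condition for `InternalTLSNbdCAFile` is visible in these hunks, so check whether the NBD request also has a `cacertfile` entry that needs the same treatment.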
|
@ -51,7 +51,7 @@ parameters:
|
|||||||
enable TLS transaport for libvirt VNC and configure the
|
enable TLS transaport for libvirt VNC and configure the
|
||||||
relevant keys for libvirt.
|
relevant keys for libvirt.
|
||||||
InternalTLSVncProxyCAFile:
|
InternalTLSVncProxyCAFile:
|
||||||
default: '/etc/pki/CA/certs/vnc.crt'
|
default: '/etc/ipa/ca.crt'
|
||||||
type: string
|
type: string
|
||||||
description: Specifies the CA cert to use for VNC TLS.
|
description: Specifies the CA cert to use for VNC TLS.
|
||||||
CertificateKeySize:
|
CertificateKeySize:
|
||||||
@ -122,6 +122,8 @@ conditions:
|
|||||||
- {get_param: LibvirtVncCACert}
|
- {get_param: LibvirtVncCACert}
|
||||||
- ''
|
- ''
|
||||||
|
|
||||||
|
libvirt_vnc_ca_non_default: {not: {equals: [{get_param: InternalTLSVncProxyCAFile}, '/etc/ipa/ca.crt']}}
|
||||||
|
|
||||||
allow_noauth:
|
allow_noauth:
|
||||||
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
||||||
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
||||||
@ -219,7 +221,7 @@ outputs:
|
|||||||
libvirt-vnc-client-cert:
|
libvirt-vnc-client-cert:
|
||||||
cacertfile:
|
cacertfile:
|
||||||
if:
|
if:
|
||||||
- libvirt_vnc_specific_ca_unset
|
- libvirt_vnc_ca_non_default
|
||||||
- get_param: InternalTLSVncProxyCAFile
|
- get_param: InternalTLSVncProxyCAFile
|
||||||
- null
|
- null
|
||||||
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
|
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
|
||||||
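Review bot: The `libvirt-vnc-client-cert` `cacertfile` is now gated only on `libvirt_vnc_ca_non_default`, dropping the `libvirt_vnc_specific_ca_unset` check (`LibvirtVncCACert` == '', still defined in the conditions hunk), so supplying `LibvirtVncCACert` together with a non-default `InternalTLSVncProxyCAFile` makes certmonger write the IPA CA to that path instead of leaving `cacertfile` null as before. Whether that clobbers an operator-provided CA depends on the puppet side, which is not in this diff, but the previous behaviour should not change silently. Keep both gates: `libvirt_vnc_ca_managed: {and: [libvirt_vnc_ca_non_default, libvirt_vnc_specific_ca_unset]}` in `conditions` and `- libvirt_vnc_ca_managed` in the `if`. Unrelated to this change but visible in the context lines: `allow_noauth` still enables unauthenticated VNC on any `StackUpdateType == 'UPGRADE'` run and carries a `Remove in Rocky` comment on a stable/ussuri branch, which is worth a follow-up.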
|
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile
|
||||||
|
do not point to the default IPA ca.crt file and instead are requested
|
||||||
|
to be loaded to component specific CA files (even if they are the same).
|
||||||
|
This can lead to a race where the CA cert is not being written by
|
||||||
|
certmonger in time.
|
||||||
|
Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to
|
||||||
|
use the IPA system cacert file '/etc/ipa/ca.crt' per default starting with
|
||||||
|
the wallaby release using the ansible role. This change backports to also
|
||||||
|
use the IPA system cacert file '/etc/ipa/ca.crt' to previous release when
|
||||||
|
managing the certs via puppet-tripleo.
|