Merge "Set default InternalTLSCAFile in enable-tls.yaml" into stable/ussuri

2020-05-30 02:42:13 +00:00 · 2020-05-30 02:42:13 +00:00 · 8ad5f5697e
parent 3f3aba0554 8bdf199af9
commit 8ad5f5697e
3 changed files with 16 additions and 0 deletions
--- a/environments/ssl/enable-internal-tls.j2.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@ -9,6 +9,10 @@
 #   A Heat environment file which can be used to enable TLS for the internal
 #   network via certmonger
 parameter_defaults:
+  # Specifies the default CA cert to use if TLS is used for services in the internal network.
+  # Type: string
+  InternalTLSCAFile: /etc/ipa/ca.crt
+
  # ******************************************************
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
--- a/environments/ssl/enable-tls.yaml
+++ b/environments/ssl/enable-tls.yaml
@ -14,6 +14,10 @@ parameter_defaults:
  # Type: boolean
  HorizonSecureCookies: True

+  # Specifies the default CA cert to use if TLS is used for services in the internal network.
+  # Type: string
+  InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
+
  # The content of the SSL certificate (without Key) in PEM format.
  # Type: string
  SSLCertificate: |
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@ -12,6 +12,9 @@ environments:
      deployment/horizon/horizon-container-puppet.yaml:
        parameters:
          - HorizonSecureCookies
+      deployment/keystone/keystone-container-puppet.yaml:
+        parameters:
+          - InternalTLSCAFile
    static:
      # This should probably be private, but for testing static params I'm
      # setting it as such for now.
@ -24,6 +27,7 @@ environments:
        |
            The contents of the private key go here
      HorizonSecureCookies: True
+      InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
  -
    name: ssl/enable-internal-tls
    title: Enable SSL on OpenStack Internal Endpoints
@ -34,6 +38,9 @@ environments:
      common/post.yaml:
        parameters:
          - EnableInternalTLS
+      deployment/keystone/keystone-container-puppet.yaml:
+        parameters:
+          - InternalTLSCAFile
      deployment/nova/nova-base-puppet.yaml:
        parameters:
          - RpcUseSSL
@ -50,6 +57,7 @@ environments:
      - ServerMetadata
    sample_values:
      EnableInternalTLS: True
+      InternalTLSCAFile: /etc/ipa/ca.crt
      RpcUseSSL: True
      NotifyUseSSL: True
      ServerMetadata: |-2