Set default InternalTLSCAFile in enable-tls.yaml

Default like undercloud for public TLS. Though this
is a little confusing, we're using the same parameter
for both undercloud and overcloud.

For classic public TLS and certmonger-based internal
TLS, where we use both enable-tls.yaml and
enable-internal-tls.yaml, we reset it back to use the
default ipa cacert.

Change-Id: Icfef2768ebb90c1818f157c762b6981d24393ac3
Closes-Bug: #1880936
(cherry picked from commit 7f2ee8566a)
Rabi Mishra 2020-05-27 19:29:21 +05:30 committed by Alex Schultz
parent a8ef58fd54
commit 8bdf199af9
3 changed files with 16 additions and 0 deletions


@ -9,6 +9,10 @@
# A Heat environment file which can be used to enable TLS for the internal
# network via certmonger
parameter_defaults:
# Specifies the default CA cert to use if TLS is used for services in the internal network.
# Type: string
InternalTLSCAFile: /etc/ipa/ca.crt
# ******************************************************
# Static parameters - these are values that must be
# included in the environment but should not be changed.


@ -14,6 +14,10 @@ parameter_defaults:
# Type: boolean
HorizonSecureCookies: True
# Specifies the default CA cert to use if TLS is used for services in the internal network.
# Type: string
InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
# The content of the SSL certificate (without Key) in PEM format.
# Type: string
SSLCertificate: |


@ -12,6 +12,9 @@ environments:
deployment/horizon/horizon-container-puppet.yaml:
parameters:
- HorizonSecureCookies
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- InternalTLSCAFile
static:
# This should probably be private, but for testing static params I'm
# setting it as such for now.
@ -24,6 +27,7 @@ environments:
|
The contents of the private key go here
HorizonSecureCookies: True
InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
-
name: ssl/enable-internal-tls
title: Enable SSL on OpenStack Internal Endpoints
@ -34,6 +38,9 @@ environments:
common/post.yaml:
parameters:
- EnableInternalTLS
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- InternalTLSCAFile
deployment/nova/nova-base-puppet.yaml:
parameters:
- RpcUseSSL
@ -50,6 +57,7 @@ environments:
- ServerMetadata
sample_values:
EnableInternalTLS: True
InternalTLSCAFile: /etc/ipa/ca.crt
RpcUseSSL: True
NotifyUseSSL: True
ServerMetadata: |-2
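Review bot: The two new `InternalTLSCAFile` sample values give the intended result only when the environments are passed in a particular order, and nothing in the added entries says so. The commit message relies on ssl/enable-internal-tls resetting the value to `/etc/ipa/ca.crt`, but Heat lets the later environment file win for `parameter_defaults`. Listing enable-tls.yaml after enable-internal-tls.yaml would therefore leave internal TLS clients validating against `/etc/pki/ca-trust/source/anchors/overcloud-cacert.pem` rather than the IPA CA. I would state the ordering in the description of both environments, for example `When combined with enable-internal-tls.yaml, pass this file first so that InternalTLSCAFile resolves to the IPA CA.` The two environment files earlier on the page look generated from this one, so the wording belongs here; the description fields themselves are outside the hunks shown.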