Request certificate for using host service principals
This removes the usage of the VIP service principals for requesting the
certificate, and uses the host instead.
Closes-Bug: #1818513
Depends-On: I245516257da280b91779313ffb18f84c8a4e3635
Change-Id: Ie2c3eb8e863184ffd943dd5b4a003790032542a4
(cherry picked from commit b53f6bacde)
parent
417fe3328b
commit
8bf53825de
|
@ -68,6 +68,52 @@ outputs:
|
|||
- redis::daemonize: false
|
||||
tripleo::stunnel::manage_service: false
|
||||
tripleo::stunnel::foreground: 'yes'
|
||||
- tripleo::redis::firewall_rules:
|
||||
'108 redis':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
tripleo::profile::base::database::redis::tls_proxy_bind_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
tripleo::profile::base::database::redis::tls_proxy_fqdn:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
tripleo::profile::base::database::redis::tls_proxy_port: 6379
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
|
||||
redis_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/redis.crt'
|
||||
service_key: '/etc/pki/tls/private/redis.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
dnsnames:
|
||||
- str_replace:
|
||||
template: "%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "redis/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
|
||||
- {}
|
||||
logging_source: {get_attr: [RedisBase, role_data, logging_source]}
|
||||
logging_groups: {get_attr: [RedisBase, role_data, logging_groups]}
|
||||
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
|
||||
|
@ -152,6 +198,16 @@ outputs:
|
|||
- {}
|
||||
metadata_settings:
|
||||
get_attr: [RedisBase, role_data, metadata_settings]
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- service: redis
|
||||
network: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
type: vip
|
||||
- service: redis
|
||||
network: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
type: node
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
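Review bot: The metadata_settings hunk keeps the `type: vip` entry for redis beside the new `type: node` entry, while the certificate spec in the first hunk now uses only the host principal `redis/%{hiera('fqdn_NETWORK')}`, and nothing in the hunk says why the VIP service principal is still registered. Presumably it is retained so the host is allowed to carry the VIP name (`cloud_name_NETWORK`) in `dnsnames`; if so, a comment such as `# vip entry kept: the VIP name is still a SAN of the host certificate` above the `type: vip` line would stop a later cleanup from dropping it, and if not, the unused principal is a credential with no consumer and should go. The same applies to the haproxy metadata_settings hunk, which adds `type: node` and leaves `type: vip` in place. Separately, the first hunk spells the `str_replace` placeholder `$NETWORK` for the tls_proxy_bind_ip and tls_proxy_fqdn entries but `NETWORK` for the certificate spec, whereas the mysql hunks in this commit normalise `$NETWORK` to `NETWORK`; if those lines are on the new side, one spelling would keep the file consistent with mysql. The enclosing role_data block starts and ends outside these hunks.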
|
|
|
@ -137,7 +137,7 @@ outputs:
|
|||
service_key: '/etc/pki/tls/private/mysql.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('cloud_name_NETWORK')}"
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
dnsnames:
|
||||
|
@ -147,12 +147,12 @@ outputs:
|
|||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
"%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "mysql/%{hiera('cloud_name_NETWORK')}"
|
||||
template: "mysql/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
- {}
|
||||
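Review bot: The mysql section switches the certificate `hostname` and `principal` to `fqdn_NETWORK` but contains no metadata_settings hunk, unlike the redis and haproxy sections, which both add a `type: node` entry so the host service principal exists before certmonger requests against it. If mysql's metadata_settings (outside these hunks) already registers `type: node`, nothing more is needed; if it only registers `type: vip`, the request for `mysql/%{hiera('fqdn_NETWORK')}` would target a principal that was never provisioned, so this is worth confirming. The `dnsnames` list in the second hunk also starts outside the hunk: the visible entry is the host FQDN, so the VIP name (`cloud_name_NETWORK`) that clients connect through must be carried by the entry before it for server-name verification to keep succeeding; the redis hunk in this commit shows the expected shape with both names.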
|
|
|
@ -86,8 +86,11 @@ outputs:
|
|||
- ''
|
||||
- - {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
- '/overcloud-haproxy-NETWORK.key'
|
||||
hostname: "%{hiera('cloud_name_NETWORK')}"
|
||||
principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
|
||||
hostname: "%{hiera('fqdn_NETWORK')}"
|
||||
dnsnames:
|
||||
- "%{hiera('cloud_name_NETWORK')}"
|
||||
- "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
|
@ -97,5 +100,8 @@ outputs:
|
|||
- service: haproxy
|
||||
network: $NETWORK
|
||||
type: vip
|
||||
- service: haproxy
|
||||
network: $NETWORK
|
||||
type: node
|
||||
for_each:
|
||||
$NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
|
|