Set default InternalTLSCAFile in enable-tls.yaml
Default like undercloud for public TLS. Though this
is a little confusing, we're using the same parameter
for both undercloud and overcloud.
For classic public TLS and certmonger-based internal
TLS, where we use both enable-tls.yaml and
enable-internal-tls.yaml, we reset it back to use the
default ipa cacert.
Change-Id: Icfef2768ebb90c1818f157c762b6981d24393ac3
Closes-Bug: #1880936
(cherry picked from commit 7f2ee8566a
)
parent
8412d09855
commit
c530e2af70
|
@ -9,6 +9,10 @@
|
||||||
# A Heat environment file which can be used to enable TLS for the internal
|
# A Heat environment file which can be used to enable TLS for the internal
|
||||||
# network via certmonger
|
# network via certmonger
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
|
# Specifies the default CA cert to use if TLS is used for services in the internal network.
|
||||||
|
# Type: string
|
||||||
|
InternalTLSCAFile: /etc/ipa/ca.crt
|
||||||
|
|
||||||
# ******************************************************
|
# ******************************************************
|
||||||
# Static parameters - these are values that must be
|
# Static parameters - these are values that must be
|
||||||
# included in the environment but should not be changed.
|
# included in the environment but should not be changed.
|
||||||
|
|
|
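Review bot: The added `InternalTLSCAFile: /etc/ipa/ca.crt` only wins over the value this commit adds to enable-tls.yaml when this environment is merged after it, and nothing in the file says so. The commit message describes the combined case as resetting the parameter to the IPA CA, which presumably relies on later environment files overriding earlier ones. With the order reversed, services would be pointed at `overcloud-cacert.pem` for internal endpoints whose certificates are issued by IPA, and verification would fail. I would state the ordering next to the parameter, e.g. `# When combined with enable-tls.yaml, pass this environment after it so the IPA CA is used.` Since these files look generated from the sample-environment definitions further down the page, the durable place for that sentence is the environment's description there.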
@ -14,6 +14,10 @@ parameter_defaults:
|
||||||
# Type: boolean
|
# Type: boolean
|
||||||
HorizonSecureCookies: True
|
HorizonSecureCookies: True
|
||||||
|
|
||||||
|
# Specifies the default CA cert to use if TLS is used for services in the internal network.
|
||||||
|
# Type: string
|
||||||
|
InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
|
||||||
|
|
||||||
# The content of the SSL certificate (without Key) in PEM format.
|
# The content of the SSL certificate (without Key) in PEM format.
|
||||||
# Type: string
|
# Type: string
|
||||||
SSLCertificate: |
|
SSLCertificate: |
|
||||||
|
|
|
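Review bot: The new default `InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem` assumes a CA certificate has been placed at that exact path on every node, and nothing in this section says what puts it there. If the public certificate chains to a CA installed under a different file name, or to one already in the system trust store, the path may not exist and clients that read this parameter would fail certificate verification. The comment above the parameter also speaks only of internal-network TLS, although this environment is the public-TLS one. A line such as `# Must point at the CA that signed SSLCertificate; override if that CA is installed at a different path.` would cover both points.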
@ -12,6 +12,9 @@ environments:
|
||||||
deployment/horizon/horizon-container-puppet.yaml:
|
deployment/horizon/horizon-container-puppet.yaml:
|
||||||
parameters:
|
parameters:
|
||||||
- HorizonSecureCookies
|
- HorizonSecureCookies
|
||||||
|
deployment/keystone/keystone-container-puppet.yaml:
|
||||||
|
parameters:
|
||||||
|
- InternalTLSCAFile
|
||||||
static:
|
static:
|
||||||
# This should probably be private, but for testing static params I'm
|
# This should probably be private, but for testing static params I'm
|
||||||
# setting it as such for now.
|
# setting it as such for now.
|
||||||
|
@ -24,6 +27,7 @@ environments:
|
||||||
|
|
|
|
||||||
The contents of the private key go here
|
The contents of the private key go here
|
||||||
HorizonSecureCookies: True
|
HorizonSecureCookies: True
|
||||||
|
InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
|
||||||
-
|
-
|
||||||
name: ssl/enable-internal-tls
|
name: ssl/enable-internal-tls
|
||||||
title: Enable SSL on OpenStack Internal Endpoints
|
title: Enable SSL on OpenStack Internal Endpoints
|
||||||
|
@ -34,6 +38,9 @@ environments:
|
||||||
common/post.yaml:
|
common/post.yaml:
|
||||||
parameters:
|
parameters:
|
||||||
- EnableInternalTLS
|
- EnableInternalTLS
|
||||||
|
deployment/keystone/keystone-container-puppet.yaml:
|
||||||
|
parameters:
|
||||||
|
- InternalTLSCAFile
|
||||||
deployment/nova/nova-base-puppet.yaml:
|
deployment/nova/nova-base-puppet.yaml:
|
||||||
parameters:
|
parameters:
|
||||||
- RpcUseSSL
|
- RpcUseSSL
|
||||||
|
@ -50,6 +57,7 @@ environments:
|
||||||
- ServerMetadata
|
- ServerMetadata
|
||||||
sample_values:
|
sample_values:
|
||||||
EnableInternalTLS: True
|
EnableInternalTLS: True
|
||||||
|
InternalTLSCAFile: /etc/ipa/ca.crt
|
||||||
RpcUseSSL: True
|
RpcUseSSL: True
|
||||||
NotifyUseSSL: True
|
NotifyUseSSL: True
|
||||||
ServerMetadata: |-2
|
ServerMetadata: |-2
|
||||||
|
|