From 3214bf08c467f74073a4046ee0bd1a1738468f5e Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Fri, 24 Apr 2020 14:43:51 +0200 Subject: [PATCH] Fix missing OctaviaClientCert* parameters OctaviaClientCert and OctaviaClientCertFile parameters were incorrectly removed in change Ia64668f9ef6efc91a05594ca34c35614d338fdb6. That breaks the user-provided certificate & key feature in Octavia deployments by not copying the client certificate to the controllers, Octavia services are then unable to communicate with running amphorae. This commit restores those parameters. Change-Id: I42b48a10512ef817203705a201c0b30d8d1bd50b Closes-Bug: #1874712 (cherry picked from commit 022c8f84254cd402e7cb3d128ef7c5601baafb55) --- deployment/octavia/octavia-base.yaml | 17 +++++++++++++++++ .../octavia/octavia-deployment-config.j2.yaml | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/deployment/octavia/octavia-base.yaml b/deployment/octavia/octavia-base.yaml index f97027ec49..6aae08ca80 100644 --- a/deployment/octavia/octavia-base.yaml +++ b/deployment/octavia/octavia-base.yaml @@ -83,6 +83,16 @@ parameters: If provided, this will create or update a file on the host with the path provided in OctaviaCaKeyFile with the key data. + OctaviaClientCertFile: + type: string + default: '/etc/octavia/certs/client.pem' + description: Octavia client certificate for amphorae. + OctaviaClientCert: + type: string + default: '' + description: Octavia client certificate data. If provided, this will create + or update a file on the host with the path provided in + OctaviaClientCertFile with the certificate data. OctaviaServerCertsKeyPassphrase: constraints: - length: { min: 32, max: 32} 
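Review bot: The restored `OctaviaClientCert` parameter in `octavia-base.yaml` is declared without `hidden: true`, so Heat will show its value in clear text wherever the stack's parameters are displayed. The commit message calls this the user-provided certificate & key feature and the default target is `client.pem`, which suggests the data may carry the private key together with the certificate. If it does, add `hidden: true` under `OctaviaClientCert`; the hunk does not show whether the neighbouring `OctaviaCaKey` already does this. The same value is passed on as `octavia::certificates::client_cert_data` in the last hunk of this file, so it is also worth confirming that the consuming Puppet class writes the `OctaviaClientCertFile` path with owner-only permissions, which is not visible here.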
@@ -197,6 +207,7 @@ conditions: service_debug_unset: {equals : [{get_param: OctaviaDebug}, '']} octavia_ca_cert_unset: {equals: [{get_param: OctaviaCaCert}, '']} octavia_ca_key_unset: {equals: [{get_param: OctaviaCaKey}, '']} + octavia_client_cert_unset: {equals: [{get_param: OctaviaClientCert}, '']} octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]} outputs: @@ -233,6 +244,7 @@ outputs: octavia::service_auth::auth_type: 'password' octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile} octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile} + octavia::certificates::client_cert: {get_param: OctaviaClientCertFile} octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase} octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList} @@ -271,3 +283,8 @@ outputs: - octavia_ca_key_unset - {} - octavia::certificates::ca_private_key_data: {get_param: OctaviaCaKey} + - + if: + - octavia_client_cert_unset + - {} + - octavia::certificates::client_cert_data: {get_param: OctaviaClientCert} diff --git a/deployment/octavia/octavia-deployment-config.j2.yaml b/deployment/octavia/octavia-deployment-config.j2.yaml index 7286658826..ce6320cf5f 100644 --- a/deployment/octavia/octavia-deployment-config.j2.yaml +++ b/deployment/octavia/octavia-deployment-config.j2.yaml @@ -146,7 +146,7 @@ parameters: hidden: true OctaviaClientCertFile: default: '/etc/octavia/certs/client.pem' - description: client certificate for amphoras + description: Octavia client certificate for amphorae. type: string OctaviaGenerateCerts: type: boolean