heat_template_version: rocky description: > Requests certificates using certmonger through Puppet parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json EnableInternalTLS: type: boolean default: false DefaultCRLURL: default: 'http://ipa-ca/ipa/crl/MasterCRL.bin' description: URI where to get the CRL to be configured in the nodes. type: string # NOTE(jaosorior): This is being set as IPA as it's the first # CA we'll actually be testing out. But we can change this if # people request it. CertmongerCA: type: string default: 'IPA' # TODO: default to a dedicated CA once the ipa sub-CA setup has been # automated and upgrades are addressed CertmongerVncCA: type: string default: 'IPA' CertmongerQemuCA: type: string default: 'IPA' conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: description: Role data for the certmonger-user service value: service_name: certmonger_user config_settings: map_merge: - certmonger_ca: {get_param: CertmongerCA} - if: - internal_tls_enabled - tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL} certmonger_ca_vnc: {get_param: CertmongerVncCA} certmonger_ca_qemu: {get_param: CertmongerQemuCA} - {} step_config: | include ::tripleo::profile::base::certmonger_user