5d35e97cfa
The CA certificate is currently passed via ssl-source.yaml as "stunnel.cacert", but this value is not currently used by stunnel since we have no use case for client cert authentication. This change proposes that it also be exposed as "ssl.ca_certificate", which is consistent with the overall SSL direction being driven by the PKI spec: I32473fe797a4c1e28d14c3b82c8892c7c59a4e55 This new CA certificate value will be installed as a trusted CA on all cloud nodes that issue SSL-secured connection requests to OpenStack or other infrastructure (MySQL, RabbitMQ) services. Change-Id: Ibacd7c98980520e11c0df89632013f2ba2dbe370
# Heat template "ssl-source": SSL endpoint metadata for OpenStack.
# The parameters carry certificate material; the SSLConfig resource renders an
# os-apply-config tree (ssl.*, stunnel.*) from its get_input values.
# NOTE(review): the binding from the SSL* parameters to the input names used
# below (ssl_certificate, ssl_key, ssl_ca_certificate, controller_host) is done
# by the deployment that references this config, not in this file — confirm there.
description: 'ssl-source: SSL endpoint metadata for openstack'

parameters:
  SSLCertificate:
    default: ''
    description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
    type: string
    # hidden keeps the value out of stack parameter output.
    hidden: true
  SSLKey:
    default: ''
    description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
    type: string
    # Private key material — must stay hidden.
    hidden: true
  # Trust anchor, not a secret, so it is deliberately not hidden. Per the change
  # description it is installed as a trusted CA on every node that opens
  # SSL connections to OpenStack/MySQL/RabbitMQ, so its integrity (which CA is
  # supplied) is what matters, not its confidentiality.
  # NOTE(review): an empty default reaches consumers as '' — whatever installs
  # ssl.ca_certificate must treat '' as "no CA supplied"; verify in the consumer.
  SSLCACertificate:
    default: ''
    description: If set, the contents of an SSL certificate authority file.
    type: string

resources:
  SSLConfig:
    type: OS::Heat::StructuredConfig
    properties:
      group: os-apply-config
      config:
        # New, tool-agnostic location for the CA certificate (PKI spec direction).
        ssl:
          ca_certificate:
            get_input: ssl_ca_certificate
        stunnel:
          cert:
            get_input: ssl_certificate
          key:
            get_input: ssl_key
          # Same CA value as ssl.ca_certificate; kept here for stunnel even
          # though, per the change description, stunnel does not use it yet.
          cacert:
            get_input: ssl_ca_certificate
          # One stunnel service per OpenStack API: each entry listens on
          # `accept` (13xxx) and forwards to the plain `connect` port on the
          # controller host. Exact stunnel semantics of accept/connect are
          # presumed from the tool; confirm against the stunnel config template.
          ports:
            - name: 'ec2'
              accept: 13773
              connect: 8773
              connect_host:
                get_input: controller_host
            - name: 'image'
              accept: 13292
              connect: 9292
              connect_host:
                get_input: controller_host
            - name: 'identity'
              accept: 13000
              connect: 5000
              connect_host:
                get_input: controller_host
            - name: 'network'
              accept: 13696
              connect: 9696
              connect_host:
                get_input: controller_host
            - name: 'compute'
              accept: 13774
              connect: 8774
              connect_host:
                get_input: controller_host
            - name: 'swift-proxy'
              accept: 13080
              connect: 8080
              connect_host:
                get_input: controller_host
            - name: 'cinder'
              accept: 13776
              connect: 8776
              connect_host:
                get_input: controller_host
            - name: 'ceilometer'
              accept: 13777
              connect: 8777
              connect_host:
                get_input: controller_host