44ef2a3ec1
The new master branch should point now to rocky. So, HOT templates should specify that they might contain features for rocky release [1] Also, this submission updates the yaml validation to use only latest heat_version alias. There are cases in which we will need to set the version for specific templates i.e. mixed versions, so there is added a variable to assign specific templates to specific heat_version aliases, avoiding the introduction of errors by bulk replacing the old version in new releases. [1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
68 lines
2.0 KiB
YAML
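heat_template_version: rocky

description: >
  This is a template which will inject the trusted anchor.

# Trust-boundary note: this template writes a caller-supplied certificate
# into the node's CA trust source directory and then runs a caller-supplied
# command on the node. Whoever can set these parameters (for example via
# parameter_defaults in an environment file) controls which CA the node
# trusts and which command is run, so those inputs should be restricted
# and reviewed like any other privileged configuration.

parameters:
  # Can be overridden via parameter_defaults in the environment
  SSLRootCertificate:
    description: >
      The content of a CA's SSL certificate file in PEM format.
      This is evaluated on the client side.
    type: string
  SSLRootCertificatePath:
    default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
    description: >
      The filepath of the root certificate as it will be stored in the nodes.
      Note that the path has to be one that can be picked up by the update
      trust anchor command. e.g. in RHEL it would be
      /etc/pki/ca-trust/source/anchors/ca.crt.pem
    type: string
  # The value is executed as-is by the script in CAConfig; it is a command
  # line, not just a program name, and nothing in this template validates it.
  UpdateTrustAnchorsCommand:
    default: update-ca-trust extract
    description: >
      command that will be executed to update the trust anchors.
    type: string

  # Passed in by controller.yaml
  server:
    description: ID of the node to apply this config to
    type: string

resources:
  # Shell script that installs the certificate and refreshes the trust store.
  CAConfig:
    type: OS::Heat::SoftwareConfig
    properties:
      group: script
      inputs:
        - name: cacert_path
        - name: cacert_content
        - name: update_anchor_command
      outputs:
        - name: root_cert_md5sum
      config: |
        #!/bin/sh
        # The inputs declared above are referenced as shell variables.
        # Path expansions are quoted so that a path containing whitespace
        # or glob characters is not split or expanded by the shell.
        cat > "${cacert_path}" << EOF
        ${cacert_content}
        EOF
        chmod 0444 "${cacert_path}"
        chown root:root "${cacert_path}"
        # Left unquoted on purpose: the value is a command plus its
        # arguments (default "update-ca-trust extract") and relies on
        # word splitting.
        # NOTE(review): no step's exit status is checked, so a failed write
        # or trust update is not reported by this script - confirm whether
        # that best-effort behaviour is intended.
        ${update_anchor_command}
        # Change marker for the deployment output only; MD5 is not
        # collision-resistant and must not be used to verify the
        # certificate.
        md5sum "${cacert_path}" > "${heat_outputs_path}.root_cert_md5sum"

  # Applies CAConfig to the target server, wiring template parameters to the
  # script inputs.
  CADeployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      name: CADeployment
      config: {get_resource: CAConfig}
      server: {get_param: server}
      input_values:
        cacert_path: {get_param: SSLRootCertificatePath}
        cacert_content: {get_param: SSLRootCertificate}
        update_anchor_command: {get_param: UpdateTrustAnchorsCommand}

outputs:
  # Despite its name, this output carries the md5sum line written by the
  # script (root_cert_md5sum), not the deployment's stdout.
  deploy_stdout:
    description: Deployment reference
    value: {get_attr: [CADeployment, root_cert_md5sum]}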