31bc6eaa88
This profile will request the certificates for the services on the node. So with this, we will remove the requesting of these certs on the services' profiles themselves. The reasoning for this is that for a containerized environment, the containers won't have credentials to the CA while the baremetal node does. So, with this, we will have this profile that still gets executed in the baremetal nodes, and we can subsequently pass the requested certificates by bind-mounting them on the containers. On the other hand, this approach still works well for the TLS-everywhere case when the services are running on baremetal. Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6 Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
25 lines
1.0 KiB
YAML
25 lines
1.0 KiB
YAML
# A Heat environment file which can be used to enable a
|
|
# a TLS for in the internal network via certmonger
|
|
parameter_defaults:
|
|
EnableInternalTLS: true
|
|
RabbitClientUseSSL: true
|
|
|
|
# Required for novajoin to enroll the overcloud nodes
|
|
ServerMetadata:
|
|
ipa_enroll: True
|
|
|
|
resource_registry:
|
|
OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
|
|
|
|
OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
|
|
OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
|
|
OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
|
|
OS::TripleO::Services::RabbitMQTLS: ../puppet/services/rabbitmq-internal-tls-certmonger.yaml
|
|
|
|
# We use apache as a TLS proxy
|
|
OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
|
|
|
|
# Creates nova metadata that will create the extra service principals per
|
|
# node.
|
|
OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml
|