tripleo-heat-templates/deployment/certs/certmonger-user-baremetal-puppet.yaml
Ade Lee ed7d687398 Always set hieradata for certmonger_ca
In commit 37a339d2b0 , the hieradata
parameter certmonger_ca was set to only be set when internal_tls was
enabled.

This breaks cert issuance by an non-local certmonger CA when the
issuing the haproxy cert on the undercloud eg. issuing this cert by
IPA, which relies on this hieradata being set.

There is no reason to restrict this data from being set, and doing so
fixes the problem. (rhbz#1793975)

The remaining data should be set only when internal_tls is enabled.
Change-Id: If3e3870dd7bd087984e433f7aa832d1bb0ac5b2b
Fixes-Bug: 1860718
2020-02-07 15:44:25 -05:00

75 lines
2.2 KiB
YAML

heat_template_version: rocky
description: >
Requests certificates using certmonger through Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
DefaultCRLURL:
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
description: URI where to get the CRL to be configured in the nodes.
type: string
# NOTE(jaosorior): This is being set as IPA as it's the first
# CA we'll actually be testing out. But we can change this if
# people request it.
CertmongerCA:
type: string
default: 'IPA'
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
# automated and upgrades are addressed
CertmongerVncCA:
type: string
default: 'IPA'
CertmongerQemuCA:
type: string
default: 'IPA'
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
description: Role data for the certmonger-user service
value:
service_name: certmonger_user
config_settings:
map_merge:
- certmonger_ca: {get_param: CertmongerCA}
- if:
- internal_tls_enabled
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
certmonger_ca_vnc: {get_param: CertmongerVncCA}
certmonger_ca_qemu: {get_param: CertmongerQemuCA}
- {}
step_config: |
include ::tripleo::profile::base::certmonger_user