ed7d687398
In commit 37a339d2b0, the hieradata
parameter certmonger_ca was changed to only be set when internal_tls was
enabled.
This breaks cert issuance by a non-local certmonger CA when issuing the
haproxy cert on the undercloud, e.g. issuing this cert by IPA, which
relies on this hieradata being set.
There is no reason to restrict this data from being set, and doing so
fixes the problem. (rhbz#1793975)
The remaining data should be set only when internal_tls is enabled.
Change-Id: If3e3870dd7bd087984e433f7aa832d1bb0ac5b2b
Fixes-Bug: 1860718
heat_template_version: rocky
|
|
|
|
description: >
|
|
Requests certificates using certmonger through Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
DefaultCRLURL:
|
|
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
|
|
description: URI where to get the CRL to be configured in the nodes.
|
|
type: string
|
|
# NOTE(jaosorior): This is being set as IPA as it's the first
|
|
# CA we'll actually be testing out. But we can change this if
|
|
# people request it.
|
|
CertmongerCA:
|
|
type: string
|
|
default: 'IPA'
|
|
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
|
|
# automated and upgrades are addressed
|
|
CertmongerVncCA:
|
|
type: string
|
|
default: 'IPA'
|
|
CertmongerQemuCA:
|
|
type: string
|
|
default: 'IPA'
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the certmonger-user service
|
|
value:
|
|
service_name: certmonger_user
|
|
config_settings:
|
|
map_merge:
|
|
- certmonger_ca: {get_param: CertmongerCA}
|
|
- if:
|
|
- internal_tls_enabled
|
|
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
|
|
certmonger_ca_vnc: {get_param: CertmongerVncCA}
|
|
certmonger_ca_qemu: {get_param: CertmongerQemuCA}
|
|
- {}
|
|
step_config: |
|
|
include ::tripleo::profile::base::certmonger_user
|
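Review bot: The `certmonger_ca: {get_param: CertmongerCA}` entry at the top of the `map_merge` list carries no comment saying why it must stay outside the `internal_tls_enabled` conditional, and that is exactly the placement that 37a339d2b0 undid and that broke undercloud cert issuance by a non-local CA. Add above it `# certmonger_ca must be set even when internal TLS is off: a non-local CA (e.g. IPA) issuing the undercloud haproxy cert reads it (rhbz#1793975, LP#1860718)` so the next refactor does not fold it back under the `if`. The `CertmongerCA`, `CertmongerVncCA` and `CertmongerQemuCA` parameters also lack a `description:` field, unlike every other documented parameter in the file; a one-line description naming which certmonger CA each one selects would make the parameter list self-explanatory. The `DefaultCRLURL` default is a plain `http://` URL, presumably acceptable because a CRL carries its own signature; stating that in its description would pre-empt the obvious review question.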