openstack/tripleo-heat-templates
Code Issues Proposed changes
Files
febe32556f87d0a9ca864bdee9db98473d5f2d74
tripleo-heat-templates/puppet/extraconfig/tls/ca-inject.yaml
Juan Antonio Osorio Robles b6ee4bf4a5 Make injected CA file readable by others 
Currently the permissions for the CA file that is injected (if the
environment is set), doesn't permit users that don't belong to the group
that owns the file to read it. This is too restrictive and isn't
necessary, as the certificate should be public.

This is useful in the case where we want a service that can't read the
certificate chain (or bundle) to be able to read that CA certificate.
This is the case for the MariaDB version that is being used in CentOS
7.1 for example.

Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025
2016-02-17 15:51:52 +02:00

68 lines
2.0 KiB
YAML
Raw Blame History

heat_template_version: 2015-04-30
description: >
This is a template which will inject the trusted anchor.
parameters:
# Can be overriden via parameter_defaults in the environment
SSLRootCertificate:
description: >
The content of a CA's SSL certificate file in PEM format.
This is evaluated on the client side.
type: string
SSLRootCertificatePath:
default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
description: >
The filepath of the root certificate as it will be stored in the nodes.
Note that the path has to be one that can be picked up by the update
trust anchor command. e.g. in RHEL it would be
/etc/pki/ca-trust/source/anchors/ca.crt.pem
type: string
UpdateTrustAnchorsCommand:
default: update-ca-trust extract
description: >
command that will be executed to update the trust anchors.
type: string
# Passed in by controller.yaml
server:
description: ID of the node to apply this config to
type: string
resources:
CAConfig:
type: OS::Heat::SoftwareConfig
properties:
group: script
inputs:
- name: cacert_path
- name: cacert_content
- name: update_anchor_command
outputs:
- name: root_cert_md5sum
config: |
#!/bin/sh
cat > ${cacert_path} << EOF
${cacert_content}
EOF
chmod 0444 ${cacert_path}
chown root:root ${cacert_path}
${update_anchor_command}
md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
CADeployment:
type: OS::Heat::SoftwareDeployment
properties:
name: CADeployment
config: {get_resource: CAConfig}
server: {get_param: server}
input_values:
cacert_path: {get_param: SSLRootCertificatePath}
cacert_content: {get_param: SSLRootCertificate}
update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
outputs:
deploy_stdout:
description: Deployment reference
value: {get_attr: [CADeployment, root_cert_md5sum]}
View Git Blame Copy Permalink