Templatize keystone ssl keys/certs

Keystone keys/certs files are fetched from heat metadata. This will allow us distribute identical keyst/certs to all control nodes instead of having different keys/certs on each node. Relies-on: I6d4efa753b97bb8cdbd07b1bf7b1cd123f7a32ed Related to blueprint tripleo-icehouse-ha-production-configuration Change-Id: I420957eb883ef4e21440171fb41c5b46f8e743fa
2014-05-21 03:48:28 -04:00 · 2014-05-21 03:48:28 -04:00 · 154bbab23e
commit 154bbab23e
parent 12ef0d6653
4 changed files with 10 additions and 0 deletions
--- a/elements/keystone/os-apply-config/mnt/state/etc/keystone/ssl/certs/ca.pem
+++ b/elements/keystone/os-apply-config/mnt/state/etc/keystone/ssl/certs/ca.pem
@ -0,0 +1 @@
+{{keystone.ca_certificate}}
--- a/elements/keystone/os-apply-config/mnt/state/etc/keystone/ssl/certs/signing_cert.pem
+++ b/elements/keystone/os-apply-config/mnt/state/etc/keystone/ssl/certs/signing_cert.pem
@ -0,0 +1 @@
+{{keystone.signing_certificate}}
--- a/elements/keystone/os-apply-config/mnt/state/etc/keystone/ssl/private/signing_key.pem
+++ b/elements/keystone/os-apply-config/mnt/state/etc/keystone/ssl/private/signing_key.pem
@ -0,0 +1 @@
+{{keystone.signing_key}}
--- a/elements/keystone/os-refresh-config/configure.d/10-keystone-state
+++ b/elements/keystone/os-refresh-config/configure.d/10-keystone-state
@ -3,3 +3,10 @@ set -eux

 [ -d /mnt/state/etc/keystone/ssl/certs ] || install -m 0750 -o keystone -g keystone -d /mnt/state/etc/keystone/ssl/certs
 [ -d /mnt/state/etc/keystone/ssl/private ] || install -m 0750 -o keystone -g keystone -d /mnt/state/etc/keystone/ssl/private
+
+# precreate ssl key file with correct permissions
+# TODO: this can be replaced with mode metadata header when supported in
+# os-apply-config (spec's Change-Id: I8fe7126d7261c1f106d7413bd31aa379e9ae5c3e)
+touch /mnt/state/etc/keystone/ssl/private/signing_key.pem
+chown keystone.keystone /mnt/state/etc/keystone/ssl/private/signing_key.pem
+chmod 0640 /mnt/state/etc/keystone/ssl/private/signing_key.pem