A new config.tls.generate-cert option is added that defaults to true.
When true, a self-signed certificate will be generated and OpenStack
API endpoints will be configured to use TLS with that self-signed
certificate. The following config options are added:
snap get microstack config.tls.generate-cert
snap get microstack config.tls.cacert-path
snap get microstack config.tls.cert-path
snap get microstack config.tls.key-path
Users can provide their own certificate by setting generate-cert to
false and storing their own certificates/key at the paths specified
by cacert-path, cert-path, and key-path. 'snap set' can also be used
to change the cert/key file names.
An important detail for clustering is that additional compute nodes
will need manual configuration of cacert-path, cert-path, and key-path.
The same certificates/key can can be copied from the controller node
to the compute node.
Other notable changes:
* The existing generate_selfsigned() function is modified to change
the subject alternative name to be made up of the hostname and
optionally an IP. The controller hostname and IP are used when
generating the certificate for self-signed TLS endpoints. The
hostname is now used instead of 'microstack.run' when generating
the clustering certificate.
* This change also aligns logging for nginx and corresponding sites
and moves all nginx sites to {snap_common}/etc/nginx/sites-enabled.
Depends-On: https://review.opendev.org/c/x/microstack/+/772900
Change-Id: Iceea3127822404a3275fcf8a221cbedc4b52c217
e0901510d7