Always include certmonger_user
This makes sure we always include the certmonger_user profile, which installs the local CA (if that's the one we're using). This is necessary for when we deploy TLS by default in the overcloud. It also makes setting the certificate specification optional, depending on the generate_service_certificate flag. Change-Id: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c
parent
6a016a6214
commit
b1fe5c01bd
|
@ -73,11 +73,9 @@ Class['::rabbitmq'] -> Service['httpd']
|
|||
include ::tripleo::firewall
|
||||
include ::tripleo::selinux
|
||||
include ::tripleo::profile::base::kernel
|
||||
include ::tripleo::profile::base::certmonger_user
|
||||
|
||||
if hiera('tripleo::haproxy::service_certificate', undef) {
|
||||
if str2bool(hiera('generate_service_certificates')) {
|
||||
include ::tripleo::profile::base::certmonger_user
|
||||
}
|
||||
class {'::tripleo::profile::base::haproxy':
|
||||
enable_load_balancer => true,
|
||||
}
|
||||
|
|
|
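Review bot: The unconditional `include ::tripleo::profile::base::certmonger_user` near the top of this hunk has no comment explaining why it now sits outside the `tripleo::haproxy::service_certificate` check. Per the commit message the profile installs the local CA, so hosts with no HAProxy service certificate configured now get it too. I would add a comment above the include, for example `# Always included: sets up the CA used for certificate requests, also needed once the overcloud deploys TLS by default`. It is also worth confirming that the profile does nothing harmful when `tripleo::profile::base::haproxy::certificates_specs` is absent, because the hieradata template no longer emits that key when certificate generation is off. The enclosing `if hiera('tripleo::haproxy::service_certificate', undef)` block continues past the end of the hunk.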
@ -17,6 +17,7 @@ sysctl_settings: {{SYSCTL_SETTINGS}}
|
|||
# SSL
|
||||
tripleo::haproxy::service_certificate: {{UNDERCLOUD_SERVICE_CERTIFICATE}}
|
||||
generate_service_certificates: {{GENERATE_SERVICE_CERTIFICATE}}
|
||||
{{#GENERATE_SERVICE_CERTIFICATE}}
|
||||
tripleo::profile::base::haproxy::certificates_specs:
|
||||
undercloud-haproxy-public:
|
||||
service_pem: {{UNDERCLOUD_SERVICE_CERTIFICATE}}
|
||||
|
@ -25,6 +26,7 @@ tripleo::profile::base::haproxy::certificates_specs:
|
|||
hostname: "%{hiera('controller_public_host')}"
|
||||
postsave_cmd: "/usr/bin/instack-haproxy-cert-update '/etc/pki/tls/certs/undercloud-front.crt' '/etc/pki/tls/private/undercloud-front.key' {{UNDERCLOUD_SERVICE_CERTIFICATE}} undercloud-haproxy-public-cert"
|
||||
principal: {{SERVICE_PRINCIPAL}}
|
||||
{{/GENERATE_SERVICE_CERTIFICATE}}
|
||||
|
||||
# CA defaults
|
||||
certmonger_ca: {{CERTIFICATE_GENERATION_CA}}
|
||||
|
|
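Review bot: The `{{#GENERATE_SERVICE_CERTIFICATE}}` … `{{/GENERATE_SERVICE_CERTIFICATE}}` guard (opened in the first hunk, closed in the second) is a Mustache truthiness test, while the line above it renders the same value as text into `generate_service_certificates:`. If the renderer is ever handed a non-empty string such as "false" instead of a real boolean, the section would still render and a certificate request would be configured with the flag off. I would make sure the value is coerced to a boolean before rendering and say so in a template comment such as `# rendered only when GENERATE_SERVICE_CERTIFICATE is a true boolean`. Inside the guarded block, `postsave_cmd` passes `{{UNDERCLOUD_SERVICE_CERTIFICATE}}` unquoted while the two neighbouring paths are single-quoted. Writing it as `'{{UNDERCLOUD_SERVICE_CERTIFICATE}}'` would presumably keep a path containing spaces as a single argument.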