Merge "Add new parameter PublicTLSCACert" into stable/train
commit
4271246cf1
|
@ -71,11 +71,11 @@ parameters:
|
|||
description: >
|
||||
Whether to enable TLS on the public interface or not.
|
||||
type: boolean
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
PublicTLSCAFile:
|
||||
default: ''
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
services in the public network.
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
@ -766,7 +766,7 @@ outputs:
|
|||
cacert:
|
||||
if:
|
||||
- public_tls_enabled
|
||||
- {get_param: InternalTLSCAFile}
|
||||
- {get_param: PublicTLSCAFile}
|
||||
- ''
|
||||
identity_api_version: '3'
|
||||
region_name: {get_param: KeystoneRegion}
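Review bot: With the new default of `''` for PublicTLSCAFile (first hunk), the `cacert` output in the second hunk becomes an empty string whenever public_tls_enabled is true and the operator has not set the parameter, whereas it previously picked up InternalTLSCAFile's default of `/etc/ipa/ca.crt`. On a stable-branch backport this looks like a behaviour change for existing deployments whose public endpoint certificate is not signed by a CA in the system trust store; clients reading clouds.yaml would presumably fail verification until PublicTLSCAFile is set. The parameter description should say what the empty value means, for example `description: CA cert to use for services in the public network when TLS is enabled. Leave empty to rely on the system trust store.`, and the release note would benefit from an `upgrade:` entry telling operators who relied on the old default to set PublicTLSCAFile explicitly. Both the parameters block and the outputs block continue outside the hunks shown.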
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
parameter_defaults:
|
||||
InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
||||
PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
||||
PublicSSLCertificateAutogenerated: true
|
||||
|
||||
resource_registry:
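Review bot: The added `PublicTLSCAFile` entry has no comment explaining why the public CA is pinned to the same certmonger anchor file as InternalTLSCAFile. If the intent is that the autogenerated public certificate (`PublicSSLCertificateAutogenerated: true`) is signed by certmonger's local CA, a line such as `# Public cert is autogenerated by certmonger, so clients must trust its local CA` above it would make that dependency visible and remind whoever turns autogeneration off to change the CA path as well. The resource_registry block continues outside the hunk.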
|
||||
|
|
|
@ -9,10 +9,6 @@
|
|||
# A Heat environment file which can be used to enable TLS for the internal
|
||||
# network via certmonger
|
||||
parameter_defaults:
|
||||
# Specifies the default CA cert to use if TLS is used for services in the internal network.
|
||||
# Type: string
|
||||
InternalTLSCAFile: /etc/ipa/ca.crt
|
||||
|
||||
# ******************************************************
|
||||
# Static parameters - these are values that must be
|
||||
# included in the environment but should not be changed.
|
||||
|
|
|
@ -14,9 +14,9 @@ parameter_defaults:
|
|||
# Type: boolean
|
||||
HorizonSecureCookies: True
|
||||
|
||||
# Specifies the default CA cert to use if TLS is used for services in the internal network.
|
||||
# Specifies the default CA cert to use if TLS is used for services in the public network.
|
||||
# Type: string
|
||||
InternalTLSCAFile: ''
|
||||
PublicTLSCAFile: ''
|
||||
|
||||
# The content of the SSL certificate (without Key) in PEM format.
|
||||
# Type: string
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- Added new PublicTLSCAFile parameter, that is used to set the
|
||||
ca cert in clouds.yaml for keystone public endpoint. This
|
||||
defaults to empty string ('') assuming that the certs are
|
||||
already trusted.
|
|
@ -14,7 +14,7 @@ environments:
|
|||
- HorizonSecureCookies
|
||||
deployment/keystone/keystone-container-puppet.yaml:
|
||||
parameters:
|
||||
- InternalTLSCAFile
|
||||
- PublicTLSCAFile
|
||||
static:
|
||||
# This should probably be private, but for testing static params I'm
|
||||
# setting it as such for now.
|
||||
|
@ -27,7 +27,7 @@ environments:
|
|||
|
|
||||
The contents of the private key go here
|
||||
HorizonSecureCookies: True
|
||||
InternalTLSCAFile: ''
|
||||
PublicTLSCAFile: ''
|
||||
-
|
||||
name: ssl/enable-internal-tls
|
||||
title: Enable SSL on OpenStack Internal Endpoints
|
||||
|
@ -38,9 +38,6 @@ environments:
|
|||
common/post.yaml:
|
||||
parameters:
|
||||
- EnableInternalTLS
|
||||
deployment/keystone/keystone-container-puppet.yaml:
|
||||
parameters:
|
||||
- InternalTLSCAFile
|
||||
deployment/nova/nova-base-puppet.yaml:
|
||||
parameters:
|
||||
- RpcUseSSL
|
||||
|
@ -57,7 +54,6 @@ environments:
|
|||
- ServerMetadata
|
||||
sample_values:
|
||||
EnableInternalTLS: True
|
||||
InternalTLSCAFile: /etc/ipa/ca.crt
|
||||
RpcUseSSL: True
|
||||
NotifyUseSSL: True
|
||||
ServerMetadata: |-2
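Review bot: Removing InternalTLSCAFile from the ssl/enable-internal-tls entry (the `parameters` list in the hunk at line 38 and `sample_values` in the hunk at line 57) means the generated internal-TLS environment no longer sets or documents `/etc/ipa/ca.crt`. That is only harmless if every template that still consumes InternalTLSCAFile defaults to the same path, which this page does not show. If another template still declares the parameter, listing it under that template's `parameters:` and keeping `InternalTLSCAFile: /etc/ipa/ca.crt` in `sample_values` would preserve the explicit internal CA setting. The environments list continues outside these hunks.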
|
||||
|
|