Remove certificate request bits from service profiles
This is now the job of the certmonger_user profile, so these bits are no longer needed in the service profiles.

Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800
Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
parent
2102a610c1
commit
d9916ce773
|
@ -39,14 +39,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*step*]
|
# [*step*]
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||||
# for more details.
|
# for more details.
|
||||||
|
@ -57,17 +49,12 @@ class tripleo::profile::base::aodh::api (
|
||||||
$aodh_network = hiera('aodh_api_network', undef),
|
$aodh_network = hiera('aodh_api_network', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::tripleo::profile::base::aodh
|
include ::tripleo::profile::base::aodh
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$aodh_network {
|
if !$aodh_network {
|
||||||
fail('aodh_api_network is not set in the hieradata.')
|
fail('aodh_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
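Review bot: The `if $enable_internal_tls` branch now has no visible link to the certificates named in `$certificates_specs`: the class neither requests them nor orders itself after whatever does, and the parameter documentation no longer says where they come from. If the certmonger_user profile is absent from a node or is applied later in the run, the service would presumably be configured with certificate and key paths that do not exist yet; how the specs are consumed is outside the hunk. I would add to the `certificates_specs` parameter documentation a line such as `# The certificates are requested by the certmonger_user profile; this class only consumes them.` The same applies to the barbican, ceilometer, cinder, glance, gnocchi, heat (api, api_cfn, api_cloudwatch), keystone, neutron server and nova api sections further down. Removing the `generate_service_certificates` parameter is also an interface break for anyone who passes it explicitly, so a release note would be worth adding.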
|
@ -43,14 +43,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*step*]
|
# [*step*]
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||||
# for more details.
|
# for more details.
|
||||||
|
@ -105,7 +97,6 @@ class tripleo::profile::base::barbican::api (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
|
$oslomsg_rpc_proto = hiera('messaging_rpc_service_name', 'rabbit'),
|
||||||
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
|
$oslomsg_rpc_hosts = any2array(hiera('rabbitmq_node_names', undef)),
|
||||||
|
@ -126,10 +117,6 @@ class tripleo::profile::base::barbican::api (
|
||||||
}
|
}
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$barbican_network {
|
if !$barbican_network {
|
||||||
fail('barbican_api_network is not set in the hieradata.')
|
fail('barbican_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -39,14 +39,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*step*]
|
# [*step*]
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||||
# for more details.
|
# for more details.
|
||||||
|
@ -56,16 +48,11 @@ class tripleo::profile::base::ceilometer::api (
|
||||||
$ceilometer_network = hiera('ceilometer_api_network', undef),
|
$ceilometer_network = hiera('ceilometer_api_network', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
include ::tripleo::profile::base::ceilometer
|
include ::tripleo::profile::base::ceilometer
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$ceilometer_network {
|
if !$ceilometer_network {
|
||||||
fail('ceilometer_api_network is not set in the hieradata.')
|
fail('ceilometer_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,14 +43,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*step*]
|
# [*step*]
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||||
# for more details.
|
# for more details.
|
||||||
|
@ -61,7 +53,6 @@ class tripleo::profile::base::cinder::api (
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$cinder_api_network = hiera('cinder_api_network', undef),
|
$cinder_api_network = hiera('cinder_api_network', undef),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
if $::hostname == downcase($bootstrap_node) {
|
if $::hostname == downcase($bootstrap_node) {
|
||||||
|
@ -73,10 +64,6 @@ class tripleo::profile::base::cinder::api (
|
||||||
include ::tripleo::profile::base::cinder
|
include ::tripleo::profile::base::cinder
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$cinder_api_network {
|
if !$cinder_api_network {
|
||||||
fail('cinder_api_network is not set in the hieradata.')
|
fail('cinder_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -47,12 +47,6 @@
|
||||||
# limit for the mysql service.
|
# limit for the mysql service.
|
||||||
# Defaults to false
|
# Defaults to false
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# MySQL. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*manage_resources*]
|
# [*manage_resources*]
|
||||||
# (Optional) Whether or not manage root user, root my.cnf, and service.
|
# (Optional) Whether or not manage root user, root my.cnf, and service.
|
||||||
# Defaults to true
|
# Defaults to true
|
||||||
|
@ -82,7 +76,6 @@ class tripleo::profile::base::database::mysql (
|
||||||
$certificate_specs = {},
|
$certificate_specs = {},
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_dropin_file_limit = false,
|
$generate_dropin_file_limit = false,
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$manage_resources = true,
|
$manage_resources = true,
|
||||||
$mysql_server_options = {},
|
$mysql_server_options = {},
|
||||||
$mysql_max_connections = hiera('mysql_max_connections', undef),
|
$mysql_max_connections = hiera('mysql_max_connections', undef),
|
||||||
|
@ -100,9 +93,6 @@ class tripleo::profile::base::database::mysql (
|
||||||
validate_hash($certificate_specs)
|
validate_hash($certificate_specs)
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs)
|
|
||||||
}
|
|
||||||
$tls_certfile = $certificate_specs['service_certificate']
|
$tls_certfile = $certificate_specs['service_certificate']
|
||||||
$tls_keyfile = $certificate_specs['service_key']
|
$tls_keyfile = $certificate_specs['service_key']
|
||||||
} else {
|
} else {
|
||||||
|
|
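Review bot: In the `if $enable_internal_tls` branch, `$tls_certfile` and `$tls_keyfile` are read from `$certificate_specs`, which defaults to `{}`, and nothing checks that the two keys are present now that this class no longer declares `tripleo::certmonger::mysql`. With internal TLS enabled and no specs passed, both values are undef, and depending on how they are used further down (outside the hunk) MySQL may come up without TLS instead of failing the run. I would fail closed at the top of the branch, in the same way the API profiles do for a missing network: `if !$certificate_specs['service_certificate'] or !$certificate_specs['service_key'] { fail('certificate_specs must provide service_certificate and service_key when enable_internal_tls is set.') }`. The branch continues past the end of the hunk.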
|
@ -38,14 +38,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*glance_backend*]
|
# [*glance_backend*]
|
||||||
# (Optional) Glance backend(s) to use.
|
# (Optional) Glance backend(s) to use.
|
||||||
# Defaults to downcase(hiera('glance_backend', 'swift'))
|
# Defaults to downcase(hiera('glance_backend', 'swift'))
|
||||||
|
@ -91,7 +83,6 @@ class tripleo::profile::base::glance::api (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$glance_backend = downcase(hiera('glance_backend', 'swift')),
|
$glance_backend = downcase(hiera('glance_backend', 'swift')),
|
||||||
$glance_network = hiera('glance_api_network', undef),
|
$glance_network = hiera('glance_api_network', undef),
|
||||||
$glance_nfs_enabled = false,
|
$glance_nfs_enabled = false,
|
||||||
|
@ -102,10 +93,6 @@ class tripleo::profile::base::glance::api (
|
||||||
$tls_proxy_fqdn = undef,
|
$tls_proxy_fqdn = undef,
|
||||||
$tls_proxy_port = 9292,
|
$tls_proxy_port = 9292,
|
||||||
) {
|
) {
|
||||||
if $enable_internal_tls and $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if $::hostname == downcase($bootstrap_node) {
|
if $::hostname == downcase($bootstrap_node) {
|
||||||
$sync_db = true
|
$sync_db = true
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -38,14 +38,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*gnocchi_backend*]
|
# [*gnocchi_backend*]
|
||||||
# (Optional) Gnocchi backend string file, swift or rbd
|
# (Optional) Gnocchi backend string file, swift or rbd
|
||||||
# Defaults to swift
|
# Defaults to swift
|
||||||
|
@ -64,7 +56,6 @@ class tripleo::profile::base::gnocchi::api (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
|
$gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
|
||||||
$gnocchi_network = hiera('gnocchi_api_network', undef),
|
$gnocchi_network = hiera('gnocchi_api_network', undef),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
|
@ -78,10 +69,6 @@ class tripleo::profile::base::gnocchi::api (
|
||||||
include ::tripleo::profile::base::gnocchi
|
include ::tripleo::profile::base::gnocchi
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$gnocchi_network {
|
if !$gnocchi_network {
|
||||||
fail('gnocchi_api_network is not set in the hieradata.')
|
fail('gnocchi_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -36,14 +36,6 @@
|
||||||
# (Optional) Whether or not loadbalancer is enabled.
|
# (Optional) Whether or not loadbalancer is enabled.
|
||||||
# Defaults to hiera('enable_load_balancer', true).
|
# Defaults to hiera('enable_load_balancer', true).
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*step*]
|
# [*step*]
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||||
# for more details.
|
# for more details.
|
||||||
|
@ -52,18 +44,10 @@
|
||||||
class tripleo::profile::base::haproxy (
|
class tripleo::profile::base::haproxy (
|
||||||
$certificates_specs = {},
|
$certificates_specs = {},
|
||||||
$enable_load_balancer = hiera('enable_load_balancer', true),
|
$enable_load_balancer = hiera('enable_load_balancer', true),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
if $step >= 1 {
|
if $step >= 1 {
|
||||||
if $enable_load_balancer {
|
if $enable_load_balancer {
|
||||||
if str2bool($generate_service_certificates) {
|
|
||||||
ensure_resources('tripleo::certmonger::haproxy', $certificates_specs)
|
|
||||||
# The haproxy fronends (or listen resources) depend on the certificate
|
|
||||||
# existing and need to be refreshed if it changed.
|
|
||||||
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
|
|
||||||
}
|
|
||||||
|
|
||||||
class {'::tripleo::haproxy':
|
class {'::tripleo::haproxy':
|
||||||
internal_certificates_specs => $certificates_specs,
|
internal_certificates_specs => $certificates_specs,
|
||||||
}
|
}
|
||||||
|
|
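Review bot: Dropping `Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>` leaves nothing in this profile that refreshes the HAProxy listeners when a certificate is issued or replaced, while `::tripleo::haproxy` still receives `internal_certificates_specs`. Unless the certmonger_user profile carries an equivalent notify (not visible on this page), HAProxy could keep serving the previous certificate after a renewal. Since resource collectors match resources declared in any class, the relationship can stay here unconditionally inside `if $enable_load_balancer`: `Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>`. If it has moved to the other profile instead, a one-line comment above the `class {'::tripleo::haproxy':` declaration saying so would help the next reader.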
|
@ -34,14 +34,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*heat_api_network*]
|
# [*heat_api_network*]
|
||||||
# (Optional) The network name where the heat API endpoint is listening on.
|
# (Optional) The network name where the heat API endpoint is listening on.
|
||||||
# This is set by t-h-t.
|
# This is set by t-h-t.
|
||||||
|
@ -55,17 +47,12 @@
|
||||||
class tripleo::profile::base::heat::api (
|
class tripleo::profile::base::heat::api (
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$heat_api_network = hiera('heat_api_network', undef),
|
$heat_api_network = hiera('heat_api_network', undef),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
include ::tripleo::profile::base::heat
|
include ::tripleo::profile::base::heat
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$heat_api_network {
|
if !$heat_api_network {
|
||||||
fail('heat_api_network is not set in the hieradata.')
|
fail('heat_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,14 +34,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*heat_api_cfn_network*]
|
# [*heat_api_cfn_network*]
|
||||||
# (Optional) The network name where the heat cfn endpoint is listening on.
|
# (Optional) The network name where the heat cfn endpoint is listening on.
|
||||||
# This is set by t-h-t.
|
# This is set by t-h-t.
|
||||||
|
@ -55,17 +47,12 @@
|
||||||
class tripleo::profile::base::heat::api_cfn (
|
class tripleo::profile::base::heat::api_cfn (
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$heat_api_cfn_network = hiera('heat_api_cfn_network', undef),
|
$heat_api_cfn_network = hiera('heat_api_cfn_network', undef),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
include ::tripleo::profile::base::heat
|
include ::tripleo::profile::base::heat
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$heat_api_cfn_network {
|
if !$heat_api_cfn_network {
|
||||||
fail('heat_api_cfn_network is not set in the hieradata.')
|
fail('heat_api_cfn_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,14 +34,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*heat_api_cloudwatch_network*]
|
# [*heat_api_cloudwatch_network*]
|
||||||
# (Optional) The network name where the heat cloudwatch endpoint is listening
|
# (Optional) The network name where the heat cloudwatch endpoint is listening
|
||||||
# on. This is set by t-h-t.
|
# on. This is set by t-h-t.
|
||||||
|
@ -55,17 +47,12 @@
|
||||||
class tripleo::profile::base::heat::api_cloudwatch (
|
class tripleo::profile::base::heat::api_cloudwatch (
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
|
$heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
include ::tripleo::profile::base::heat
|
include ::tripleo::profile::base::heat
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$heat_api_cloudwatch_network {
|
if !$heat_api_cloudwatch_network {
|
||||||
fail('heat_api_cloudwatch_network is not set in the hieradata.')
|
fail('heat_api_cloudwatch_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,14 +43,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*heat_admin_domain*]
|
# [*heat_admin_domain*]
|
||||||
# domain name for heat admin
|
# domain name for heat admin
|
||||||
# Defaults to undef
|
# Defaults to undef
|
||||||
|
@ -130,7 +122,6 @@ class tripleo::profile::base::keystone (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$heat_admin_domain = undef,
|
$heat_admin_domain = undef,
|
||||||
$heat_admin_email = undef,
|
$heat_admin_email = undef,
|
||||||
$heat_admin_password = undef,
|
$heat_admin_password = undef,
|
||||||
|
@ -163,10 +154,6 @@ class tripleo::profile::base::keystone (
|
||||||
}
|
}
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$public_endpoint_network {
|
if !$public_endpoint_network {
|
||||||
fail('keystone_public_api_network is not set in the hieradata.')
|
fail('keystone_public_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,14 +43,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*l3_ha_override*]
|
# [*l3_ha_override*]
|
||||||
# (Optional) Override the calculated value for neutron::server::l3_ha
|
# (Optional) Override the calculated value for neutron::server::l3_ha
|
||||||
# by default this is calculated to enable when DVR is not enabled
|
# by default this is calculated to enable when DVR is not enabled
|
||||||
|
@ -95,7 +87,6 @@ class tripleo::profile::base::neutron::server (
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$dvr_enabled = hiera('neutron::server::router_distributed', false),
|
$dvr_enabled = hiera('neutron::server::router_distributed', false),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$l3_ha_override = '',
|
$l3_ha_override = '',
|
||||||
$l3_nodes = hiera('neutron_l3_short_node_names', []),
|
$l3_nodes = hiera('neutron_l3_short_node_names', []),
|
||||||
$neutron_network = hiera('neutron_api_network', undef),
|
$neutron_network = hiera('neutron_api_network', undef),
|
||||||
|
@ -104,10 +95,6 @@ class tripleo::profile::base::neutron::server (
|
||||||
$tls_proxy_fqdn = undef,
|
$tls_proxy_fqdn = undef,
|
||||||
$tls_proxy_port = 9696,
|
$tls_proxy_port = 9696,
|
||||||
) {
|
) {
|
||||||
if $enable_internal_tls and $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if $::hostname == downcase($bootstrap_node) {
|
if $::hostname == downcase($bootstrap_node) {
|
||||||
$sync_db = true
|
$sync_db = true
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -36,14 +36,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*nova_api_network*]
|
# [*nova_api_network*]
|
||||||
# (Optional) The network name where the nova API endpoint is listening on.
|
# (Optional) The network name where the nova API endpoint is listening on.
|
||||||
# This is set by t-h-t.
|
# This is set by t-h-t.
|
||||||
|
@ -63,7 +55,6 @@ class tripleo::profile::base::nova::api (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$nova_api_network = hiera('nova_api_network', undef),
|
$nova_api_network = hiera('nova_api_network', undef),
|
||||||
$nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
|
$nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
|
@ -93,10 +84,6 @@ class tripleo::profile::base::nova::api (
|
||||||
# https://bugs.launchpad.net/nova/+bug/1661360
|
# https://bugs.launchpad.net/nova/+bug/1661360
|
||||||
if $nova_api_wsgi_enabled {
|
if $nova_api_wsgi_enabled {
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$nova_api_network {
|
if !$nova_api_network {
|
||||||
fail('nova_api_network is not set in the hieradata.')
|
fail('nova_api_network is not set in the hieradata.')
|
||||||
}
|
}
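Review bot: With the `ensure_resources('tripleo::certmonger::httpd', $certificates_specs)` call gone, the `if $enable_internal_tls` branch still only checks that `nova_api_network` is set; nothing in the hunk verifies that `$certificates_specs` holds an entry for that network, which a different profile is now expected to provide. If the certmonger_user profile is not applied to the node, the problem would presumably surface late, as Apache failing on a missing certificate or key, rather than at catalog compile time. A guard next to the existing one would make the dependency explicit, for example `if !$certificates_specs["httpd-${nova_api_network}"] { fail("no certificate spec for httpd-${nova_api_network}") }`; the key format is inferred from the 'httpd-bar' fixture in the spec file and should be confirmed. The same applies to the nova::placement and panko::api sections and to the `$certificate_specs['service_certificate']` lookup in the rabbitmq section. The class body continues outside the hunk.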
|
||||||
|
|
|
@ -36,14 +36,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*nova_placement_network*]
|
# [*nova_placement_network*]
|
||||||
# (Optional) The network name where the nova placement endpoint is listening on.
|
# (Optional) The network name where the nova placement endpoint is listening on.
|
||||||
# This is set by t-h-t.
|
# This is set by t-h-t.
|
||||||
|
@ -58,7 +50,6 @@ class tripleo::profile::base::nova::placement (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$nova_placement_network = hiera('nova_placement_network', undef),
|
$nova_placement_network = hiera('nova_placement_network', undef),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
|
@ -72,10 +63,6 @@ class tripleo::profile::base::nova::placement (
|
||||||
include ::tripleo::profile::base::nova::authtoken
|
include ::tripleo::profile::base::nova::authtoken
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$nova_placement_network {
|
if !$nova_placement_network {
|
||||||
fail('nova_placement_network is not set in the hieradata.')
|
fail('nova_placement_network is not set in the hieradata.')
|
||||||
}
|
}
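Review bot: `$generate_service_certificates` is dropped from the class signature with no deprecation path, so any resource-like declaration that still passes it will fail catalog compilation with an invalid-parameter error; the spec file in this commit passed it explicitly, so such callers may exist elsewhere. Keeping it for one cycle as `$generate_service_certificates = undef,` together with `if $generate_service_certificates != undef { warning('generate_service_certificates is deprecated here and has no effect; certificates are requested by the certmonger_user profile.') }` would make the transition visible to operators who expect this class to request the certificates. The header comment would then mark the parameter as deprecated instead of deleting its entry. The nova::api, panko::api and rabbitmq sections remove the parameter the same way.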
|
||||||
|
|
|
@ -38,14 +38,6 @@
|
||||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||||
# Defaults to hiera('enable_internal_tls', false)
|
# Defaults to hiera('enable_internal_tls', false)
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# HAProxy. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Note that this doesn't configure the certificates in haproxy, it merely
|
|
||||||
# creates the certificates.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*panko_network*]
|
# [*panko_network*]
|
||||||
# (Optional) The network name where the panko endpoint is listening on.
|
# (Optional) The network name where the panko endpoint is listening on.
|
||||||
# This is set by t-h-t.
|
# This is set by t-h-t.
|
||||||
|
@ -60,7 +52,6 @@ class tripleo::profile::base::panko::api (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$certificates_specs = hiera('apache_certificates_specs', {}),
|
$certificates_specs = hiera('apache_certificates_specs', {}),
|
||||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$panko_network = hiera('panko_api_network', undef),
|
$panko_network = hiera('panko_api_network', undef),
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
|
@ -73,10 +64,6 @@ class tripleo::profile::base::panko::api (
|
||||||
include ::tripleo::profile::base::panko
|
include ::tripleo::profile::base::panko
|
||||||
|
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !$panko_network {
|
if !$panko_network {
|
||||||
fail('panko_api_network is not set in the hieradata.')
|
fail('panko_api_network is not set in the hieradata.')
|
||||||
}
|
}
|
||||||
|
|
|
@ -42,12 +42,6 @@
|
||||||
# (Optional) RabbitMQ environment.
|
# (Optional) RabbitMQ environment.
|
||||||
# Defaults to hiera('rabbitmq_environment').
|
# Defaults to hiera('rabbitmq_environment').
|
||||||
#
|
#
|
||||||
# [*generate_service_certificates*]
|
|
||||||
# (Optional) Whether or not certmonger will generate certificates for
|
|
||||||
# MySQL. This could be as many as specified by the $certificates_specs
|
|
||||||
# variable.
|
|
||||||
# Defaults to hiera('generate_service_certificate', false).
|
|
||||||
#
|
|
||||||
# [*inet_dist_interface*]
|
# [*inet_dist_interface*]
|
||||||
# (Optional) Address to bind the inter-cluster interface
|
# (Optional) Address to bind the inter-cluster interface
|
||||||
# to. It is the inet_dist_use_interface option in the kernel variables
|
# to. It is the inet_dist_use_interface option in the kernel variables
|
||||||
|
@ -87,7 +81,6 @@ class tripleo::profile::base::rabbitmq (
|
||||||
$config_variables = hiera('rabbitmq_config_variables'),
|
$config_variables = hiera('rabbitmq_config_variables'),
|
||||||
$enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t
|
$enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t
|
||||||
$environment = hiera('rabbitmq_environment'),
|
$environment = hiera('rabbitmq_environment'),
|
||||||
$generate_service_certificates = hiera('generate_service_certificates', false),
|
|
||||||
$inet_dist_interface = hiera('rabbitmq::interface', undef),
|
$inet_dist_interface = hiera('rabbitmq::interface', undef),
|
||||||
$ipv6 = str2bool(hiera('rabbit_ipv6', false)),
|
$ipv6 = str2bool(hiera('rabbit_ipv6', false)),
|
||||||
$kernel_variables = hiera('rabbitmq_kernel_variables'),
|
$kernel_variables = hiera('rabbitmq_kernel_variables'),
|
||||||
|
@ -98,9 +91,6 @@ class tripleo::profile::base::rabbitmq (
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
) {
|
) {
|
||||||
if $enable_internal_tls {
|
if $enable_internal_tls {
|
||||||
if $generate_service_certificates {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs)
|
|
||||||
}
|
|
||||||
$tls_certfile = $certificate_specs['service_certificate']
|
$tls_certfile = $certificate_specs['service_certificate']
|
||||||
$tls_keyfile = $certificate_specs['service_key']
|
$tls_keyfile = $certificate_specs['service_key']
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -49,7 +49,6 @@ eos
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 1,
|
:step => 1,
|
||||||
:enable_internal_tls => true,
|
:enable_internal_tls => true,
|
||||||
:generate_service_certificates => true,
|
|
||||||
:nova_placement_network => 'bar',
|
:nova_placement_network => 'bar',
|
||||||
:certificates_specs => {
|
:certificates_specs => {
|
||||||
'httpd-bar' => {
|
'httpd-bar' => {
|
||||||
|
@ -63,7 +62,6 @@ eos
|
||||||
it {
|
it {
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova::placement')
|
is_expected.to contain_class('tripleo::profile::base::nova::placement')
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||||
is_expected.to contain_tripleo__certmonger__httpd('httpd-bar')
|
|
||||||
is_expected.to_not contain_class('nova::keystone::authtoken')
|
is_expected.to_not contain_class('nova::keystone::authtoken')
|
||||||
is_expected.to_not contain_class('nova::wsgi::apache_placement')
|
is_expected.to_not contain_class('nova::wsgi::apache_placement')
|
||||||
}
|
}
|
||||||
|
@ -87,7 +85,6 @@ eos
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 3,
|
:step => 3,
|
||||||
:enable_internal_tls => true,
|
:enable_internal_tls => true,
|
||||||
:generate_service_certificates => false,
|
|
||||||
:nova_placement_network => 'bar',
|
:nova_placement_network => 'bar',
|
||||||
:certificates_specs => {
|
:certificates_specs => {
|
||||||
'httpd-bar' => {
|
'httpd-bar' => {
|
||||||
|
@ -102,7 +99,6 @@ eos
|
||||||
it {
|
it {
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova::placement')
|
is_expected.to contain_class('tripleo::profile::base::nova::placement')
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||||
is_expected.to_not contain_tripleo__certmonger__httpd('foo')
|
|
||||||
is_expected.to contain_class('nova::keystone::authtoken')
|
is_expected.to contain_class('nova::keystone::authtoken')
|
||||||
is_expected.to contain_class('nova::wsgi::apache_placement').with(
|
is_expected.to contain_class('nova::wsgi::apache_placement').with(
|
||||||
:ssl_cert => '/foo.pem',
|
:ssl_cert => '/foo.pem',
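Review bot: The two certmonger expectations are deleted rather than inverted, so nothing in this spec pins the new contract that the placement profile no longer requests certificates itself. In the step 1 example, replacing the removed line with `is_expected.to_not contain_tripleo__certmonger__httpd('httpd-bar')` would catch a regression that reintroduces the request. The negative check removed from the step 3 example used the title 'foo', which does not match the 'httpd-bar' key in `:certificates_specs`, so a restored assertion there should use 'httpd-bar' as well. Both examples continue outside their hunks.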
|
||||||
|
|