Age | Commit message (Collapse) | Author | Files | Lines |
|
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
|
|
The extract-and-trust-ca actually needs /var/lib/certmonger/local/creds
file to be created, which is created when certmonger is started, not
when package is installed.
This patch change the exec dependency to run it only when service is
started.
Also, since the service create the file, let's relax the Exec a little
bit by allowing to retry 5 times after 1s break in case the Exec fails,
for example if service takes more than 5 seconds to create this file.
It will avoid us some race condition in the deployment.
Change-Id: I4cf4a04bddb8f042e8e8f7e1d1b69f846c533e3b
|
|
Installing the undercloud with generate_service_certificate=True
fails if HAProxy is not pre-installed. This is due to missing
dependency setting on our puppet manifests. We need to specify that
the PEM file needs to be written only if the haproxy user and group
exist (which comes from the package) and that the haproxy frontend
configuration needs to be notified if there are changes in the
certificates.
Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b
Closes-Bug: #1623805
|
|
This sets the subject alt name field for the certificates we
auto-generate, which will remove the security warnings we constantly
see in the undercloud. This is the proper way to set certificates,
since the usage of the CN as a replacement for the subjectAltName is
being deprecated (very slowly).
Change-Id: I475cbffd47425e850902838eec06bf461df2acd0
Closes-Bug: #1622446
|
|
This class extracts the certificate and adds it to the trusted certs.
bp tls-via-certmonger
Change-Id: I6dc1e0469cd7dbbb51659c8f29975d25b2941ec3
|
|
The principal is needed for kerberos-based solutions like FreeIPA.
bp tls-via-certmonger
Change-Id: Ie27848f522d11135b061aef766de2b696c77fcb9
|
|
This resource will be used in both the overcloud and the undercloud,
and can be called in several instances (for public-facing or
internal-facing certificates).
bp tls-via-certmonger
Change-Id: I0410fe0dbbed97d16909e911f7318d78a5bd7d7b
|