path: root/manifests/certmonger
Age | Commit message | Author | Files | Lines
2016-11-29 | Merge "Include local CA in haproxy PEM" | Jenkins | 1 | -2/+18
2016-11-25 | Enable internal TLS for MySQL | Juan Antonio Osorio Robles | 1 | -0/+84
This adds the necessary code in the manifest to configure TLS if internal TLS is enabled. This also adds the capability of auto-generating the certificate via certmonger.
bp tls-via-certmonger
Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-08 | Include local CA in haproxy PEM | Juan Antonio Osorio Robles | 1 | -2/+18
In order for the browser to trust the certificate served by HAProxy we need to include the CA cert in the PEM file that the endpoints serve.
Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
Closes-Bug: #1639807
2016-10-19 | Enable TLS in the internal network for keystone | Juan Antonio Osorio Robles | 1 | -0/+62
This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn, should also configure a command that should be run when the certificate is refreshed (which requires the service to be restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
2016-09-20 | certmonger: improve orchestration for puppet4 | Emilien Macchi | 1 | -4/+6
The extract-and-trust-ca actually needs the /var/lib/certmonger/local/creds file to be created, which is created when certmonger is started, not when the package is installed. This patch changes the exec dependency to run it only when the service is started. Also, since the service creates the file, let's relax the Exec a little bit by allowing it to retry 5 times after a 1s break in case the Exec fails, for example if the service takes more than 5 seconds to create this file. It will avoid some race conditions for us in the deployment.
Change-Id: I4cf4a04bddb8f042e8e8f7e1d1b69f846c533e3b
2016-09-15 | Fix dependencies for HAProxy when certmonger is used | Juan Antonio Osorio Robles | 1 | -4/+6
Installing the undercloud with generate_service_certificate=True fails if HAProxy is not pre-installed. This is due to a missing dependency setting in our puppet manifests. We need to specify that the PEM file needs to be written only if the haproxy user and group exist (which come from the package) and that the haproxy frontend configuration needs to be notified if there are changes in the certificates.
Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b
Closes-Bug: #1623805
2016-09-12 | Fill DNS name for haproxy certificates | Juan Antonio Osorio Robles | 1 | -0/+1
This sets the subject alt name field for the certificates we auto-generate, which will remove the security warnings we constantly see in the undercloud. This is the proper way to set certificates, since the usage of the CN as a replacement for the subjectAltName is being deprecated (very slowly).
Change-Id: I475cbffd47425e850902838eec06bf461df2acd0
Closes-Bug: #1622446
2016-07-21 | Add class to use certmonger's local CA | Juan Antonio Osorio Robles | 1 | -0/+37
This class extracts the certificate and adds it to the trusted certs.
bp tls-via-certmonger
Change-Id: I6dc1e0469cd7dbbb51659c8f29975d25b2941ec3
2016-07-18 | Add principal to certmonger's haproxy helper | Juan Antonio Osorio Robles | 1 | -0/+5
The principal is needed for kerberos-based solutions like FreeIPA.
bp tls-via-certmonger
Change-Id: Ie27848f522d11135b061aef766de2b696c77fcb9
2016-07-13 | Add resource for requesting certificates for HAProxy | Juan Antonio Osorio Robles | 1 | -0/+70
This resource will be used in both the overcloud and the undercloud, and can be called in several instances (for public-facing or internal-facing certificates).
bp tls-via-certmonger
Change-Id: I0410fe0dbbed97d16909e911f7318d78a5bd7d7b