summaryrefslogtreecommitdiffstats
path: root/manifests/profile/base/certmonger_user.pp
AgeCommit message (Collapse)AuthorFilesLines
2017-09-05Use TLS proxy for Redis' internal TLSMartin André1-0/+9
This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
2017-08-24TLS-everywhere/libvirt: Make postsave command configurableJuan Antonio Osorio Robles1-1/+8
This is requires for when libvirt is running over a container, since we shouldn't try to restart the libvirt process, but the container itself. bp tls-via-certmonger-containers Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
2017-08-18Certmonger: Make postsave command configurableJuan Antonio Osorio Robles1-2/+16
We need to make it configurable since these commands don't apply for containerized environments. This way we can restart containers or disable restarting and rely on other means. This stems from the issue that some services get accidentally started by certmonger on containerized environments, which makes the container initialization fail. bp tls-via-certmonger-containers Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
2017-08-11Modify resource dependencies of certmonger_user resourcesJuan Antonio Osorio Robles1-1/+4
In a containerized environment the haproxy class might not be defined, so this was made optional. On the other hand, this also retrieves the CRL before any certmonger_certificate resources are created. bp tls-via-certmonger-containers Change-Id: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
2017-08-02Ensure directory exists for certificates for haproxyJuan Antonio Osorio Robles1-0/+1
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: Iba3adb9464a755e67c6f87d1233b3affa8be565a
2017-06-08Use CRL for HAProxyJuan Antonio Osorio Robles1-0/+10
This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-05-17TLS everywhere: Add resources for mongodb's TLS configurationJuan Antonio Osorio Robles1-0/+9
bp tls-via-certmonger Change-Id: I85dda29bcad686372a74bd7f094bfd62777a3032
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-0/+9
2017-04-12Enable internal network TLS for etcdFeng Pan1-0/+9
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-11Ensure directory exists for certificates for httpdJuan Antonio Osorio Robles1-0/+1
We used to rely on a standard directory for the certificates and keys that are requested by certmonger. However, given the approach we plan to take for containers that's described in the blueprint, we need to use service-specific directories for the certs/keys, since we plan to bind-mount these into the containers, and we don't want to bind mount any keys/certs from other services. Thus, we start by creating this directories if they don't exist in the filesystem and adding the proper selinux labels. bp tls-via-certmonger-containers Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-04-07TLS-everywhere: Add resources for libvirt's cert for live migrationJuan Antonio Osorio Robles1-0/+12
This merely requests the certificates that will be used for libvirt's live migration if TLS-everywhere is enabled. bp tls-via-certmonger Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
2017-03-14Create profile to request certificates for the services in the nodeJuan Antonio Osorio Robles1-0/+77
This profile will specifically be used to create all the certificates required in the node. These are fetched from hiera and will be ran in the first step of the overcloud deployment and in the undercloud. The reasoning for this is that, with services moving to containers, we can't yet do these requests for certificates within the containers for the specific services. this is because the containers won't have credentials to the CA, while the baremetal node does. So instead we still do this on the baremetal node, and will subsequently bind mount the certificates to the containers that need them. Also, this gives us flexibility since this approach still works for the baremetal case. There will be a subsequent commit removing the certificate requests from the service-specific profiles. Change-Id: I4d2e62b5c1b893551f9478cf5f69173c334ac81f