diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2015-11-03 15:19:18 +0200 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2015-11-23 11:55:26 +0200 |
| commit | 97b12afbadeadac0be348b7cc263b090f6e6f0b8 (patch) | |
| tree | 2861d938b7f27a97441b3c38d667fdb952df9370 /puppet/controller.yaml | |
| parent | f6093f3081d70496ca99a358a2e484a85ff02926 (diff) | |
Inject TLS certificate and keys for the Overcloud
This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.
And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.
Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
Diffstat (limited to 'puppet/controller.yaml')
| -rw-r--r-- | puppet/controller.yaml | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 0c921eb6..e6289219 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -514,20 +514,6 @@ parameters: description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true - SSLCACertificate: - default: '' - description: If set, the contents of an SSL certificate authority file. - type: string - SSLCertificate: - default: '' - description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints. - type: string - hidden: true - SSLKey: - default: '' - description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints. - type: string - hidden: true SwiftHashSuffix: default: unset description: A random string to be used as a salt when hashing to determine mappings @@ -611,6 +597,9 @@ parameters: description: > Heat action when to apply network configuration changes default: ['CREATE'] + NodeIndex: + type: number + default: 0 resources: @@ -712,6 +701,14 @@ resources: bridge_name: br-ex interface_name: {get_param: NeutronPublicInterface} + # Hook for site-specific passing of private keys/certificates + NodeTLSData: + depends_on: NetworkDeployment + type: OS::TripleO::NodeTLSData + properties: + server: {get_resource: Controller} + NodeIndex: {get_param: NodeIndex} + ControllerDeployment: type: OS::TripleO::SoftwareDeployment depends_on: NetworkDeployment @@ -1289,6 +1286,12 @@ resources: tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface} tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface} tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address} + # NOTE(jaosorior): The service certificate configuration for + # HAProxy was left commented because to properly use this, we + # need to be able to set up the keystone endpoints. And + # currently that is not possible, but is being addressed by + # other commits. A subsequent commit will uncomment this. + #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::packages::enable_install: {get_input: enable_package_install} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} @@ -1382,5 +1385,6 @@ outputs: list_join: - ',' - - {get_attr: [ControllerDeployment, deploy_stdout]} + - {get_attr: [NodeTLSData, deploy_stdout]} - {get_attr: [ControllerExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} |