diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2015-11-03 15:27:28 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2015-11-25 15:16:08 +0200 |
commit | 14c4417e425f832660bd54118112fc991564b38d (patch) | |
tree | 41e257f24633dc26ee674a5300da659f96ebda56 /puppet/extraconfig/tls | |
parent | 97b12afbadeadac0be348b7cc263b090f6e6f0b8 (diff) |
Enable trust anchor injection
This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation
Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856
Diffstat (limited to 'puppet/extraconfig/tls')
-rw-r--r-- | puppet/extraconfig/tls/ca-inject.yaml | 66 | ||||
-rw-r--r-- | puppet/extraconfig/tls/no-ca.yaml | 17 |
2 files changed, 83 insertions, 0 deletions
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml new file mode 100644 index 00000000..7e34f071 --- /dev/null +++ b/puppet/extraconfig/tls/ca-inject.yaml @@ -0,0 +1,66 @@ +heat_template_version: 2015-04-30 + +description: > + This is a template which will inject the trusted anchor. + +parameters: + # Can be overriden via parameter_defaults in the environment + SSLRootCertificate: + description: > + The content of a CA's SSL certificate file in PEM format. + This is evaluated on the client side. + type: string + SSLRootCertificatePath: + default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem' + description: > + The filepath of the root certificate as it will be stored in the nodes. + Note that the path has to be one that can be picked up by the update + trust anchor command. e.g. in RHEL it would be + /etc/pki/ca-trust/source/anchors/ca.crt.pem + type: string + UpdateTrustAnchorsCommand: + default: update-ca-trust extract + description: > + command that will be executed to update the trust anchors. + type: string + + # Passed in by controller.yaml + server: + description: ID of the node to apply this config to + type: string + +resources: + CAConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: cacert_path + - name: cacert_content + - name: update_anchor_command + outputs: + - name: root_cert_md5sum + config: | + #!/bin/sh + cat > ${cacert_path} << EOF + ${cacert_content} + EOF + chmod 0440 ${cacert_path} + chown root:root ${cacert_path} + ${update_anchor_command} + md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum + + CADeployment: + type: OS::Heat::SoftwareDeployment + properties: + config: {get_resource: CAConfig} + server: {get_param: server} + input_values: + cacert_path: {get_param: SSLRootCertificatePath} + cacert_content: {get_param: SSLRootCertificate} + update_anchor_command: {get_param: UpdateTrustAnchorsCommand} + +outputs: + deploy_stdout: + description: Deployment reference + value: {get_attr: [CADeployment, root_cert_md5sum]} diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml new file mode 100644 index 00000000..5862a85c --- /dev/null +++ b/puppet/extraconfig/tls/no-ca.yaml @@ -0,0 +1,17 @@ +heat_template_version: 2015-04-30 + +description: > + This is a default no-op template which can be passed to the + OS::Nova::Server resources. This template can be replaced with + a different implementation via the resource registry, such that + deployers may customize their configuration. + +parameters: + server: # Here for compatibility with controller.yaml + description: ID of the controller node to apply this config to + type: string + +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: 'Root CA cert injection not enabled.' |