diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-12-15 16:20:40 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-01-25 00:33:11 +0200 |
commit | 80086fd342032ec448a84ecf7c5dbe98d381450a (patch) | |
tree | 401b9f6d0e6f80930c90a0a48bcd3c435a03b8e7 /puppet/services/apache-internal-tls-certmonger.yaml | |
parent | 00938b0accff3a07954ff058e205f21a51583b56 (diff) |
Add metadata settings for needed kerberos principals
These are only used for TLS-everywhere, and fills up the kerberos
principals that will need to be created for the certs used by the
overcloud. With this, the metadata hook will format these principals
correctly and will further pass them on to the nova metadata service.
Where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
Diffstat (limited to 'puppet/services/apache-internal-tls-certmonger.yaml')
-rw-r--r-- | puppet/services/apache-internal-tls-certmonger.yaml | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 07ec1b3c..97d6ff8e 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml @@ -21,6 +21,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + ApacheNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the Apache role. @@ -38,13 +54,12 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [ApacheNetworks, value]} + metadata_settings: + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} |