diff options
author | Jenkins <jenkins@review.openstack.org> | 2017-05-04 09:58:01 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-05-04 09:58:01 +0000 |
commit | c37481b1e69a249682241c5da097e5c48d452e85 (patch) | |
tree | 433f180a26cbd12226306b4785cb3c3da2e70722 /puppet | |
parent | 3a8d43517812c5647a0177bad9fd043d7b6bddb8 (diff) | |
parent | 6ff78ce2fe49d828cad0d9aae3938390b1939f89 (diff) |
Merge "Internal TLS: use common CA file parameter for libvirt CA cert"
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/services/nova-libvirt.yaml | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 21a5e78a..c3e6f4e4 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -41,16 +41,23 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. LibvirtCACert: type: string - default: '/etc/ipa/ca.crt' + default: '' description: This specifies the CA certificate to use for TLS in libvirt. This file will be symlinked to the default CA path in libvirt, which is /etc/pki/CA/cacert.pem. Note that due to limitations GNU TLS, which is the TLS backend for libvirt, the file must - be less than 65K (so we can't use the system's CA bundle). The - current default reflects TripleO's default CA, which is - FreeIPA. It will only be used if internal TLS is enabled. + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. conditions: @@ -63,6 +70,11 @@ conditions: - {get_param: UseTLSTransportForLiveMigration} - true + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' + resources: NovaBase: type: ./nova-base.yaml @@ -113,7 +125,10 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo::certmonger::ca::libvirt::origin_ca_pem: - get_param: LibvirtCACert + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' libvirt_certificates_specs: |