summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-05-04 09:58:01 +0000
committerGerrit Code Review <review@openstack.org>2017-05-04 09:58:01 +0000
commitc37481b1e69a249682241c5da097e5c48d452e85 (patch)
tree433f180a26cbd12226306b4785cb3c3da2e70722 /puppet
parent3a8d43517812c5647a0177bad9fd043d7b6bddb8 (diff)
parent6ff78ce2fe49d828cad0d9aae3938390b1939f89 (diff)
Merge "Internal TLS: use common CA file parameter for libvirt CA cert"
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/nova-libvirt.yaml25
1 files changed, 20 insertions, 5 deletions
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..c3e6f4e4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -41,16 +41,23 @@ parameters:
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
LibvirtCACert:
type: string
- default: '/etc/ipa/ca.crt'
+ default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
- be less than 65K (so we can't use the system's CA bundle). The
- current default reflects TripleO's default CA, which is
- FreeIPA. It will only be used if internal TLS is enabled.
+ be less than 65K (so we can't use the system's CA bundle).
+ This parameter should be used if the default (which comes from
+ the InternalTLSCAFile parameter) is not desired. The current
+ default reflects TripleO's default CA, which is FreeIPA.
+ It will only be used if internal TLS is enabled.
conditions:
@@ -63,6 +70,11 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration}
- true
+ libvirt_specific_ca_unset:
+ equals:
+ - {get_param: LibvirtCACert}
+ - ''
+
resources:
NovaBase:
type: ./nova-base.yaml
@@ -113,7 +125,10 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
tripleo::certmonger::ca::libvirt::origin_ca_pem:
- get_param: LibvirtCACert
+ if:
+ - libvirt_specific_ca_unset
+ - get_param: InternalTLSCAFile
+ - get_param: LibvirtCACert
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
libvirt_certificates_specs: