authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-04-26 12:38:22 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-03 12:46:14 +0300
commit6ff78ce2fe49d828cad0d9aae3938390b1939f89 (patch)
treea331a5e145ee55837658f9fa400fe160fa4e0ba4 /puppet
parent82ff1acf035d277dd2e7b9d7fc6e060ab2415144 (diff)
Internal TLS: use common CA file parameter for libvirt CA cert
libvirt has its own parameter for setting the CA; however, since we have a common CA for all services in the internal network (which we do), it is more consistent to use the common parameter for configuring that CA file. The libvirt-specific parameter is kept in case the deployer wants to use a different CA file for the compute nodes. Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/nova-libvirt.yaml25
1 files changed, 20 insertions, 5 deletions
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..c3e6f4e4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -41,16 +41,23 @@ parameters:
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
LibvirtCACert:
type: string
- default: '/etc/ipa/ca.crt'
+ default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
- be less than 65K (so we can't use the system's CA bundle). The
- current default reflects TripleO's default CA, which is
- FreeIPA. It will only be used if internal TLS is enabled.
+ be less than 65K (so we can't use the system's CA bundle).
+ This parameter should be used if the default (which comes from
+ the InternalTLSCAFile parameter) is not desired. The current
+ default reflects TripleO's default CA, which is FreeIPA.
+ It will only be used if internal TLS is enabled.
conditions:
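Review bot: The new InternalTLSCAFile description does not carry the GnuTLS size constraint that the LibvirtCACert text below still states, yet with this change the common file is what gets symlinked to /etc/pki/CA/cacert.pem whenever LibvirtCACert is left empty, so a deployer who points InternalTLSCAFile at a system CA bundle (typically far larger than 65K) would break libvirt's TLS transport with no warning at the parameter level. I would extend the new description with `Note that unless LibvirtCACert is set, this file is also used as libvirt's CA and therefore must be smaller than 65K (see LibvirtCACert).` The reworded LibvirtCACert description is also slightly stale now: its "current default reflects TripleO's default CA" sentence describes InternalTLSCAFile's default, not this parameter's new empty default, so I'd reword it to `The default of InternalTLSCAFile reflects TripleO's default CA, which is FreeIPA.`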
@@ -63,6 +70,11 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration}
- true
+ libvirt_specific_ca_unset:
+ equals:
+ - {get_param: LibvirtCACert}
+ - ''
+
resources:
NovaBase:
type: ./nova-base.yaml
@@ -113,7 +125,10 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
tripleo::certmonger::ca::libvirt::origin_ca_pem:
- get_param: LibvirtCACert
+ if:
+ - libvirt_specific_ca_unset
+ - get_param: InternalTLSCAFile
+ - get_param: LibvirtCACert
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
libvirt_certificates_specs:
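Review bot: The `if:` fallback only covers LibvirtCACert being exactly '', so a deployer who also clears InternalTLSCAFile (both are plain strings with no constraint in the visible hunks) ends up with origin_ca_pem set to an empty path; whether that errors or silently leaves libvirt's trust anchor unconfigured depends on tripleo::certmonger::ca::libvirt, which is outside this diff, but for the parameter that decides which CA live-migration peers are verified against a silent outcome would be the worse one. I would make the template refuse the empty case rather than rely on Puppet: add `constraints:` / `- allowed_pattern: '.+'` under InternalTLSCAFile so a non-empty CA path is guaranteed before the fallback is ever taken. A one-line comment above the `if:` would also help the next reader, e.g. `# A libvirt-specific CA wins; otherwise fall back to the internal-network common CA.`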