diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-26 12:38:22 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-05-03 12:46:14 +0300 |
commit | 6ff78ce2fe49d828cad0d9aae3938390b1939f89 (patch) | |
tree | a331a5e145ee55837658f9fa400fe160fa4e0ba4 /puppet | |
parent | 82ff1acf035d277dd2e7b9d7fc6e060ab2415144 (diff) |
Internal TLS: use common CA file parameter for libvirt CA cert
libvirt has its own parameter for setting the CA, however, if we have a
common CA for all services in the internal network (which we do), it's
more consistent to use the common parameter for configuring that CA
file.
The previous parameter was left in case the deployer wants to use a
specific CA file for the compute nodes.
Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/services/nova-libvirt.yaml | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 21a5e78a..c3e6f4e4 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -41,16 +41,23 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. LibvirtCACert: type: string - default: '/etc/ipa/ca.crt' + default: '' description: This specifies the CA certificate to use for TLS in libvirt. This file will be symlinked to the default CA path in libvirt, which is /etc/pki/CA/cacert.pem. Note that due to limitations GNU TLS, which is the TLS backend for libvirt, the file must - be less than 65K (so we can't use the system's CA bundle). The - current default reflects TripleO's default CA, which is - FreeIPA. It will only be used if internal TLS is enabled. + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. conditions: @@ -63,6 +70,11 @@ conditions: - {get_param: UseTLSTransportForLiveMigration} - true + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' + resources: NovaBase: type: ./nova-base.yaml @@ -113,7 +125,10 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo::certmonger::ca::libvirt::origin_ca_pem: - get_param: LibvirtCACert + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' libvirt_certificates_specs: |