diff options
Diffstat (limited to 'puppet/services/nova-libvirt.yaml')
-rw-r--r-- | puppet/services/nova-libvirt.yaml | 37 |
1 files changed, 31 insertions, 6 deletions
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 21a5e78a..4e762b57 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -1,4 +1,4 @@ -heat_template_version: ocata +heat_template_version: pike description: > Libvirt service configured with Puppet @@ -13,6 +13,14 @@ parameters: DefaultPasswords: default: {} type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -41,16 +49,23 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the relevant keys for libvirt. + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. LibvirtCACert: type: string - default: '/etc/ipa/ca.crt' + default: '' description: This specifies the CA certificate to use for TLS in libvirt. This file will be symlinked to the default CA path in libvirt, which is /etc/pki/CA/cacert.pem. Note that due to limitations GNU TLS, which is the TLS backend for libvirt, the file must - be less than 65K (so we can't use the system's CA bundle). The - current default reflects TripleO's default CA, which is - FreeIPA. It will only be used if internal TLS is enabled. + be less than 65K (so we can't use the system's CA bundle). + This parameter should be used if the default (which comes from + the InternalTLSCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. conditions: @@ -63,6 +78,11 @@ conditions: - {get_param: UseTLSTransportForLiveMigration} - true + libvirt_specific_ca_unset: + equals: + - {get_param: LibvirtCACert} + - '' + resources: NovaBase: type: ./nova-base.yaml @@ -70,6 +90,8 @@ resources: ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} outputs: role_data: @@ -113,7 +135,10 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo::certmonger::ca::libvirt::origin_ca_pem: - get_param: LibvirtCACert + if: + - libvirt_specific_ca_unset + - get_param: InternalTLSCAFile + - get_param: LibvirtCACert tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt' tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private' libvirt_certificates_specs: |