summaryrefslogtreecommitdiffstats
path: root/puppet/services/nova-libvirt.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/services/nova-libvirt.yaml')
-rw-r--r--puppet/services/nova-libvirt.yaml37
1 files changed, 31 insertions, 6 deletions
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..4e762b57 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -1,4 +1,4 @@
-heat_template_version: ocata
+heat_template_version: pike
description: >
Libvirt service configured with Puppet
@@ -13,6 +13,14 @@ parameters:
DefaultPasswords:
default: {}
type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
@@ -41,16 +49,23 @@ parameters:
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
LibvirtCACert:
type: string
- default: '/etc/ipa/ca.crt'
+ default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
- be less than 65K (so we can't use the system's CA bundle). The
- current default reflects TripleO's default CA, which is
- FreeIPA. It will only be used if internal TLS is enabled.
+ be less than 65K (so we can't use the system's CA bundle).
+ This parameter should be used if the default (which comes from
+ the InternalTLSCAFile parameter) is not desired. The current
+ default reflects TripleO's default CA, which is FreeIPA.
+ It will only be used if internal TLS is enabled.
conditions:
@@ -63,6 +78,11 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration}
- true
+ libvirt_specific_ca_unset:
+ equals:
+ - {get_param: LibvirtCACert}
+ - ''
+
resources:
NovaBase:
type: ./nova-base.yaml
@@ -70,6 +90,8 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
@@ -113,7 +135,10 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
tripleo::certmonger::ca::libvirt::origin_ca_pem:
- get_param: LibvirtCACert
+ if:
+ - libvirt_specific_ca_unset
+ - get_param: InternalTLSCAFile
+ - get_param: LibvirtCACert
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
libvirt_certificates_specs: