aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/ceph-storage.yaml10
-rw-r--r--puppet/cinder-storage.yaml10
-rw-r--r--puppet/compute.yaml10
-rw-r--r--puppet/controller.yaml61
-rw-r--r--puppet/extraconfig/tls/ca-inject.yaml66
-rw-r--r--puppet/extraconfig/tls/no-ca.yaml17
-rw-r--r--puppet/extraconfig/tls/no-tls.yaml34
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml95
-rw-r--r--puppet/hieradata/controller.yaml106
-rw-r--r--puppet/manifests/overcloud_cephstorage.pp1
-rw-r--r--puppet/manifests/overcloud_compute.pp1
-rw-r--r--puppet/manifests/overcloud_controller.pp1
-rw-r--r--puppet/manifests/overcloud_controller_pacemaker.pp1
-rw-r--r--puppet/manifests/overcloud_object.pp1
-rw-r--r--puppet/manifests/overcloud_volume.pp1
-rw-r--r--puppet/swift-storage.yaml10
16 files changed, 406 insertions, 19 deletions
diff --git a/puppet/ceph-storage.yaml b/puppet/ceph-storage.yaml
index 0bf0fde4..7d36b46c 100644
--- a/puppet/ceph-storage.yaml
+++ b/puppet/ceph-storage.yaml
@@ -176,6 +176,13 @@ resources:
ceph::profile::params::cluster_network: {get_input: ceph_cluster_network}
ceph::profile::params::public_network: {get_input: ceph_public_network}
+ # Resource for site-specific injection of root certificate
+ NodeTLSCAData:
+ depends_on: CephStorageDeployment
+ type: OS::TripleO::NodeTLSCAData
+ properties:
+ server: {get_resource: CephStorage}
+
# Hook for site-specific additional pre-deployment config, e.g extra hieradata
CephStorageExtraConfigPre:
depends_on: CephStorageDeployment
@@ -186,7 +193,7 @@ resources:
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
- depends_on: CephStorageExtraConfigPre
+ depends_on: [CephStorageExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: CephStorage}
@@ -227,5 +234,6 @@ outputs:
list_join:
- ','
- - {get_attr: [CephStorageDeployment, deploy_stdout]}
+ - {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_attr: [CephStorageExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}
diff --git a/puppet/cinder-storage.yaml b/puppet/cinder-storage.yaml
index b500e43b..19d5bb51 100644
--- a/puppet/cinder-storage.yaml
+++ b/puppet/cinder-storage.yaml
@@ -257,10 +257,17 @@ resources:
snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
+ # Resource for site-specific injection of root certificate
+ NodeTLSCAData:
+ depends_on: BlockStorageDeployment
+ type: OS::TripleO::NodeTLSCAData
+ properties:
+ server: {get_resource: BlockStorage}
+
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
- depends_on: BlockStorageDeployment
+ depends_on: NodeTLSCAData
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: BlockStorage}
@@ -304,4 +311,5 @@ outputs:
list_join:
- ''
- - {get_attr: [BlockStorageDeployment, deploy_stdout]}
+ - {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_param: UpdateIdentifier}
diff --git a/puppet/compute.yaml b/puppet/compute.yaml
index 6ae39132..1d16a254 100644
--- a/puppet/compute.yaml
+++ b/puppet/compute.yaml
@@ -540,6 +540,13 @@ resources:
enable_package_install: {get_param: EnablePackageInstall}
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
+ # Resource for site-specific injection of root certificate
+ NodeTLSCAData:
+ depends_on: NovaComputeDeployment
+ type: OS::TripleO::NodeTLSCAData
+ properties:
+ server: {get_resource: NovaCompute}
+
# Hook for site-specific additional pre-deployment config, e.g extra hieradata
ComputeExtraConfigPre:
depends_on: NovaComputeDeployment
@@ -550,7 +557,7 @@ resources:
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
- depends_on: ComputeExtraConfigPre
+ depends_on: [ComputeExtraConfigPre, NodeTLSCAData]
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: NovaCompute}
@@ -602,5 +609,6 @@ outputs:
list_join:
- ','
- - {get_attr: [NovaComputeDeployment, deploy_stdout]}
+ - {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_attr: [ComputeExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 0c921eb6..9792e7dc 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -278,6 +278,14 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ ManageFirewall:
+ default: false
+ description: Whether to manage IPtables rules.
+ type: boolean
+ PurgeFirewallRules:
+ default: false
+ description: Whether IPtables rules should be purged before setting up the new ones.
+ type: boolean
MysqlClusterUniquePart:
description: A unique identifier of the MySQL cluster the controller is in.
type: string
@@ -514,20 +522,6 @@ parameters:
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true
- SSLCACertificate:
- default: ''
- description: If set, the contents of an SSL certificate authority file.
- type: string
- SSLCertificate:
- default: ''
- description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
- type: string
- hidden: true
- SSLKey:
- default: ''
- description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
- type: string
- hidden: true
SwiftHashSuffix:
default: unset
description: A random string to be used as a salt when hashing to determine mappings
@@ -611,6 +605,9 @@ parameters:
description: >
Heat action when to apply network configuration changes
default: ['CREATE']
+ NodeIndex:
+ type: number
+ default: 0
resources:
@@ -712,6 +709,21 @@ resources:
bridge_name: br-ex
interface_name: {get_param: NeutronPublicInterface}
+ # Resource for site-specific injection of root certificate
+ NodeTLSCAData:
+ depends_on: NetworkDeployment
+ type: OS::TripleO::NodeTLSCAData
+ properties:
+ server: {get_resource: Controller}
+
+ # Hook for site-specific passing of private keys/certificates
+ NodeTLSData:
+ depends_on: NodeTLSCAData
+ type: OS::TripleO::NodeTLSData
+ properties:
+ server: {get_resource: Controller}
+ NodeIndex: {get_param: NodeIndex}
+
ControllerDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: NetworkDeployment
@@ -825,6 +837,8 @@ resources:
enable_galera: {get_param: EnableGalera}
enable_ceph_storage: {get_param: EnableCephStorage}
enable_swift_storage: {get_param: EnableSwiftStorage}
+ manage_firewall: {get_param: ManageFirewall}
+ purge_firewall_rules: {get_param: PurgeFirewallRules}
mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
mysql_max_connections: {get_param: MysqlMaxConnections}
mysql_root_password: {get_param: MysqlRootPassword}
@@ -1280,6 +1294,9 @@ resources:
# Redis
redis::bind: {get_input: redis_network}
redis_vip: {get_input: redis_vip}
+ # Firewall
+ tripleo::firewall::manage_firewall: {get_input: manage_firewall}
+ tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
# Misc
memcached::listen_ip: {get_input: memcached_network}
neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
@@ -1289,6 +1306,12 @@ resources:
tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface}
tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface}
tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address}
+ # NOTE(jaosorior): The service certificate configuration for
+ # HAProxy was left commented because to properly use this, we
+ # need to be able to set up the keystone endpoints. And
+ # currently that is not possible, but is being addressed by
+ # other commits. A subsequent commit will uncomment this.
+ #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
tripleo::packages::enable_install: {get_input: enable_package_install}
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
@@ -1302,7 +1325,7 @@ resources:
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
- depends_on: ControllerExtraConfigPre
+ depends_on: [ControllerExtraConfigPre, NodeTLSData]
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: Controller}
@@ -1382,5 +1405,13 @@ outputs:
list_join:
- ','
- - {get_attr: [ControllerDeployment, deploy_stdout]}
+ - {get_attr: [NodeTLSCAData, deploy_stdout]}
+ - {get_attr: [NodeTLSData, deploy_stdout]}
- {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}
+ tls_key_modulus_md5:
+ description: MD5 checksum of the TLS Key Modulus
+ value: {get_attr: [NodeTLSData, key_modulus_md5]}
+ tls_cert_modulus_md5:
+ description: MD5 checksum of the TLS Certificate Modulus
+ value: {get_attr: [NodeTLSData, cert_modulus_md5]}
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
new file mode 100644
index 00000000..7e34f071
--- /dev/null
+++ b/puppet/extraconfig/tls/ca-inject.yaml
@@ -0,0 +1,66 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will inject the trusted anchor.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLRootCertificate:
+ description: >
+ The content of a CA's SSL certificate file in PEM format.
+ This is evaluated on the client side.
+ type: string
+ SSLRootCertificatePath:
+ default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
+ description: >
+ The filepath of the root certificate as it will be stored in the nodes.
+ Note that the path has to be one that can be picked up by the update
+ trust anchor command. e.g. in RHEL it would be
+ /etc/pki/ca-trust/source/anchors/ca.crt.pem
+ type: string
+ UpdateTrustAnchorsCommand:
+ default: update-ca-trust extract
+ description: >
+ command that will be executed to update the trust anchors.
+ type: string
+
+ # Passed in by controller.yaml
+ server:
+ description: ID of the node to apply this config to
+ type: string
+
+resources:
+ CAConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cacert_path
+ - name: cacert_content
+ - name: update_anchor_command
+ outputs:
+ - name: root_cert_md5sum
+ config: |
+ #!/bin/sh
+ cat > ${cacert_path} << EOF
+ ${cacert_content}
+ EOF
+ chmod 0440 ${cacert_path}
+ chown root:root ${cacert_path}
+ ${update_anchor_command}
+ md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
+
+ CADeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: CAConfig}
+ server: {get_param: server}
+ input_values:
+ cacert_path: {get_param: SSLRootCertificatePath}
+ cacert_content: {get_param: SSLRootCertificate}
+ update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [CADeployment, root_cert_md5sum]}
diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644
index 00000000..5862a85c
--- /dev/null
+++ b/puppet/extraconfig/tls/no-ca.yaml
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template which can be passed to the
+ OS::Nova::Server resources. This template can be replaced with
+ a different implementation via the resource registry, such that
+ deployers may customize their configuration.
+
+parameters:
+ server: # Here for compatibility with controller.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'Root CA cert injection not enabled.'
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..2da209cb
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,34 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template. This defines the parameters that
+ need to be passed in order to have TLS enabled in the controller
+ nodes. This template can be replaced with a different
+ implementation via the resource registry, such that deployers
+ may customize their configuration.
+
+parameters:
+ DeployedSSLCertificatePath:
+ default: ''
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+ NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+ default: 0
+ type: number
+ server: # Here for compatibility with tls-cert-inject.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'TLS not enabled.'
+ deployed_ssl_certificate_path:
+ value: ''
+ key_modulus_md5:
+ description: Key SSL Modulus
+ value: ''
+ cert_modulus_md5:
+ description: Certificate SSL Modulus
+ value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..739a51ad
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,95 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will build the TLS Certificates necessary
+ for the load balancer using the given parameters.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ SSLIntermediateCertificate:
+ default: ''
+ description: >
+ The content of an SSL intermediate CA certificate in PEM format.
+ type: string
+ SSLKey:
+ default: ''
+ description: >
+ The content of the SSL Key in PEM format.
+ type: string
+ hidden: true
+
+ # Can be overriden by parameter_defaults if the user wants to try deploying
+ # this in a distro that doesn't support this path.
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+
+ # Passed in by the controller
+ NodeIndex:
+ default: 0
+ type: number
+ server:
+ description: ID of the controller node to apply this config to
+ type: string
+
+resources:
+ ControllerTLSConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cert_path
+ - name: cert_chain_content
+ outputs:
+ - name: chain_md5sum
+ - name: cert_modulus
+ - name: key_modulus
+ config: |
+ #!/bin/sh
+ cat << EOF | tee ${cert_path} > /dev/null
+ ${cert_chain_content}
+ EOF
+ chmod 0440 ${cert_path}
+ chown root:haproxy ${cert_path}
+ md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+ openssl x509 -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.cert_modulus
+ openssl rsa -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.key_modulus
+
+ ControllerTLSDeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: ControllerTLSConfig}
+ server: {get_param: server}
+ input_values:
+ cert_path: {get_param: DeployedSSLCertificatePath}
+ cert_chain_content:
+ list_join:
+ - ''
+ - - {get_param: SSLCertificate}
+ - {get_param: SSLIntermediateCertificate}
+ - {get_param: SSLKey}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+ deployed_ssl_certificate_path:
+ description: The location that the TLS certificate was deployed to.
+ value: {get_param: DeployedSSLCertificatePath}
+ key_modulus_md5:
+ description: MD5 checksum of the Key SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+ cert_modulus_md5:
+ description: MD5 checksum of the Certificate SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index a4914c0e..f42ddf6c 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -127,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true
tripleo::loadbalancer::horizon: true
controller_classes: []
+# firewall
+tripleo::firewall::firewall_rules:
+ '101 mongodb_config':
+ port: 27019
+ '102 mongodb_sharding':
+ port: 27018
+ '103 mongod':
+ port: 27017
+ '104 mysql galera':
+ port:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
+ '105 ntp':
+ port: 123
+ proto: udp
+ '106 vrrp':
+ proto: vrrp
+ '107 haproxy stats':
+ port: 1993
+ '108 redis':
+ port:
+ - 6379
+ - 26379
+ '109 rabbitmq':
+ port:
+ - 5672
+ - 35672
+ '110 ceph':
+ port:
+ - 6789
+ - '6800-6810'
+ '111 keystone':
+ port:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
+ '112 glance':
+ port:
+ - 9292
+ - 9191
+ - 13292
+ '113 nova':
+ port:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
+ '114 neutron server':
+ port:
+ - 9696
+ - 13696
+ '115 neutron dhcp input':
+ proto: 'udp'
+ port: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ port: 68
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ port: 4789
+ '119 cinder':
+ port:
+ - 8776
+ - 13776
+ '120 iscsi initiator':
+ port: 3260
+ '121 memcached':
+ port: 11211
+ '122 swift proxy':
+ port:
+ - 8080
+ - 13808
+ '123 swift storage':
+ port:
+ - 873
+ - 6000
+ - 6001
+ - 6002
+ '124 ceilometer':
+ port:
+ - 8777
+ - 13777
+ '125 heat':
+ port:
+ - 8000
+ - 13800
+ - 8003
+ - 13003
+ - 8004
+ - 13004
+ '126 horizon':
+ port:
+ - 80
+ - 443
+ '127 snmp':
+ port: 161
+ proto: 'udp'
diff --git a/puppet/manifests/overcloud_cephstorage.pp b/puppet/manifests/overcloud_cephstorage.pp
index 51f5e88d..7f8970cc 100644
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/manifests/overcloud_compute.pp b/puppet/manifests/overcloud_compute.pp
index cd41cc79..58182346 100644
--- a/puppet/manifests/overcloud_compute.pp
+++ b/puppet/manifests/overcloud_compute.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index 570c43ba..f758c55a 100644
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
if hiera('step') >= 1 {
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 2a3f1f92..95b7992c 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -19,6 +19,7 @@ Pcmk_resource <| |> {
}
include ::tripleo::packages
+include ::tripleo::firewall
if $::hostname == downcase(hiera('bootstrap_nodeid')) {
$pacemaker_master = true
diff --git a/puppet/manifests/overcloud_object.pp b/puppet/manifests/overcloud_object.pp
index 5f0b4c82..1eabddf1 100644
--- a/puppet/manifests/overcloud_object.pp
+++ b/puppet/manifests/overcloud_object.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/manifests/overcloud_volume.pp b/puppet/manifests/overcloud_volume.pp
index 7f24959a..2bdd8a9c 100644
--- a/puppet/manifests/overcloud_volume.pp
+++ b/puppet/manifests/overcloud_volume.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml
index 19a7c7a3..b1746dcb 100644
--- a/puppet/swift-storage.yaml
+++ b/puppet/swift-storage.yaml
@@ -218,10 +218,17 @@ resources:
enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}
+ # Resource for site-specific injection of root certificate
+ NodeTLSCAData:
+ depends_on: SwiftStorageHieraDeploy
+ type: OS::TripleO::NodeTLSCAData
+ properties:
+ server: {get_resource: SwiftStorage}
+
# Hook for site-specific additional pre-deployment config,
# applying to all nodes, e.g node registration/unregistration
NodeExtraConfig:
- depends_on: SwiftStorageHieraDeploy
+ depends_on: NodeTLSCAData
type: OS::TripleO::NodeExtraConfig
properties:
server: {get_resource: SwiftStorage}
@@ -272,4 +279,5 @@ outputs:
list_join:
- ','
- - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]}
+ - {get_attr: [NodeTLSCAData, deploy_stdout]}
- {get_param: UpdateIdentifier}