From 6ff78ce2fe49d828cad0d9aae3938390b1939f89 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 26 Apr 2017 12:38:22 +0300
Subject: Internal TLS: use common CA file parameter for libvirt CA cert

libvirt has its own parameter for setting the CA, however, if we have a
common CA for all services in the internal network (which we do), it's
more consistent to use the common parameter for configuring that CA
file.

The previous parameter was left in case the deployer wants to use a
specific CA file for the compute nodes.

Change-Id: I3d132d3d257d7ea9f43e49593f8509c3cd205ca5
---
 puppet/services/nova-libvirt.yaml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 21a5e78a..c3e6f4e4 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -41,16 +41,23 @@ parameters:
     description: If set to true and if EnableInternalTLS is enabled, it will
                  set the libvirt URI's transport to tls and configure the
                  relevant keys for libvirt.
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
   LibvirtCACert:
     type: string
-    default: '/etc/ipa/ca.crt'
+    default: ''
     description: This specifies the CA certificate to use for TLS in libvirt.
                  This file will be symlinked to the default CA path in libvirt,
                  which is /etc/pki/CA/cacert.pem. Note that due to limitations
                  GNU TLS, which is the TLS backend for libvirt, the file must
-                 be less than 65K (so we can't use the system's CA bundle). The
-                 current default reflects TripleO's default CA, which is
-                 FreeIPA. It will only be used if internal TLS is enabled.
+                 be less than 65K (so we can't use the system's CA bundle).
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
 
 conditions:
 
@@ -63,6 +70,11 @@ conditions:
       - {get_param: UseTLSTransportForLiveMigration}
       - true
 
+  libvirt_specific_ca_unset:
+    equals:
+      - {get_param: LibvirtCACert}
+      - ''
+
 resources:
   NovaBase:
     type: ./nova-base.yaml
@@ -113,7 +125,10 @@ outputs:
                     params:
                       $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                 tripleo::certmonger::ca::libvirt::origin_ca_pem:
-                  get_param: LibvirtCACert
+                  if:
+                    - libvirt_specific_ca_unset
+                    - get_param: InternalTLSCAFile
+                    - get_param: LibvirtCACert
                 tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
                 tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
                 libvirt_certificates_specs:
-- 
cgit 1.2.3-korg