Enable trust anchor injection
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Tue, 3 Nov 2015 13:27:28 +0000 (15:27 +0200)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Wed, 25 Nov 2015 13:16:08 +0000 (15:16 +0200)
This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This covers the case where
the TLS certificates for the controllers are signed with a self-signed CA,
or where the deployer would like to inject a relevant root certificate
for other purposes. In that case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation.

Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856

environments/inject-trust-anchor.yaml [new file with mode: 0644]
overcloud-resource-registry-puppet.yaml
puppet/ceph-storage.yaml
puppet/cinder-storage.yaml
puppet/compute.yaml
puppet/controller.yaml
puppet/extraconfig/tls/ca-inject.yaml [new file with mode: 0644]
puppet/extraconfig/tls/no-ca.yaml [new file with mode: 0644]
puppet/swift-storage.yaml

diff --git a/environments/inject-trust-anchor.yaml b/environments/inject-trust-anchor.yaml
new file mode 100644 (file)
index 0000000..3ecb0d2
--- /dev/null
@@ -0,0 +1,6 @@
+parameter_defaults:
+  SSLRootCertificate: |
+    The contents of your root CA certificate go here
+
+resource_registry:
+  OS::TripleO::NodeTLSCAData: ../puppet/extraconfig/tls/ca-inject.yaml
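Review bot: The placeholder `The contents of your root CA certificate go here` is a live default for `SSLRootCertificate`, so a deployer who includes this environment without overriding it gets a deployment that writes that sentence to the anchor path and runs the update command, and nothing rejects it. Because `ca-inject.yaml` declares `SSLRootCertificate` without a default, dropping it from `parameter_defaults` here (keeping only the `resource_registry` mapping) would make Heat fail validation when the value is missing, which is the safer failure. If the placeholder is kept for documentation, a comment above it such as `# Replace with the PEM-encoded root CA certificate; this literal text is not a certificate` would at least make the intent explicit.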
index bf1cc25..18824ac 100644 (file)
@@ -33,6 +33,7 @@ resource_registry:
   # NodeExtraConfig == All nodes configuration pre service deployment
   # NodeExtraConfigPost == All nodes configuration post service deployment
   OS::TripleO::NodeUserData: firstboot/userdata_default.yaml
+  OS::TripleO::NodeTLSCAData: puppet/extraconfig/tls/no-ca.yaml
   OS::TripleO::NodeTLSData: puppet/extraconfig/tls/no-tls.yaml
   OS::TripleO::ControllerExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
   OS::TripleO::ComputeExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
index 0bf0fde..7d36b46 100644 (file)
@@ -176,6 +176,13 @@ resources:
                 ceph::profile::params::cluster_network: {get_input: ceph_cluster_network}
                 ceph::profile::params::public_network: {get_input: ceph_public_network}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: CephStorageDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: CephStorage}
+
   # Hook for site-specific additional pre-deployment config, e.g extra hieradata
   CephStorageExtraConfigPre:
     depends_on: CephStorageDeployment
@@ -186,7 +193,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: CephStorageExtraConfigPre
+    depends_on: [CephStorageExtraConfigPre, NodeTLSCAData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: CephStorage}
@@ -227,5 +234,6 @@ outputs:
       list_join:
       - ','
       - - {get_attr: [CephStorageDeployment, deploy_stdout]}
+        - {get_attr: [NodeTLSCAData, deploy_stdout]}
         - {get_attr: [CephStorageExtraConfigPre, deploy_stdout]}
         - {get_param: UpdateIdentifier}
index b500e43..19d5bb5 100644 (file)
@@ -257,10 +257,17 @@ resources:
                 snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
                 snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: BlockStorageDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: BlockStorage}
+
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: BlockStorageDeployment
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: BlockStorage}
@@ -304,4 +311,5 @@ outputs:
       list_join:
         - ''
         - - {get_attr: [BlockStorageDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_param: UpdateIdentifier}
index 6ae3913..1d16a25 100644 (file)
@@ -540,6 +540,13 @@ resources:
         enable_package_install: {get_param: EnablePackageInstall}
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: NovaComputeDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: NovaCompute}
+
   # Hook for site-specific additional pre-deployment config, e.g extra hieradata
   ComputeExtraConfigPre:
     depends_on: NovaComputeDeployment
@@ -550,7 +557,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: ComputeExtraConfigPre
+    depends_on: [ComputeExtraConfigPre, NodeTLSCAData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: NovaCompute}
@@ -602,5 +609,6 @@ outputs:
       list_join:
       - ','
       - - {get_attr: [NovaComputeDeployment, deploy_stdout]}
+        - {get_attr: [NodeTLSCAData, deploy_stdout]}
         - {get_attr: [ComputeExtraConfigPre, deploy_stdout]}
         - {get_param: UpdateIdentifier}
index e628921..81fa6c1 100644 (file)
@@ -701,9 +701,16 @@ resources:
         bridge_name: br-ex
         interface_name: {get_param: NeutronPublicInterface}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: NetworkDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: Controller}
+
   # Hook for site-specific passing of private keys/certificates
   NodeTLSData:
-    depends_on: NetworkDeployment
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeTLSData
     properties:
       server: {get_resource: Controller}
@@ -1305,7 +1312,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: ControllerExtraConfigPre
+    depends_on: [ControllerExtraConfigPre, NodeTLSData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: Controller}
@@ -1385,6 +1392,7 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [ControllerDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_attr: [NodeTLSData, deploy_stdout]}
           - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
           - {get_param: UpdateIdentifier}
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
new file mode 100644 (file)
index 0000000..7e34f07
--- /dev/null
@@ -0,0 +1,66 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a template which will inject the trusted anchor.
+
+parameters:
+  # Can be overriden via parameter_defaults in the environment
+  SSLRootCertificate:
+    description: >
+      The content of a CA's SSL certificate file in PEM format.
+      This is evaluated on the client side.
+    type: string
+  SSLRootCertificatePath:
+    default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
+    description: >
+      The filepath of the root certificate as it will be stored in the nodes.
+      Note that the path has to be one that can be picked up by the update
+      trust anchor command. e.g. in RHEL it would be
+      /etc/pki/ca-trust/source/anchors/ca.crt.pem
+    type: string
+  UpdateTrustAnchorsCommand:
+    default: update-ca-trust extract
+    description: >
+        command that will be executed to update the trust anchors.
+    type: string
+
+  # Passed in by controller.yaml
+  server:
+    description: ID of the node to apply this config to
+    type: string
+
+resources:
+  CAConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: cacert_path
+        - name: cacert_content
+        - name: update_anchor_command
+      outputs:
+        - name: root_cert_md5sum
+      config: |
+        #!/bin/sh
+        cat > ${cacert_path} << EOF
+        ${cacert_content}
+        EOF
+        chmod 0440 ${cacert_path}
+        chown root:root ${cacert_path}
+        ${update_anchor_command}
+        md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
+
+  CADeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      config: {get_resource: CAConfig}
+      server: {get_param: server}
+      input_values:
+        cacert_path: {get_param: SSLRootCertificatePath}
+        cacert_content: {get_param: SSLRootCertificate}
+        update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference
+    value: {get_attr: [CADeployment, root_cert_md5sum]}
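Review bot: The `CAConfig` script has no `set -e`, so if `cat` cannot write `${cacert_path}` (for example when the anchors directory does not exist on the image) or `${update_anchor_command}` exits non-zero, execution continues and the deployment's status is that of the final `md5sum`, reporting success although the node's trust store was never updated; add `set -e` directly after `#!/bin/sh` so a failed step fails the deployment. Quoting the path expansions (`"${cacert_path}"`) would also be cheap, though the default path contains no whitespace. The comment `# Passed in by controller.yaml` above the `server` parameter is stale now that ceph-storage, cinder-storage, compute and swift-storage pass `server` as well; the same applies to `ID of the controller node to apply this config to` in no-ca.yaml, which should read `ID of the node to apply this config to` as it does in this file.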
diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644 (file)
index 0000000..5862a85
--- /dev/null
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template which can be passed to the
+  OS::Nova::Server resources. This template can be replaced with
+  a different implementation via the resource registry, such that
+  deployers may customize their configuration.
+
+parameters:
+  server:    # Here for compatibility with controller.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'Root CA cert injection not enabled.'
index 19a7c7a..b1746dc 100644 (file)
@@ -218,10 +218,17 @@ resources:
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
         swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: SwiftStorageHieraDeploy
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: SwiftStorage}
+
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: SwiftStorageHieraDeploy
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: SwiftStorage}
@@ -272,4 +279,5 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_param: UpdateIdentifier}