All of the other SSL environments were converted, but this one was
missed. That's an inconsistent user experience and should be
cleaned up.
This environment also exposed a bug in the tool where it did not
include the parameter_defaults section key if all the parameters
were marked static.
Change-Id: I19bc422c22b9f60f781e696ce703b026dc317786
Closes-Bug:
1713761
(cherry picked from commit
7c06db3d1c384773c4abccbce450c259f75e5e4a)
+# ********************************************************************************
+# DEPRECATED: Use tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
+# instead.
+# ********************************************************************************
# A Heat environment file which can be used to enable a
# a TLS for in the internal network via certmonger
parameter_defaults:
--- /dev/null
+# *******************************************************************
+# This file was created automatically by the sample environment
+# generator. Developers should use `tox -e genconfig` to update it.
+# Users are recommended to make changes to a copy of the file instead
+# of the original, if any customizations are needed.
+# *******************************************************************
+# title: Enable SSL on OpenStack Internal Endpoints
+# description: |
+# A Heat environment file which can be used to enable TLS for the internal
+# network via certmonger
+parameter_defaults:
+ # ******************************************************
+ # Static parameters - these are values that must be
+ # included in the environment but should not be changed.
+ # ******************************************************
+ #
+ # Type: boolean
+ EnableInternalTLS: True
+
+ # Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host.
+ # Type: string
+ RabbitClientUseSSL: True
+
+ # Extra properties or metadata passed to Nova for the created nodes in the overcloud. It's accessible via the Nova metadata API.
+ # Type: json
+ ServerMetadata:
+ ipa_enroll: True
+
+ # *********************
+ # End static parameters
+ # *********************
+resource_registry:
+ OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml
+ OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
+ OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
+ OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
The contents of the private key go here
resource_registry:
OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml
+ -
+ name: ssl/enable-internal-tls
+ title: Enable SSL on OpenStack Internal Endpoints
+ description: |
+ A Heat environment file which can be used to enable TLS for the internal
+ network via certmonger
+ files:
+ puppet/all-nodes-config.yaml:
+ parameters:
+ - EnableInternalTLS
+ puppet/services/nova-base.yaml:
+ parameters:
+ - RabbitClientUseSSL
+ overcloud.yaml:
+ parameters:
+ - ServerMetadata
+ static:
+ - EnableInternalTLS
+ - RabbitClientUseSSL
+ - ServerMetadata
+ sample_values:
+ EnableInternalTLS: True
+ RabbitClientUseSSL: True
+ ServerMetadata: |-2
+
+ ipa_enroll: True
+ resource_registry:
+ OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
+ OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
+ # We use apache as a TLS proxy
+ OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
+ # Creates nova metadata that will create the extra service principals per
+ # node.
+ OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml
- name: ssl/inject-trust-anchor
title: Inject SSL Trust Anchor on Overcloud Nodes
description: |
for line in env_desc.splitlines():
env_file.write(u'# %s\n' % line)
- if parameter_defaults:
+ if parameter_defaults or static_defaults:
env_file.write(u'parameter_defaults:\n')
for name, value in sorted(parameter_defaults.items()):
write_sample_entry(env_file, name, value)