kolla-ansible/ansible/roles/octavia-certificates/defaults/main.yml
Matt Crees d9451f49f3 Add support for checking Octavia cert expiration
Adds a flag ``kolla-ansible octavia-certificates --check-expiry <days>``
to the ``octavia-certificates`` command to check if the certificates
will expire within a given number of days.

Change-Id: I869b8afd85fe282d823ecf3593aa22f94a61b2a0
2023-04-27 15:22:12 +01:00

49 lines
2.0 KiB
YAML

---
#####################
# Certificate options.
#####################
octavia_certs_work_dir: "{{ node_config }}/octavia-certificates"
# OpenSSL configuration file path.
octavia_certs_openssl_cnf_path: openssl.cnf
# For more info see: https://en.wikipedia.org/wiki/Certificate_signing_request
# Country; The two-letter ISO code for the country where your organization is located
octavia_certs_country: US
# Province, Region, County or State
octavia_certs_state: Oregon
# Business name / Organization
octavia_certs_organization: OpenStack
# Department Name / Organizational Unit
octavia_certs_organizational_unit: Octavia
# Server CA.
octavia_certs_server_ca_expiry: 3650
octavia_certs_server_ca_country: "{{ octavia_certs_country }}"
octavia_certs_server_ca_state: "{{ octavia_certs_state }}"
octavia_certs_server_ca_organization: "{{ octavia_certs_organization }}"
octavia_certs_server_ca_organizational_unit: "{{ octavia_certs_organizational_unit }}"
octavia_certs_server_ca_common_name: server-ca.example.org
# Client CA.
octavia_certs_client_ca_expiry: 3650
octavia_certs_client_ca_country: "{{ octavia_certs_country }}"
octavia_certs_client_ca_state: "{{ octavia_certs_state }}"
octavia_certs_client_ca_organization: "{{ octavia_certs_organization }}"
octavia_certs_client_ca_organizational_unit: "{{ octavia_certs_organizational_unit }}"
octavia_certs_client_ca_common_name: client-ca.example.org
# Client certificate.
octavia_certs_client_expiry: 365
octavia_certs_client_req_country: "{{ octavia_certs_country }}"
octavia_certs_client_req_state: "{{ octavia_certs_state }}"
octavia_certs_client_req_organization: "{{ octavia_certs_organization }}"
octavia_certs_client_req_organizational_unit: "{{ octavia_certs_organizational_unit }}"
# NOTE(yoctozepto): This should ideally be per controller, i.e. controller
# generates its key&CSR and this CA signs it.
octavia_certs_client_req_common_name: client.example.org
# Used with command `kolla-ansible octavia-certificates --check-expiry <days>`.
octavia_certs_check_expiry: "no"