d9451f49f3
Adds a flag ``kolla-ansible octavia-certificates --check-expiry <days>`` to the ``octavia-certificates`` command to check if the certificates will expire within a given number of days. Change-Id: I869b8afd85fe282d823ecf3593aa22f94a61b2a0
49 lines
2.0 KiB
YAML
49 lines
2.0 KiB
YAML
---
|
|
#####################
|
|
# Certificate options.
|
|
#####################
|
|
|
|
octavia_certs_work_dir: "{{ node_config }}/octavia-certificates"
|
|
|
|
# OpenSSL configuration file path.
|
|
octavia_certs_openssl_cnf_path: openssl.cnf
|
|
|
|
# For more info see: https://en.wikipedia.org/wiki/Certificate_signing_request
|
|
# Country; The two-letter ISO code for the country where your organization is located
|
|
octavia_certs_country: US
|
|
# Province, Region, County or State
|
|
octavia_certs_state: Oregon
|
|
# Business name / Organization
|
|
octavia_certs_organization: OpenStack
|
|
# Department Name / Organizational Unit
|
|
octavia_certs_organizational_unit: Octavia
|
|
|
|
# Server CA.
|
|
octavia_certs_server_ca_expiry: 3650
|
|
octavia_certs_server_ca_country: "{{ octavia_certs_country }}"
|
|
octavia_certs_server_ca_state: "{{ octavia_certs_state }}"
|
|
octavia_certs_server_ca_organization: "{{ octavia_certs_organization }}"
|
|
octavia_certs_server_ca_organizational_unit: "{{ octavia_certs_organizational_unit }}"
|
|
octavia_certs_server_ca_common_name: server-ca.example.org
|
|
|
|
# Client CA.
|
|
octavia_certs_client_ca_expiry: 3650
|
|
octavia_certs_client_ca_country: "{{ octavia_certs_country }}"
|
|
octavia_certs_client_ca_state: "{{ octavia_certs_state }}"
|
|
octavia_certs_client_ca_organization: "{{ octavia_certs_organization }}"
|
|
octavia_certs_client_ca_organizational_unit: "{{ octavia_certs_organizational_unit }}"
|
|
octavia_certs_client_ca_common_name: client-ca.example.org
|
|
|
|
# Client certificate.
|
|
octavia_certs_client_expiry: 365
|
|
octavia_certs_client_req_country: "{{ octavia_certs_country }}"
|
|
octavia_certs_client_req_state: "{{ octavia_certs_state }}"
|
|
octavia_certs_client_req_organization: "{{ octavia_certs_organization }}"
|
|
octavia_certs_client_req_organizational_unit: "{{ octavia_certs_organizational_unit }}"
|
|
# NOTE(yoctozepto): This should ideally be per controller, i.e. controller
|
|
# generates its key&CSR and this CA signs it.
|
|
octavia_certs_client_req_common_name: client.example.org
|
|
|
|
# Used with command `kolla-ansible octavia-certificates --check-expiry <days>`.
|
|
octavia_certs_check_expiry: "no"
|