37a339d2b0
Configures certs/key for nova-novnc vencrypt when TLS is enabled on the internal network. A dedicated IPA sub-CA can be used to restrict access, however by default the main IPA CA is used. Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8 Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da
70 lines
2.0 KiB
YAML
70 lines
2.0 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
Requests certificates using certmonger through Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
DefaultCRLURL:
|
|
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
|
|
description: URI where to get the CRL to be configured in the nodes.
|
|
type: string
|
|
# NOTE(jaosorior): This is being set as IPA as it's the first
|
|
# CA we'll actually be testing out. But we can change this if
|
|
# people request it.
|
|
CertmongerCA:
|
|
type: string
|
|
default: 'IPA'
|
|
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
|
|
# automated and upgrades are addressed
|
|
CertmongerVncCA:
|
|
type: string
|
|
default: 'IPA'
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the certmonger-user service
|
|
value:
|
|
service_name: certmonger_user
|
|
config_settings:
|
|
if:
|
|
- internal_tls_enabled
|
|
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
|
|
certmonger_ca: {get_param: CertmongerCA}
|
|
certmonger_ca_vnc: {get_param: CertmongerVncCA}
|
|
- {}
|
|
step_config: |
|
|
include ::tripleo::profile::base::certmonger_user
|