Add new parameter PublicTLSCACert

We've been using InternalTLSCAFile parameter when enabling public TLS for undercloud and is quite confusing. We recently changed to use it in clouds.yaml and it would break when both public and internal TLS are enabled for overcloud and both use different CA certs. This adds a new parameter which we will use in clouds.yaml, that would default to empty string assuming that the certificates are trusted. Closes-Bug: #1883818 Change-Id: Id6f612a91255b3158be821c363ca852c6b5d7496 Depends-On: https://review.opendev.org/737998
openstack-archive · Jun 25, 2020 · 2acb0d3 · 2acb0d3
1 parent 708ad27
commit 2acb0d3
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 16 deletions.
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
@@ -67,11 +67,11 @@ parameters:
     description: >
       Whether to enable TLS on the public interface or not.
     type: boolean
-  InternalTLSCAFile:
-    default: '/etc/ipa/ca.crt'
+  PublicTLSCAFile:
+    default: ''
     type: string
     description: Specifies the default CA cert to use if TLS is used for
-                 services in the internal network.
+                 services in the public network.
   EnableInternalTLS:
     type: boolean
     default: false
@@ -761,7 +761,7 @@ outputs:
                   cacert:
                     if:
                       - public_tls_enabled
-                      - {get_param: InternalTLSCAFile}
+                      - {get_param: PublicTLSCAFile}
                       - ''
                   identity_api_version: '3'
                   region_name: {get_param: KeystoneRegion}

diff --git a/environments/public-tls-undercloud.yaml b/environments/public-tls-undercloud.yaml
@@ -1,5 +1,6 @@
 parameter_defaults:
   InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
+  PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
   PublicSSLCertificateAutogenerated: true
 
 resource_registry:

diff --git a/environments/ssl/enable-internal-tls.j2.yaml b/environments/ssl/enable-internal-tls.j2.yaml
@@ -9,10 +9,6 @@
 #   A Heat environment file which can be used to enable TLS for the internal
 #   network via certmonger
 parameter_defaults:
-  # Specifies the default CA cert to use if TLS is used for services in the internal network.
-  # Type: string
-  InternalTLSCAFile: /etc/ipa/ca.crt
-
   # ******************************************************
   # Static parameters - these are values that must be
   # included in the environment but should not be changed.

diff --git a/environments/ssl/enable-tls.yaml b/environments/ssl/enable-tls.yaml
@@ -14,9 +14,9 @@ parameter_defaults:
   # Type: boolean
   HorizonSecureCookies: True
 
-  # Specifies the default CA cert to use if TLS is used for services in the internal network.
+  # Specifies the default CA cert to use if TLS is used for services in the public network.
   # Type: string
-  InternalTLSCAFile: ''
+  PublicTLSCAFile: ''
 
   # The content of the SSL certificate (without Key) in PEM format.
   # Type: string

diff --git a/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml b/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - Added new PublicTLSCAFile parameter, that is used to set the
+    ca cert in clouds.yaml for keystone public endpoint. This
+    defaults to empty string ('') assuming that the certs are
+    already trusted.
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
@@ -14,7 +14,7 @@ environments:
           - HorizonSecureCookies
       deployment/keystone/keystone-container-puppet.yaml:
         parameters:
-          - InternalTLSCAFile
+          - PublicTLSCAFile
     static:
       # This should probably be private, but for testing static params I'm
       # setting it as such for now.
@@ -27,7 +27,7 @@ environments:
         |
             The contents of the private key go here
       HorizonSecureCookies: True
-      InternalTLSCAFile: ''
+      PublicTLSCAFile: ''
   -
     name: ssl/enable-internal-tls
     title: Enable SSL on OpenStack Internal Endpoints
@@ -38,9 +38,6 @@ environments:
       common/post.yaml:
         parameters:
           - EnableInternalTLS
-      deployment/keystone/keystone-container-puppet.yaml:
-        parameters:
-          - InternalTLSCAFile
       deployment/nova/nova-base-puppet.yaml:
         parameters:
           - RpcUseSSL
@@ -57,7 +54,6 @@ environments:
       - ServerMetadata
     sample_values:
       EnableInternalTLS: True
-      InternalTLSCAFile: /etc/ipa/ca.crt
       RpcUseSSL: True
       NotifyUseSSL: True
       ServerMetadata: |-2