Trust system level CA certificates. (#7)
* Trust system level CA certificates.
Adds general ootb configuration for trusted CA.
* Load pillar over map.jinja
* Load pillar over map.jinja
diff --git a/keystone/files/keystonerc b/keystone/files/keystonerc
index e3cf64a..15634a2 100644
--- a/keystone/files/keystonerc
+++ b/keystone/files/keystonerc
@@ -1,4 +1,4 @@
-{%- set server = pillar.keystone.server %}
+{%- from "keystone/map.jinja" import server with context %}
export OS_USERNAME={{ server.admin_name }}
export OS_PASSWORD={{ server.admin_password }}
export OS_TENANT_NAME={{ server.admin_tenant }}
@@ -7,3 +7,4 @@
export OS_SERVICE_TOKEN={{ server.service_token }}
export OS_SERVICE_ENDPOINT="http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"
export OS_ENDPOINT_TYPE="internal"
+export OS_CACERT="{{ server.cacert }}"
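Review bot: The new `export OS_CACERT="{{ server.cacert }}"` has no effect as long as `OS_SERVICE_ENDPOINT` two lines above is still built with a hard-coded `http://` scheme, because the CA bundle is only consulted on TLS connections; the same applies to the `OS_CACERT` line added to keystonercv3, whose `OS_AUTH_URL` is also hard-coded to `http://`. If the intent is to make these rc files ready for TLS endpoints, a comment above the export such as `# CA bundle used to verify the identity endpoint once it is served over https` would make that explicit, and the scheme of the endpoint lines should probably come from the map as well. Also, if `server.cacert` is overridden to an empty value in pillar this renders `OS_CACERT=""`, which is set-but-empty rather than unset; whether the clients treat that as "no CA file" is worth confirming.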
diff --git a/keystone/files/keystonerc_user b/keystone/files/keystonerc_user
index 61f6e67..26b4581 100644
--- a/keystone/files/keystonerc_user
+++ b/keystone/files/keystonerc_user
@@ -11,3 +11,4 @@
export OS_SERVICE_ENDPOINT="http://{{ provider.host }}:{{ provider.port }}/{{ provider.get('version', 'v2.0') }}/"
{%- endif %}
export OS_AUTH_STRATEGY=keystone
+#export OS_CACERT=
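Review bot: The commented-out `#export OS_CACERT=` is a dead placeholder with no guidance, whereas keystonerc and keystonercv3 render a real value from the map, so a reader of the generated file cannot tell whether TLS verification is intended for provider endpoints. This template works from a `provider` mapping rather than `server`, so if no CA setting exists for providers the placeholder should at least say so, e.g. `# OS_CACERT is not managed for providers; export it manually when the endpoint uses https`. If a CA key is later added to the provider pillar, rendering it here the same way as the other rc files would remove the inconsistency. The `{%- if %}` block closed in this hunk begins outside it.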
diff --git a/keystone/files/keystonercv3 b/keystone/files/keystonercv3
index ccb0d39..4152b58 100644
--- a/keystone/files/keystonercv3
+++ b/keystone/files/keystonercv3
@@ -1,4 +1,4 @@
-{%- set server = pillar.keystone.server %}
+{%- from "keystone/map.jinja" import server with context %}
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
export OS_PROJECT_DOMAIN_NAME=default
@@ -9,3 +9,4 @@
export OS_PASSWORD={{ server.admin_password }}
export OS_REGION_NAME={{ server.region }}
export OS_INTERFACE=internal
+export OS_CACERT="{{ server.cacert }}"
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 16ed756..361bba9 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -11,7 +11,8 @@
'expiration': '86400'
},
'notification': False,
- 'roles': ['admin', 'Member']
+ 'roles': ['admin', 'Member'],
+ 'cacert': '/etc/ssl/certs/ca-certificates.crt'
},
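Review bot: The new `cacert` default points at the whole distribution CA bundle on both the Debian branch here and the RedHat branch in the next hunk, which means any CA in that bundle can vouch for the identity endpoint; for deployments with an internal PKI, a narrower per-deployment CA file set through pillar is the tighter choice. Since the map is merged with `pillar.keystone.get('server', {})` on the last line, the override path (`keystone:server:cacert`) already exists, so a short comment recording that intent would help operators: `{# Default CA bundle for clients; override keystone:server:cacert to pin a deployment CA #}`. The enclosing `{% set %}` of the map begins outside the hunk.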
'RedHat': {
'pkgs': ['openstack-keystone', 'openstack-utils', 'python-keystone', 'python-keystoneclient', 'python-pycadf'],
@@ -24,7 +25,8 @@
'expiration': '86400'
},
'notification': False,
- 'roles': ['admin', 'Member']
+ 'roles': ['admin', 'Member'],
+ 'cacert': '/etc/pki/tls/certs/ca-bundle.crt'
},
}, merge=pillar.keystone.get('server', {})) %}