Update SSL metadata
- Don't require encrypting CA private key
- Add parameter specifying CA private key name
- Add parameter specifying client cert all file name
- Remove unneeded certificate parameters for API config and metadata
Depends on: https://gerrit.mcp.mirantis.net/7678
Related PROD: PROD-11933
Change-Id: Ieba4f680bff3ad992ec5372d4296fc5bc997e8ba
diff --git a/README.rst b/README.rst
index ab07147..9c19a3f 100644
--- a/README.rst
+++ b/README.rst
@@ -52,9 +52,6 @@
user: openstack
password: password
virtual_host: '/openstack'
- haproxy_amphora:
- client_cert: '/etc/octavia/certs/client.pem'
- server_ca: '/etc/octavia/certs/ca_01.pem'
Octavia manager service pillar:
@@ -88,7 +85,6 @@
password: password
virtual_host: '/openstack'
certificates:
- ca_private_key_passphrase: foobar
ca_private_key: '/etc/octavia/certs/private/cakey.pem'
ca_certificate: '/etc/octavia/certs/ca_01.pem'
controller_worker:
@@ -98,6 +94,8 @@
loadbalancer_topology: 'SINGLE'
haproxy_amphora:
client_cert: '/etc/octavia/certs/client.pem'
+ client_cert_key: '/etc/octavia/certs/client.key'
+ client_cert_all: '/etc/octavia/certs/client_all.pem'
server_ca: '/etc/octavia/certs/ca_01.pem'
health_manager:
bind_ip: 192.168.0.12
diff --git a/metadata/service/api/cluster.yml b/metadata/service/api/cluster.yml
index a7d55fd..e86c56b 100644
--- a/metadata/service/api/cluster.yml
+++ b/metadata/service/api/cluster.yml
@@ -38,6 +38,3 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
- haproxy_amphora:
- client_cert: '/etc/octavia/certs/client.pem'
- server_ca: '/etc/octavia/certs/ca_01.pem'
diff --git a/metadata/service/api/single.yml b/metadata/service/api/single.yml
index 532ec9b..dabaa6b 100644
--- a/metadata/service/api/single.yml
+++ b/metadata/service/api/single.yml
@@ -36,6 +36,3 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
- haproxy_amphora:
- client_cert: '/etc/octavia/certs/client.pem'
- server_ca: '/etc/octavia/certs/ca_01.pem'
diff --git a/metadata/service/manager/single.yml b/metadata/service/manager/single.yml
index 13cdddf..3303e08 100644
--- a/metadata/service/manager/single.yml
+++ b/metadata/service/manager/single.yml
@@ -34,7 +34,6 @@
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
certificates:
- ca_private_key_passphrase: foobar
ca_private_key: '/etc/octavia/certs/private/cakey.pem'
ca_certificate: '/etc/octavia/certs/ca_01.pem'
controller_worker:
@@ -44,6 +43,8 @@
loadbalancer_topology: 'SINGLE'
haproxy_amphora:
client_cert: '/etc/octavia/certs/client.pem'
+ client_cert_key: '/etc/octavia/certs/client.key'
+ client_cert_all: '/etc/octavia/certs/client_all.pem'
server_ca: '/etc/octavia/certs/ca_01.pem'
health_manager:
bind_ip: ${_param:octavia_hm_bind_ip}
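Review bot: `client_cert_key` is introduced here but nothing in this change reads it — the rendered manager template only consumes `client_cert_all` — so its purpose should be stated in the metadata, presumably it is consumed by the certificate-generation state in the dependent change, which is not visible here. Since `client_all.pem` is by name a bundle that includes the client private key, consider keeping it under the same `private/` directory already used for `cakey.pem`, e.g. `client_cert_all: '/etc/octavia/certs/private/client_all.pem'`, so the directory-level protection of the CA key covers it as well. Whichever path is chosen, the state that writes the bundle should create it owner-readable only (mode 0600, owned by the octavia service user); that is not enforced anywhere in this diff.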
diff --git a/octavia/files/ocata/octavia_api.conf b/octavia/files/ocata/octavia_api.conf
index d82d4f7..38bed3c 100644
--- a/octavia/files/ocata/octavia_api.conf
+++ b/octavia/files/ocata/octavia_api.conf
@@ -813,11 +813,9 @@
# The client certificate to talk to the agent (string value)
#client_cert = /etc/octavia/certs/client.pem
-client_cert = {{ api.haproxy_amphora.client_cert }}
# The ca which signed the server certificates (string value)
#server_ca = /etc/octavia/certs/server_ca.pem
-server_ca = {{ api.haproxy_amphora.server_ca }}
# DEPRECATED: If False, use sysvinit. (boolean value)
# This option is deprecated for removal.
diff --git a/octavia/files/ocata/octavia_manager.conf b/octavia/files/ocata/octavia_manager.conf
index 85766ae..1d563e6 100644
--- a/octavia/files/ocata/octavia_manager.conf
+++ b/octavia/files/ocata/octavia_manager.conf
@@ -433,7 +433,6 @@
# Passphrase for the Private Key. Defaults
# to env[OS_OCTAVIA_CA_KEY_PASS] or None.
# ca_private_key_passphrase =
-ca_private_key_passphrase = {{ manager.certificates.ca_private_key_passphrase }}
# Certificate signing digest. Defaults
# to env[OS_OCTAVIA_CA_SIGNING_DIGEST] or "sha256".
@@ -840,7 +839,7 @@
# The client certificate to talk to the agent (string value)
#client_cert = /etc/octavia/certs/client.pem
-client_cert = {{ manager.haproxy_amphora.client_cert }}
+client_cert = {{ manager.haproxy_amphora.client_cert_all }}
# The ca which signed the server certificates (string value)
#server_ca = /etc/octavia/certs/server_ca.pem
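Review bot: `client_cert` now points at `client_cert_all`, so the file the controller worker loads carries the amphora client private key alongside the certificate, and a wrong mode on that single file exposes the key that authenticates the control plane to every amphora; the template should say so in a comment above this line, e.g. `# client_cert_all bundles the client certificate and its private key; keep it 0600`. The earlier hunk in this file drops `ca_private_key_passphrase` unconditionally, which means an operator who does keep the CA key encrypted can no longer supply the passphrase via the pillar; rendering it conditionally keeps both deployments working: `{%- if manager.certificates.ca_private_key_passphrase is defined %}` / `ca_private_key_passphrase = {{ manager.certificates.ca_private_key_passphrase }}` / `{%- endif %}`. If an unencrypted CA key is the intended default, the README should state that the key is then protected by filesystem permissions on `/etc/octavia/certs/private` alone.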
diff --git a/tests/pillar/api_cluster.sls b/tests/pillar/api_cluster.sls
index 645b0be..4322f07 100644
--- a/tests/pillar/api_cluster.sls
+++ b/tests/pillar/api_cluster.sls
@@ -31,6 +31,3 @@
- host: 127.0.0.1
- host: 127.0.1.1
- host: 127.0.2.1
- haproxy_amphora:
- client_cert: '/etc/octavia/certs/client.pem'
- server_ca: '/etc/octavia/certs/ca_01.pem'
diff --git a/tests/pillar/api_single.sls b/tests/pillar/api_single.sls
index 29ab5f7..4f9411c 100644
--- a/tests/pillar/api_single.sls
+++ b/tests/pillar/api_single.sls
@@ -27,6 +27,3 @@
user: openstack
password: password
virtual_host: '/openstack'
- haproxy_amphora:
- client_cert: '/etc/octavia/certs/client.pem'
- server_ca: '/etc/octavia/certs/ca_01.pem'
diff --git a/tests/pillar/manager_single.sls b/tests/pillar/manager_single.sls
index 4ded26b..2087332 100644
--- a/tests/pillar/manager_single.sls
+++ b/tests/pillar/manager_single.sls
@@ -25,7 +25,6 @@
password: password
virtual_host: '/openstack'
certificates:
- ca_private_key_passphrase: foobar
ca_private_key: '/etc/octavia/certs/private/cakey.pem'
ca_certificate: '/etc/octavia/certs/ca_01.pem'
controller_worker:
@@ -35,6 +34,8 @@
loadbalancer_topology: 'SINGLE'
haproxy_amphora:
client_cert: '/etc/octavia/certs/client.pem'
+ client_cert_key: '/etc/octavia/certs/client.key'
+ client_cert_all: '/etc/octavia/certs/client_all.pem'
server_ca: '/etc/octavia/certs/ca_01.pem'
health_manager:
bind_ip: 192.168.0.12