[SSL] Sync new options for apache and nginx Set the same options via apache[nginx]/files/_ssl.conf template for sites as they were set by apache[nginx]/files/_ssl_secure.conf (deprecated) earlier. By default the same set of ciphers was set in nginx and apache in _ssl_secure.conf Now the same list of ciphers is set through pillar. Change-Id: I64b6bfe0cbb23d204a50c6bde8d9de6ed6fac306 Related-Prod: https://mirantis.jira.com/browse/PROD-20921

commit: a75691c0d21cecda4c5469e168fd8d31f868f7d1 [log] [tgz]
author: Mykyta Karpin <mkarpin@mirantis.com> Tue Jul 31 09:49:49 2018 +0000
committer: Mykyta Karpin <mkarpin@mirantis.com> Thu Aug 02 11:12:31 2018 +0000
tree: e6fb931870c224d771b44ec6505a1fcc27f0dff9
parent: 7f0eeea879c863278c78bc400a5b5eb0c90e7db5 [diff] [blame]
diff --git a/classes/cluster/virtual-offline-ssl/openstack/control.yml b/classes/cluster/virtual-offline-ssl/openstack/control.yml
index c085eab..eb47619 100644
--- a/classes/cluster/virtual-offline-ssl/openstack/control.yml
+++ b/classes/cluster/virtual-offline-ssl/openstack/control.yml

@@ -51,6 +51,8 @@
 - system.haproxy.proxy.listen.openstack.placement
 - system.haproxy.proxy.listen.openstack.manila
 - system.manila.control.cluster
+- system.apache.server.ssl
+- system.nginx.server.proxy.ssl
 - cluster.virtual-offline-ssl.openstack.dns
 - cluster.virtual-offline-ssl
 parameters:
@@ -59,8 +61,11 @@
     salt_minion_ca_authority: salt_master_ca
     ### nginx ssl sites settings
     nginx_proxy_ssl:
-      enabled: true
-      engine: salt
+      authority: "${_param:salt_minion_ca_authority}"
+      key_file: "/etc/ssl/private/internal_proxy.key"
+      cert_file: "/etc/ssl/certs/internal_proxy.crt"
+      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
+    apache_ssl:
       authority: "${_param:salt_minion_ca_authority}"
       key_file: "/etc/ssl/private/internal_proxy.key"
       cert_file: "/etc/ssl/certs/internal_proxy.crt"
@@ -73,18 +78,13 @@
     nginx_proxy_openstack_heat_host: 127.0.0.1
     nginx_proxy_openstack_designate_host: 127.0.0.1
     apache_manila_api_address: ${_param:single_address}
-    apache_manila_ssl: ${_param:nginx_proxy_ssl}
     apache_keystone_api_host: ${_param:single_address}
-    apache_keystone_ssl: ${_param:nginx_proxy_ssl}
     apache_barbican_api_address: ${_param:cluster_local_address}
     apache_barbican_api_host: ${_param:single_address}
-    apache_barbican_ssl: ${_param:nginx_proxy_ssl}
     apache_nova_placement_api_address: ${_param:cluster_local_address}
-    apache_nova_placement_ssl: ${_param:nginx_proxy_ssl}
     barbican_dogtag_nss_password: workshop
     barbican_dogtag_host: ${_param:cluster_vip_address}
     apache_cinder_api_address: ${_param:cluster_local_address}
-    apache_cinder_ssl: ${_param:nginx_proxy_ssl}
     # dogtag listens on 8443 but there is no way to bind it to
     # Specific IP, as on this setup dogtag installed on ctl nodes
     # Change port on haproxy side to avoid binding conflict.
commit	a75691c0d21cecda4c5469e168fd8d31f868f7d1	[log] [tgz]
author	Mykyta Karpin <mkarpin@mirantis.com>	Tue Jul 31 09:49:49 2018 +0000
committer	Mykyta Karpin <mkarpin@mirantis.com>	Thu Aug 02 11:12:31 2018 +0000
tree	e6fb931870c224d771b44ec6505a1fcc27f0dff9
parent	7f0eeea879c863278c78bc400a5b5eb0c90e7db5 [diff] [blame]