Prepare for fqdn on internal endpoints in keystone catalog
* Adds hosts entries to each node to map
<openstack_control_address> to <openstack_service_hostname>.<domain>
* Adds appropriate DNS aliases to openstack API, barbican, novncproxy
certs
Change-Id: I8fbd0f03a7c60291c66c5fd686052d18d4edc426
Related-Prod: PROD-24975
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 96e8f5f..334fd43 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -5,6 +5,8 @@
# General
cluster_public_protocol: https
cluster_internal_protocol: http
+ openstack_service_hostname: os-ctl-vip
+ openstack_service_host: ${_param:openstack_service_hostname}.${linux:system:domain}
# SSL
ceilometer_agent_ssl_enabled: False
openstack_mysql_x509_enabled: False
diff --git a/linux/network/hosts.yml b/linux/network/hosts/init.yml
similarity index 100%
rename from linux/network/hosts.yml
rename to linux/network/hosts/init.yml
diff --git a/linux/network/hosts/openstack.yml b/linux/network/hosts/openstack.yml
new file mode 100644
index 0000000..1238d0a
--- /dev/null
+++ b/linux/network/hosts/openstack.yml
@@ -0,0 +1,9 @@
+parameters:
+ linux:
+ network:
+ host:
+ openstack_control_vip:
+ address: ${_param:openstack_control_address}
+ names:
+ - ${_param:openstack_service_hostname}
+ - ${_param:openstack_service_hos}
diff --git a/salt/minion/cert/barbican.yml b/salt/minion/cert/barbican.yml
index b53d07d..eb38c44 100644
--- a/salt/minion/cert/barbican.yml
+++ b/salt/minion/cert/barbican.yml
@@ -2,7 +2,7 @@
_param:
salt_minion_ca_host: kmn01.${_param:cluster_domain}
salt_minion_ca_authority: salt_master_ca
- barbican_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address}
+ barbican_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address},DNS:${_param:openstack_service_host}
salt:
minion:
cert:
diff --git a/salt/minion/cert/openstack_api.yml b/salt/minion/cert/openstack_api.yml
index 03e8974..3f6af63 100644
--- a/salt/minion/cert/openstack_api.yml
+++ b/salt/minion/cert/openstack_api.yml
@@ -2,7 +2,7 @@
_param:
salt_minion_ca_host: ${linux:network:fqdn}
salt_minion_ca_authority: salt_master_ca
- openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address}
+ openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address},DNS:${_param:openstack_service_host}
openstack_api_cert_key_file: "/etc/ssl/private/openstack_api.key"
openstack_api_cert_cert_file: "/etc/ssl/certs/openstack_api.crt"
openstack_api_cert_all_file: "/etc/ssl/certs/openstack_api_with_chain.crt"
diff --git a/salt/minion/cert/vnc/novncproxy_server.yml b/salt/minion/cert/vnc/novncproxy_server.yml
index 9c3dd96..a9f0062 100644
--- a/salt/minion/cert/vnc/novncproxy_server.yml
+++ b/salt/minion/cert/vnc/novncproxy_server.yml
@@ -20,6 +20,7 @@
DNS:${linux:system:name},
DNS:${_param:cluster_vip_address},
DNS:${linux:network:fqdn}
+ DNS:${_param:openstack_service_host}
key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
key_file: ${_param:novncproxy_server_ssl_key_file}
cert_file: ${_param:novncproxy_server_ssl_cert_file}