| ... | ... |
@@ -257,6 +257,14 @@ function make_cert {
|
| 257 | 257 |
local common_name=$3 |
| 258 | 258 |
local alt_names=$4 |
| 259 | 259 |
|
| 260 |
+ if [ "$common_name" != "$SERVICE_HOST" ]; then |
|
| 261 |
+ if [[ -z "$alt_names" ]]; then |
|
| 262 |
+ alt_names="DNS:$SERVICE_HOST" |
|
| 263 |
+ else |
|
| 264 |
+ alt_names="$alt_names,DNS:$SERVICE_HOST" |
|
| 265 |
+ fi |
|
| 266 |
+ fi |
|
| 267 |
+ |
|
| 260 | 268 |
# Only generate the certificate if it doesn't exist yet on the disk |
| 261 | 269 |
if [ ! -r "$ca_dir/$cert_name.crt" ]; then |
| 262 | 270 |
# Generate a signing request |
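Review bot: The added block always emits the extra name as `DNS:$SERVICE_HOST`, which will not verify if SERVICE_HOST holds an IP address literal, because TLS clients match addresses only against iPAddress SAN entries, not dNSName ones. The value of SERVICE_HOST is not visible in this hunk, so this is conditional; if it can be an address, the prefix should be chosen accordingly, for example `alt_names="$alt_names,IP:$SERVICE_HOST"` in that case. Every certificate issued through make_cert for a different common name also becomes valid for the service host, so a comment above the block such as `# Every cert must also be valid for SERVICE_HOST, which is where clients connect` would record that this widening is intended. The new lines mix `[ ... ]` and `[[ ... ]]`; using one form would read better. make_cert's body starts and ends outside the hunk.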
| ... | ... |
@@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then |
| 1004 | 1004 |
bootstrap_keystone |
| 1005 | 1005 |
fi |
| 1006 | 1006 |
|
| 1007 |
- if is_service_enabled tls-proxy; then |
|
| 1008 |
- export OS_CACERT=$INT_CA_DIR/ca-chain.pem |
|
| 1009 |
- fi |
|
| 1010 |
- |
|
| 1011 | 1007 |
# Rather than just export these, we write them out to a |
| 1012 | 1008 |
# intermediate userrc file that can also be used to debug if |
| 1013 | 1009 |
# something goes wrong between here and running |
| ... | ... |
@@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME |
| 1028 | 1028 |
|
| 1029 | 1029 |
EOF |
| 1030 | 1030 |
|
| 1031 |
+ if is_service_enabled tls-proxy; then |
|
| 1032 |
+ echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early |
|
| 1033 |
+ fi |
|
| 1034 |
+ |
|
| 1031 | 1035 |
source $TOP_DIR/userrc_early |
| 1032 | 1036 |
|
| 1033 | 1037 |
create_keystone_accounts |
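Review bot: The line appended to userrc_early writes `$INT_CA_DIR/ca-chain.pem` unquoted into a file that is sourced two lines later, and the redirect target `$TOP_DIR/userrc_early` is unquoted as well. A path containing whitespace or shell metacharacters would therefore be word-split at the redirect or interpreted when the file is read back. Quoting both sides avoids that: `echo "export OS_CACERT=\"$INT_CA_DIR/ca-chain.pem\"" >> "$TOP_DIR/userrc_early"`. The heredoc that writes the rest of the file starts outside this hunk, so whether its other exports are quoted cannot be checked from here.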