Browse code
Move certificate setup earlier in deployment
Currently the x509 certificate setup is done after all the
openstack services have been deployed. This is OK because
none of the services require that the x509 certs exist
when they are being deployed. With the integration of TLS
into the nova novnc proxy (and later spice & serial proxy)
service, x509 certs will need to exist before Nova is
deployed.
The CA setup must thus be moved earlier in the devstack
deployment flow, prior to the setup of any services. One
part of the CA setup, however, fixes up the global cert
bundle locations and this can only be done after the
python requests module is install, thus must remain in
its current location.
Change-Id: Idcd264fb73bb88dc2f4280c53c013dfe4364afff
Daniel P. Berrange authored on 2016/11/14 22:23:14Showing 3 changed files
| ... | ... |
@@ -809,6 +809,13 @@ if is_service_enabled cinder nova; then |
| 809 | 809 |
install_os_brick |
| 810 | 810 |
fi |
| 811 | 811 |
|
| 812 |
+# Setup TLS certs |
|
| 813 |
+if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
|
| 814 |
+ configure_CA |
|
| 815 |
+ init_CA |
|
| 816 |
+ init_cert |
|
| 817 |
+fi |
|
| 818 |
+ |
|
| 812 | 819 |
# Install middleware |
| 813 | 820 |
install_keystonemiddleware |
| 814 | 821 |
|
| ... | ... |
@@ -881,14 +888,9 @@ if is_service_enabled heat; then |
| 881 | 881 |
fi |
| 882 | 882 |
|
| 883 | 883 |
if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then |
| 884 |
- configure_CA |
|
| 885 |
- init_CA |
|
| 886 |
- init_cert |
|
| 887 |
- # Add name to ``/etc/hosts``. |
|
| 888 |
- # Don't be naive and add to existing line! |
|
| 884 |
+ fix_system_ca_bundle_path |
|
| 889 | 885 |
fi |
| 890 | 886 |
|
| 891 |
- |
|
| 892 | 887 |
# Extras Install |
| 893 | 888 |
# -------------- |
| 894 | 889 |
|