From 64084f25cd82d43598d6f6ed247ee59ae9ef059d Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Tue, 5 Sep 2017 14:51:25 -0700 Subject: [PATCH] Document infracloud ssl This change adds documentation for how we set up ssl for the infracloud regions. Change-Id: I96bcd1d10cd7e14230ba1f1dbcffb08bf75ba9dc --- doc/source/infra-cloud.rst | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/source/infra-cloud.rst b/doc/source/infra-cloud.rst index e45bca3ae6..dd0bf7c91a 100644 --- a/doc/source/infra-cloud.rst +++ b/doc/source/infra-cloud.rst @@ -196,6 +196,27 @@ there should be a second VLAN that is connected only to the NIC of the Ironic Cloud and is routed to the IPMI management network of all of the other nodes. Whether we use LinuxBridge or Open vSwitch is still TBD. +SSL +--- + +Since we are the single user of Infracloud we have configured Vanilla and +Chocolate controllers to use the snakeoil ssl certs for each controller. +This gives us simple to generate certs with long lifetimes which we can trust +directly by asserting trust against the public cert. + +If you need to update certs in one of the clouds simply run:: + + /usr/sbin/make-ssl-cert generate-default-snakeoil --force-overwrite + +on the controller in question. Then copy the contents of +``/etc/ssl/certs/ssl-cert-snakeoil.pem`` to public system-config hiera and +``/etc/ssl/private/ssl-cert-snakeoil.key`` to private hiera on the +puppetmaster. + +Puppet will then ensure we trust the public key everywhere that talks to the +controller (puppetmaster, nodepool, controller itself, compute nodes, etc) +and deploy the private key so that it is used by services. + Troubleshooting ===============
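Review bot: the rotation procedure in the new SSL section has an ordering gap that the text should call out: `make-ssl-cert generate-default-snakeoil --force-overwrite` replaces `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key` on the controller immediately, while the nodes listed as trusting it (puppetmaster, nodepool, compute nodes) only receive the new public cert after the hiera change lands and puppet runs, so anything that verifies against the old pinned cert fails in the interval. Suggest spelling out the sequence (regenerate, copy both files into hiera, let puppet deploy the cert and key everywhere, then restart the services that still hold the old key) and warning that the window exists. Two smaller points in the same hunk: "Puppet will then ensure we trust the public key" should say "public certificate", since that is what is copied from `ssl-cert-snakeoil.pem` and what the trust is asserted against; and since a snakeoil cert is issued for the host's name at generation time, the section should state that clients must reach each controller by that name for verification against the pinned cert to succeed. It would also help to say what ownership and permissions puppet applies to the deployed private key, as the hand-copy into private hiera is the only step the doc describes for it.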