aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-09-27 07:15:53 +0000
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-10-19 17:39:07 +0300
commita173a030aa97ae17b457206cab3e657c28c04880 (patch)
tree75b1d59de2dcabd30cb6e18e97d43a0f7d3ad30f
parent76bf2f532f9541eaf9cd7242ad2bf520f6788033 (diff)
Enable TLS in the internal network for ceilometer
This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the ceilometer service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
-rw-r--r--manifests/haproxy.pp1
-rw-r--r--manifests/profile/base/ceilometer/api.pp55
2 files changed, 54 insertions, 2 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 3ad10eb..932b016 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -880,6 +880,7 @@ class tripleo::haproxy (
server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[ceilometer_api_ssl_port],
service_network => $ceilometer_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index da94da2..6ef4748 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -18,18 +18,69 @@
#
# === Parameters
#
+# [*ceilometer_network*]
+# (Optional) The network name where the ceilometer endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('ceilometer_api_network', undef)
+#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::ceilometer::api (
- $step = hiera('step'),
+ $ceilometer_network = hiera('ceilometer_api_network', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::ceilometer
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$ceilometer_network {
+ fail('ceilometer_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${ceilometer_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${ceilometer_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 {
include ::ceilometer::api
- include ::ceilometer::wsgi::apache
+ class { '::ceilometer::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
}
}