authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-04-05 10:43:33 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-04-08 10:35:03 +0000
commit0d24384b6e6944e314dcf1e522784c3396d024b6 (patch)
tree78a4056b9d08fa3072a4cd9d217eb0ec7e898704 /manifests
parentf3bb9638788d51fe72684cfabdba142a66acc0af (diff)
Remove individual service certificates
They are not being used and add extra logic and unnecessary clutter to the code. So this CR removes them in favor of just configuring TLS with the service_certificate. The only individual cert left was the one for haproxy stats. Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
Diffstat (limited to 'manifests')
-rw-r--r--manifests/loadbalancer.pp237
1 files changed, 36 insertions, 201 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 4393173..e76ae9b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -117,7 +117,6 @@
# [*service_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the public API endpoints using the specified file.
-# Any service-specific certificates take precedence over this one.
# Defaults to undef
#
# [*ssl_cipher_suite*]
@@ -130,80 +129,6 @@
# String that sets the default ssl options to force on all "bind" lines.
# Defaults to 'no-sslv3'
#
-# [*keystone_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Keystone public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*neutron_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Neutron public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*cinder_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Cinder public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*manila_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Manila public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*glance_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Glance public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*nova_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Nova public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*ceilometer_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Ceilometer public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*aodh_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Aodh public API endpoint using the specified file.
-#
-# [*sahara_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Sahara public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*trove_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Trove public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*gnocchi_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Gnocchi public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*swift_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Swift public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*heat_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Heat public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*horizon_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Horizon public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*ironic_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Ironic public API endpoint using the specified file.
-# Defaults to undef
-#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -391,21 +316,6 @@ class tripleo::loadbalancer (
$service_certificate = undef,
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
- $keystone_certificate = undef,
- $neutron_certificate = undef,
- $cinder_certificate = undef,
- $sahara_certificate = undef,
- $trove_certificate = undef,
- $manila_certificate = undef,
- $glance_certificate = undef,
- $nova_certificate = undef,
- $ceilometer_certificate = undef,
- $aodh_certificate = undef,
- $gnocchi_certificate = undef,
- $swift_certificate = undef,
- $heat_certificate = undef,
- $horizon_certificate = undef,
- $ironic_certificate = undef,
$haproxy_stats_certificate = undef,
$keystone_admin = false,
$keystone_public = false,
@@ -577,81 +487,6 @@ class tripleo::loadbalancer (
}
- if $keystone_certificate {
- $keystone_bind_certificate = $keystone_certificate
- } else {
- $keystone_bind_certificate = $service_certificate
- }
- if $neutron_certificate {
- $neutron_bind_certificate = $neutron_certificate
- } else {
- $neutron_bind_certificate = $service_certificate
- }
- if $cinder_certificate {
- $cinder_bind_certificate = $cinder_certificate
- } else {
- $cinder_bind_certificate = $service_certificate
- }
- if $sahara_certificate {
- $sahara_bind_certificate = $sahara_certificate
- } else {
- $sahara_bind_certificate = $service_certificate
- }
- if $trove_certificate {
- $trove_bind_certificate = $trove_certificate
- } else {
- $trove_bind_certificate = $trove_certificate
- }
- if $manila_certificate {
- $manila_bind_certificate = $manila_certificate
- } else {
- $manila_bind_certificate = $service_certificate
- }
- if $glance_certificate {
- $glance_bind_certificate = $glance_certificate
- } else {
- $glance_bind_certificate = $service_certificate
- }
- if $nova_certificate {
- $nova_bind_certificate = $nova_certificate
- } else {
- $nova_bind_certificate = $service_certificate
- }
- if $ceilometer_certificate {
- $ceilometer_bind_certificate = $ceilometer_certificate
- } else {
- $ceilometer_bind_certificate = $service_certificate
- }
- if $aodh_certificate {
- $aodh_bind_certificate = $aodh_certificate
- } else {
- $aodh_bind_certificate = $service_certificate
- }
- if $gnocchi_certificate {
- $gnocchi_bind_certificate = $gnocchi_certificate
- } else {
- $gnocchi_bind_certificate = $service_certificate
- }
- if $swift_certificate {
- $swift_bind_certificate = $swift_certificate
- } else {
- $swift_bind_certificate = $service_certificate
- }
- if $heat_certificate {
- $heat_bind_certificate = $heat_certificate
- } else {
- $heat_bind_certificate = $service_certificate
- }
- if $horizon_certificate {
- $horizon_bind_certificate = $horizon_certificate
- } else {
- $horizon_bind_certificate = $service_certificate
- }
- if $ironic_certificate {
- $ironic_bind_certificate = $ironic_certificate
- } else {
- $ironic_bind_certificate = $service_certificate
- }
# TODO(bnemec): When we have support for SSL on private and admin endpoints,
# have the haproxy stats endpoint use that certificate by default.
if $haproxy_stats_certificate {
@@ -660,14 +495,14 @@ class tripleo::loadbalancer (
$keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
$keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
- if $keystone_bind_certificate {
+ if $service_certificate {
$keystone_public_bind_opts = {
"${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]),
+ "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$keystone_admin_bind_opts = {
"${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]),
+ "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$keystone_public_bind_opts = {
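Review bot: The `if $service_certificate` branch also binds the keystone admin API SSL port on `$public_virtual_ip` with the shared certificate (the `$keystone_admin_bind_opts` entry a few lines down), while the [*service_certificate*] documentation in the first hunk only says it "enables SSL on the public API endpoints". Binding the admin API with TLS on the public VIP predates this change, but now that every service keys off the same parameter the doc should say exactly which listeners it enables, so an operator knows the admin SSL port is among them; suggest appending `# This also applies to the Keystone admin API SSL port bound on the public VIP.` to that parameter's doc block. The enclosing `tripleo::loadbalancer` class and the `else` branch continue outside the hunk.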
@@ -681,10 +516,10 @@ class tripleo::loadbalancer (
}
$neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip)
- if $neutron_bind_certificate {
+ if $service_certificate {
$neutron_bind_opts = {
"${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $neutron_bind_certificate]),
+ "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$neutron_bind_opts = {
@@ -694,10 +529,10 @@ class tripleo::loadbalancer (
}
$cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip)
- if $cinder_bind_certificate {
+ if $service_certificate {
$cinder_bind_opts = {
"${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $cinder_bind_certificate]),
+ "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$cinder_bind_opts = {
@@ -707,10 +542,10 @@ class tripleo::loadbalancer (
}
$manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip)
- if $manila_bind_certificate {
+ if $service_certificate {
$manila_bind_opts = {
"${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $manila_bind_certificate]),
+ "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$manila_bind_opts = {
@@ -720,10 +555,10 @@ class tripleo::loadbalancer (
}
$glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip)
- if $glance_bind_certificate {
+ if $service_certificate {
$glance_bind_opts = {
"${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $glance_bind_certificate]),
+ "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$glance_bind_opts = {
@@ -738,10 +573,10 @@ class tripleo::loadbalancer (
}
$sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip)
- if $sahara_bind_certificate {
+ if $service_certificate {
$sahara_bind_opts = {
"${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $sahara_bind_certificate]),
+ "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$sahara_bind_opts = {
@@ -751,10 +586,10 @@ class tripleo::loadbalancer (
}
$trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip)
- if $trove_bind_certificate {
+ if $service_certificate {
$trove_bind_opts = {
"${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $trove_bind_certificate]),
+ "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$trove_bind_opts = {
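Review bot: The context line `$trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip)` looks up a hiera key whose name literally starts with a dollar sign (single-quoted, so no interpolation happens), which presumably never exists and makes the trove VIP always fall back to `$controller_virtual_ip`; every other service in this file uses the bare key, e.g. `hiera('sahara_api_vip', ...)`. The commit touches the two lines right after it, so the fix fits here: `$trove_api_vip = hiera('trove_api_vip', $controller_virtual_ip)`. Worth confirming that no deployment relies on the current fallback before changing the listener address. The surrounding `if`/`else` continues outside the hunk.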
@@ -764,18 +599,18 @@ class tripleo::loadbalancer (
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $nova_bind_certificate {
+ if $service_certificate {
$nova_osapi_bind_opts = {
"${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
+ "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$nova_ec2_bind_opts = {
"${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
+ "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$nova_novnc_bind_opts = {
"${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
+ "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$nova_osapi_bind_opts = {
@@ -798,10 +633,10 @@ class tripleo::loadbalancer (
}
$ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip)
- if $ceilometer_bind_certificate {
+ if $service_certificate {
$ceilometer_bind_opts = {
"${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ceilometer_bind_certificate]),
+ "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$ceilometer_bind_opts = {
@@ -811,10 +646,10 @@ class tripleo::loadbalancer (
}
$aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip)
- if $aodh_bind_certificate {
+ if $service_certificate {
$aodh_bind_opts = {
"${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $aodh_bind_certificate]),
+ "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$aodh_bind_opts = {
@@ -824,10 +659,10 @@ class tripleo::loadbalancer (
}
$gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip)
- if $gnocchi_bind_certificate {
+ if $service_certificate {
$gnocchi_bind_opts = {
"${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => [],
- "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => ['ssl', 'crt', $gnocchi_bind_certificate],
+ "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => ['ssl', 'crt', $service_certificate],
}
} else {
$gnocchi_bind_opts = {
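Review bot: The gnocchi listener is the only one in this file whose bind options do not include `$haproxy_listen_bind_param`: the plain port maps to `[]` and the SSL port to a bare `['ssl', 'crt', $service_certificate]`, whereas every other service uses `$haproxy_listen_bind_param` and `union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate])`. Unless gnocchi deliberately omits those bind parameters (nothing in the hunk says so), the two lines should read `"${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,` and `"${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),`; if it is intentional, a one-line comment stating why would stop the next reviewer from flagging it. The `else` branch continues outside the hunk.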
@@ -837,10 +672,10 @@ class tripleo::loadbalancer (
}
$swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip)
- if $swift_bind_certificate {
+ if $service_certificate {
$swift_bind_opts = {
"${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $swift_bind_certificate]),
+ "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$swift_bind_opts = {
@@ -854,10 +689,10 @@ class tripleo::loadbalancer (
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
- if $heat_bind_certificate {
+ if $service_certificate {
$heat_bind_opts = {
"${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
+ "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
@@ -865,11 +700,11 @@ class tripleo::loadbalancer (
$heat_options = merge($heat_base_options, $heat_ssl_options)
$heat_cw_bind_opts = {
"${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
+ "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$heat_cfn_bind_opts = {
"${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
+ "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$heat_bind_opts = {
@@ -888,7 +723,7 @@ class tripleo::loadbalancer (
}
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
- if $horizon_bind_certificate {
+ if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
# same, the first option takes precedence. Which is the case when network
# isolation is not enabled. This is not a problem as both options are
@@ -899,9 +734,9 @@ class tripleo::loadbalancer (
# redirect to https in the horizon_options below.
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
@@ -920,10 +755,10 @@ class tripleo::loadbalancer (
}
$ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip)
- if $ironic_bind_certificate {
+ if $service_certificate {
$ironic_bind_opts = {
"${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ironic_bind_certificate]),
+ "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$ironic_bind_opts = {