author | Jenkins <jenkins@review.openstack.org> | 2017-04-05 19:53:07 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-04-05 19:53:07 +0000 |
commit | da8f651cd4ad54b12d6a208ce837df5d95605f91 (patch) | |
tree | fd9cfa9ed6fbe8b074c746c63571b4f68c1d68d6 /manifests | |
parent | ed9c09bb1efd2f73ee5ab1a85262071c1ca386b8 (diff) | |
parent | 52925ba9cf329a7f029ca7ed196071b29d69ac08 (diff) |
Merge "Add TLS in the internal network for Swift Proxy"
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/swift/proxy.pp | 69 |
2 files changed, 69 insertions, 1 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index e5d57e5..0b69245 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -1236,6 +1236,7 @@ class tripleo::haproxy ( listen_options => $swift_proxy_server_listen_options, public_ssl_port => $ports[swift_proxy_ssl_port], service_network => $swift_proxy_server_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 0d9ba68..3c1734b 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -46,6 +46,22 @@ # Username for messaging nova queue # Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*memcache_port*] # (Optional) memcache port # Defaults to 11211 
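Review bot: The new `[*certificates_specs*]` entry documents the wrong hiera key: it says `Defaults to hiera('apache_certificate_specs', {})` while the parameter added in the later hunk reads `hiera('apache_certificates_specs', {})`, so an operator following the doc would set a key the code never reads. The line should be `#   Defaults to hiera('apache_certificates_specs', {})`. Since the code looks the spec up as `httpd-${swift_proxy_network}`, it would also help to say the `httpd-internal_api` key in the example is illustrative and must match the swift proxy network name.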
@@ -59,6 +75,26 @@
 # for more details.
 # Defaults to hiera('step')
 #
+# [*swift_proxy_network*]
+# (Optional) The network name where the swift proxy endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('swift_proxy_network', undef)
+#
+# [*tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to hiera('swift::proxy::proxy_local_net_ip')
+#
+# [*tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 8080
+#
 class tripleo::profile::base::swift::proxy (
 $ceilometer_enabled = true,
 $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'),
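Review bot: The `[*tls_proxy_bind_ip*]` doc states `Defaults to hiera('swift::proxy::proxy_local_net_ip')`, but the signature in the next hunk adds a `'127.0.0.1'` fallback, so the doc should read `#   Defaults to hiera('swift::proxy::proxy_local_net_ip', '127.0.0.1')` (or the fallback should be dropped, as the FIXME there suggests). The `[*tls_proxy_fqdn*]` sentence `required only used if enable_internal_tls is set` is garbled; `#   Only used if enable_internal_tls is set.` matches the neighbouring entries. Both entries should also note that the TLS proxy is what the internal endpoint will reach, so the bind IP must be the address registered for the swift proxy network.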
@@ -67,14 +103,45 @@ class tripleo::profile::base::swift::proxy (
 $ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'),
 $ceilometer_messaging_use_ssl = '0',
 $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
 $memcache_port = 11211,
 $memcache_servers = hiera('memcached_node_ips'),
 $step = hiera('step'),
+ $swift_proxy_network = hiera('swift_proxy_network', undef),
+ # FIXME(jaosorior): This will be undef when we pass this to t-h-t
+ $tls_proxy_bind_ip = hiera('swift::proxy::proxy_local_net_ip', '127.0.0.1'),
+ $tls_proxy_fqdn = undef,
+ $tls_proxy_port = 8080,
 ) {
 if $step >= 4 {
+ if $enable_internal_tls {
+ if !$swift_proxy_network {
+ fail('swift_proxy_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key']
+
+ ::tripleo::tls_proxy { 'swift-proxy-api':
+ # FIXME(jaosorior): This will be cleaned up in a subsequent commit.
+ servername => hiera("fqdn_${swift_proxy_network}", $tls_proxy_fqdn),
+ ip => $tls_proxy_bind_ip,
+ port => $tls_proxy_port,
+ tls_cert => $tls_certfile,
+ tls_key => $tls_keyfile,
+ notify => Class['::neutron::server'],
+ }
+ # FIXME(jaosorior): This will be cleaned up when we pass it via t-h-t
+ $proxy_bind_ip = 'localhost'
+ } else {
+ # FIXME(jaosorior): This will be cleaned up when we pass it via t-h-t
+ $proxy_bind_ip = $tls_proxy_bind_ip
+ }
 $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
 include ::swift::config
- include ::swift::proxy
+ class { '::swift::proxy' :
+ proxy_local_net_ip => $proxy_bind_ip,
+ }
 include ::swift::proxy::proxy_logging
 include ::swift::proxy::healthcheck
 class { '::swift::proxy::cache': |
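Review bot: The `::tripleo::tls_proxy { 'swift-proxy-api': ... }` resource notifies `Class['::neutron::server']`, which presumably is a copy-paste from the neutron profile: it ties the swift TLS proxy to a class this profile never declares, so the catalog fails to compile on a node without neutron server, and a certificate rotation never reaches swift; it should be `notify => Class['::swift::proxy'],` (the class declared a few lines below), or the line dropped if no restart is needed. The `$certificates_specs["httpd-${swift_proxy_network}"]['service_certificate']` lookup also assumes the spec exists; when it is missing the error is an obscure index-on-undef failure rather than a clear message, so a guard mirroring the `fail('swift_proxy_network is not set in the hieradata.')` check, e.g. `if !has_key($certificates_specs, "httpd-${swift_proxy_network}") { fail("No certificate spec for httpd-${swift_proxy_network}") }`, would make the TLS misconfiguration visible at deploy time. The class body continues past the end of this hunk.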