diff options
author | Jenkins <jenkins@review.openstack.org> | 2016-10-21 12:05:31 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-10-21 12:05:31 +0000 |
commit | d3c0678dcd6468969cd2047e21f2095d23690008 (patch) | |
tree | 5ae8cad9e2255b8eafeea77f6e39049f0e9b9a6f /manifests | |
parent | 39bdd043be41f8aa98ebdf720ac6e5faebde7ac9 (diff) | |
parent | 76bf2f532f9541eaf9cd7242ad2bf520f6788033 (diff) |
Merge "Enable TLS in the internal network for keystone"
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/httpd.pp | 62 | ||||
-rw-r--r-- | manifests/haproxy.pp | 15 | ||||
-rw-r--r-- | manifests/profile/base/keystone.pp | 90 |
3 files changed, 156 insertions, 11 deletions
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp new file mode 100644 index 0000000..94b48b7 --- /dev/null +++ b/manifests/certmonger/httpd.pp @@ -0,0 +1,62 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::httpd +# +# Request a certificate for the httpd service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*principal*] +# The haproxy service principal that is set for HAProxy in kerberos. +# +define tripleo::certmonger::httpd ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::apache::params + + $postsave_cmd = "systemctl reload ${::apache::params::service_name}" + certmonger_certificate { $name : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |> +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index c4d018d..3ad10eb 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -106,6 +106,11 @@ # flag is set. # Defaults to {} # +# [*enable_internal_tls*] +# A flag that indicates if the servers in the internal network are using TLS. +# This enables the 'ssl' option for the server members that are proxied. +# Defaults to hiera('enable_internal_tls', false) +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -427,6 +432,7 @@ class tripleo::haproxy ( $service_certificate = undef, $use_internal_certificates = false, $internal_certificates_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -541,6 +547,13 @@ class tripleo::haproxy ( } $ports = merge($default_service_ports, $service_ports) + if $enable_internal_tls { + # TODO(jaosorior): change verify none to verify required. + $internal_tls_member_options = ['ssl', 'verify none'] + } else { + $internal_tls_member_options = [] + } + $controller_hosts_real = any2array(split($controller_hosts, ',')) if ! $controller_hosts_names { $controller_hosts_names_real = $controller_hosts_real @@ -680,6 +693,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -709,6 +723,7 @@ class tripleo::haproxy ( listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index fbccdda..a0e5538 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -18,18 +18,48 @@ # # === Parameters # +# [*admin_endpoint_network*] +# (Optional) The network name where the admin endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('keystone_admin_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) # -# [*step*] -# (Optional) The current step in deployment. See tripleo-heat-templates -# for more details. -# Defaults to hiera('step') +# [*public_endpoint_network*] +# (Optional) The network name where the admin endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('keystone_public_api_network', undef) +# # # [*rabbit_hosts*] # list of the rabbbit host IPs @@ -38,13 +68,23 @@ # [*rabbit_port*] # IP port for rabbitmq service # Defaults to hiera('keystone::rabbit_port', 5672) - +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# class tripleo::profile::base::keystone ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_db_purge = hiera('keystone_enable_db_purge', true), - $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), - $rabbit_port = hiera('keystone::rabbit_port', 5672), + $admin_endpoint_network = hiera('keystone_admin_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_db_purge = hiera('keystone_enable_db_purge', true), + $public_endpoint_network = hiera('keystone_public_api_network', undef), + $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_port = hiera('keystone::rabbit_port', 5672), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -58,6 +98,29 @@ class tripleo::profile::base::keystone ( $manage_domain = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$public_endpoint_network { + fail('keystone_public_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_key'] + + if !$admin_endpoint_network { + fail('keystone_admin_api_network is not set in the hieradata.') + } + $tls_certfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_certificate'] + $tls_keyfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + $tls_certfile_admin = undef + $tls_keyfile_admin = undef + } + if $step >= 4 or ( $step >= 3 and $sync_db ) { class { '::keystone': sync_db => $sync_db, @@ -66,7 +129,12 @@ class tripleo::profile::base::keystone ( } include ::keystone::config - include ::keystone::wsgi::apache + class { '::keystone::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + ssl_cert_admin => $tls_certfile_admin, + ssl_key_admin => $tls_keyfile_admin, + } include ::keystone::cors if $manage_roles { |