-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | manifests/certmonger/haproxy.pp | 5 | ||||
-rw-r--r-- | manifests/certmonger/haproxy_dirs.pp | 55 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/docker.pp | 4 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 20 | ||||
-rw-r--r-- | releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml | 6 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_docker_spec.rb | 2 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_swift_proxy_spec.rb | 4 | ||||
-rw-r--r-- | test-requirements.txt | 2 |
10 files changed, 95 insertions, 10 deletions
@@ -1,7 +1,7 @@ Team and repository tags ======================== -[![Team and repository tags](http://governance.openstack.org/badges/puppet-tripleo.svg)](http://governance.openstack.org/reference/tags/index.html) +[![Team and repository tags](https://governance.openstack.org/tc/badges/puppet-tripleo.svg)](https://governance.openstack.org/tc/reference/tags/index.html) <!-- Change things from this point on --> @@ -15,5 +15,5 @@ Lightweight composition layer for Puppet TripleO. * Source: http://git.openstack.org/cgit/openstack/puppet-tripleo * Bugs: http://bugs.launchpad.net/tripleo (tag: puppet) * Documentation: - * TripleO: http://docs.openstack.org/developer/tripleo-docs/index.html - * Testing with puppet: https://docs.openstack.org/developer/puppet-openstack-guide/testing.html + * TripleO: https://docs.openstack.org/tripleo-docs/latest/ + * Testing with puppet: https://docs.openstack.org/developer/puppet-openstack-guide/contributor/testing.html diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index a5d1bf8..3def337 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -84,6 +84,7 @@ define tripleo::certmonger::haproxy ( postsave_cmd => $postsave_cmd, principal => $principal, wait => true, + tag => 'haproxy-cert', require => Class['::certmonger'], } concat { $service_pem : @@ -91,12 +92,14 @@ define tripleo::certmonger::haproxy ( mode => '0640', owner => 'haproxy', group => 'haproxy', + tag => 'haproxy-cert', require => Package[$::haproxy::params::package_name], } concat::fragment { "${title}-cert-fragment": target => $service_pem, source => $service_certificate, order => '01', + tag => 'haproxy-cert', require => Certmonger_certificate["${title}-cert"], } @@ -106,6 +109,7 @@ define tripleo::certmonger::haproxy ( target => $service_pem, source => $ca_pem, order => '10', + tag => 'haproxy-cert', require => Class['tripleo::certmonger::ca::local'], } } 
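Review bot: The tag literal `'haproxy-cert'` added to the certmonger_certificate resource in the @@ -84 hunk (and repeated in the @@ -91 and @@ -106 hunks here and the @@ -114 hunk on the next line) is the only thing the collector in tripleo::certmonger::haproxy_dirs matches on, and a collector whose tag drifts simply matches nothing, so the directory-before-request ordering would be lost without any catalog error. A comment on the certmonger_certificate resource would make that contract visible: `# Tag consumed by tripleo::certmonger::haproxy_dirs to order the directory resources before this request.` As far as this change shows, only Certmonger_certificate resources are collected by the tag, so the same tag on the concat and concat::fragment resources appears unused; if nothing else collects them, dropping those suggests no ordering that is not actually enforced. The enclosing define starts before the first hunk.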
@@ -114,6 +118,7 @@ define tripleo::certmonger::haproxy (
 target => $service_pem,
 source => $service_key,
 order => 20,
+ tag => 'haproxy-cert',
 require => Certmonger_certificate["${title}-cert"],
 }
 }
diff --git a/manifests/certmonger/haproxy_dirs.pp b/manifests/certmonger/haproxy_dirs.pp
new file mode 100644
index 0000000..86058c3
--- /dev/null
+++ b/manifests/certmonger/haproxy_dirs.pp
@@ -0,0 +1,55 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the haproxy License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.haproxy.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# : = Class: tripleo::certmonger::haproxy_dirs
+#
+# Creates the necessary directories for haproxy's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+# (Optional) Directory where haproxy's certificates will be stored. If left
+# unspecified, it won't be created.
+# Defaults to undef
+#
+# [*key_dir*]
+# (Optional) Directory where haproxy's keys will be stored.
+# Defaults to undef
+#
+class tripleo::certmonger::haproxy_dirs(
+ $certificate_dir = undef,
+ $key_dir = undef,
+){
+
+ if $certificate_dir {
+ file { $certificate_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
+ }
+
+ if $key_dir {
+ file { $key_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
+ }
+}
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 7a6559e..231a1d0 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
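Review bot: Both `file` resources set an SELinux context but no `owner`, `group` or `mode`, so `$key_dir` — which the class doc says holds haproxy's keys — is created with whatever Puppet's defaults and the agent's umask yield rather than a deliberately restrictive mode; an explicit `mode => '0700',` on the key directory (with the owner the process writing `$service_key` runs as — confirm against the certmonger hook) would keep the raw key out of reach of other local users regardless of umask, since the 0640 on the assembled PEM in haproxy.pp does not cover the key file itself. The license header reads `Licensed under the haproxy License` with a `http://www.haproxy.org/licenses/LICENSE-2.0` URL, which looks like a search-and-replace over the Apache boilerplate and should be restored before merge. `# : = Class:` in the doc header is presumably meant to be `# == Class:`. The `~>` edges notify every collected certificate request whenever the directory resource changes, for example on an SELinux relabel; if only ordering is intended, `->` avoids triggering a refresh of the request.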
@@ -98,6 +98,7 @@ class tripleo::profile::base::certmonger_user ( ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs) } unless empty($haproxy_certificates_specs) { + include ::tripleo::certmonger::haproxy_dirs ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs) # The haproxy fronends (or listen resources) depend on the certificate # existing and need to be refreshed if it changed. diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp index 5f6d97c..d230366 100644 --- a/manifests/profile/base/docker.pp +++ b/manifests/profile/base/docker.pp @@ -32,7 +32,7 @@ # OPTIONS that are used to startup the docker service. NOTE: # --selinux-enabled is dropped due to recommendations here: # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html -# Defaults to '--log-driver=journald --signature-verification=false' +# Defaults to '--log-driver=journald --signature-verification=false --iptables=false' # # [*configure_storage*] # Boolean. Whether to configure a docker storage backend. Defaults to true. @@ -57,7 +57,7 @@ class tripleo::profile::base::docker ( $insecure_registry_address = undef, $registry_mirror = false, - $docker_options = '--log-driver=journald --signature-verification=false', + $docker_options = '--log-driver=journald --signature-verification=false --iptables=false', $configure_storage = true, $storage_options = '-s overlay2', $step = Integer(hiera('step')), diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp index d468110..de7e069 100644 --- a/manifests/profile/base/pacemaker.pp +++ b/manifests/profile/base/pacemaker.pp 
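Review bot: `include ::tripleo::certmonger::haproxy_dirs` pulls in a class whose two parameters default to `undef`, so with a plain `include` the directories are only created when values reach those parameters from outside — presumably hiera automatic parameter lookup on `tripleo::certmonger::haproxy_dirs::certificate_dir` and `::key_dir` — and nothing in certmonger_user.pp says so. A one-line comment above the include would save the next reader the hunt: `# haproxy_dirs only acts when its certificate_dir/key_dir parameters are supplied via data binding.` The enclosing class starts before the hunk.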
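Review bot: `--iptables=false` is added to the `$docker_options` default in the @@ -57 hunk without any rationale, while the doc block in the @@ -32 hunk only repeats the new default string even though that same block already explains why `--selinux-enabled` was dropped. With this flag docker stops managing the NAT/forwarding rules for published container ports, so reachability of those ports now depends on host firewall configuration managed elsewhere; that is a deployment-wide behaviour change worth recording next to the existing NOTE, e.g. `# --iptables=false: docker does not install NAT/forwarding rules for published ports; the host firewall configuration is responsible for exposing them.`, adjusted to state the reason this deployment relies on (the hunk does not say). The class declaration continues outside both hunks.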
@@ -63,6 +63,10 @@ # be set to 60s. # Defaults to hiera('pacemaker_cluster_recheck_interval', undef) # +# [*encryption*] +# (Optional) Whether or not to enable encryption of the pacemaker traffic +# Defaults to true +# class tripleo::profile::base::pacemaker ( $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), @@ -74,6 +78,7 @@ class tripleo::profile::base::pacemaker ( $remote_tries = hiera('pacemaker_remote_tries', 5), $remote_try_sleep = hiera('pacemaker_remote_try_sleep', 60), $cluster_recheck_interval = hiera('pacemaker_cluster_recheck_interval', undef), + $encryption = true, ) { if count($remote_short_node_names) != count($remote_node_ips) { @@ -98,9 +103,20 @@ class tripleo::profile::base::pacemaker ( $pacemaker_cluster_members = downcase(regsubst($pacemaker_short_node_names, ',', ' ', 'G')) $corosync_ipv6 = str2bool(hiera('corosync_ipv6', false)) if $corosync_ipv6 { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000), '--ipv6' => '' } + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000), + '--ipv6' => '' + } + } else { + $cluster_setup_extras_pre = { + '--token' => hiera('corosync_token_timeout', 1000) + } + } + + if $encryption { + $cluster_setup_extras = merge($cluster_setup_extras_pre, {'--encryption' => '1'}) } else { - $cluster_setup_extras = { '--token' => hiera('corosync_token_timeout', 1000) } + $cluster_setup_extras = $cluster_setup_extras_pre } class { '::pacemaker': hacluster_pwd => hiera('hacluster_pwd'), diff --git a/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml new file mode 100644 index 0000000..65b0316 --- /dev/null +++ b/releasenotes/notes/Use-encryption-for-pacemaker-by-default-ca887dca02a21705.yaml 
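Review bot: `$encryption = true` in the @@ -74 hunk is the only parameter in that list not read through `hiera(...)` with a default, so it is keyed differently from every neighbouring knob; `$encryption = hiera('pacemaker_encryption', true),` (constructed key — pick whatever naming the rest of the profile uses) would keep the interface consistent. The new doc text in the @@ -63 hunk should also say how encryption is enabled and when it takes effect: the flag only lands in `$cluster_setup_extras`, which by its name feeds cluster setup, so flipping it on an already-configured cluster presumably does nothing until the cluster is set up again — confirm against the `::pacemaker` class. Something like `# (Optional) Pass --encryption 1 to the cluster setup so corosync traffic is encrypted; applied at cluster setup time only.` would capture both. The enclosing class starts before the first hunk and continues past the last.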
@@ -0,0 +1,6 @@ +--- +features: + - | + Encryption is used for pacemaker traffic by default. This is achieved by + using a pre shared key for all the pacemaker cluster nodes (same as the one + that was used for the pacemaker remote communication). diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb index e0947dc..2a15362 100644 --- a/spec/classes/tripleo_profile_base_docker_spec.rb +++ b/spec/classes/tripleo_profile_base_docker_spec.rb @@ -28,7 +28,7 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_service('docker') } it { is_expected.to contain_augeas('docker-sysconfig-options').with_changes([ - "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", + "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false\"'", ]) } end diff --git a/spec/classes/tripleo_profile_base_swift_proxy_spec.rb b/spec/classes/tripleo_profile_base_swift_proxy_spec.rb index 68d7dde..0252237 100644 --- a/spec/classes/tripleo_profile_base_swift_proxy_spec.rb +++ b/spec/classes/tripleo_profile_base_swift_proxy_spec.rb @@ -30,7 +30,9 @@ describe 'tripleo::profile::base::swift::proxy' do include ::memcached class { '::swift::proxy': proxy_local_net_ip => '127.0.0.1', - }" + } + include ::swift::proxy::tempauth + " end context 'with ipv4 memcache servers' do diff --git a/test-requirements.txt b/test-requirements.txt index a23c7e7..629ab00 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,6 +1,6 @@ # This is required for the docs build jobs sphinx>=1.6.2 # BSD -openstackdocstheme>=1.11.0 # Apache-2.0 +openstackdocstheme>=1.16.0 # Apache-2.0 # This is required for the releasenotes build jobs # FIXME: reno is manually pinned to !=2.0.0 because of bug #1651995 |