diff options
| -rw-r--r-- | manifests/certmonger/httpd.pp | 62 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 15 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 94 | ||||
| -rw-r--r-- | manifests/profile/base/logging/fluentd.pp | 160 | ||||
| -rw-r--r-- | manifests/profile/base/monitoring/sensu.pp | 8 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/opendaylight.pp | 2 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/plugins/ml2/opendaylight.pp | 27 | ||||
| -rw-r--r-- | manifests/profile/base/neutron/plugins/ovs/opendaylight.pp | 10 | ||||
| -rw-r--r-- | manifests/profile/base/zaqar.pp | 48 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 12 |
10 files changed, 321 insertions, 117 deletions
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp new file mode 100644 index 0000000..94b48b7 --- /dev/null +++ b/manifests/certmonger/httpd.pp @@ -0,0 +1,62 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::httpd +# +# Request a certificate for the httpd service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*principal*] +# The haproxy service principal that is set for HAProxy in kerberos. +# +define tripleo::certmonger::httpd ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::apache::params + + $postsave_cmd = "systemctl reload ${::apache::params::service_name}" + certmonger_certificate { $name : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |> +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 77dabf5..4747d57 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -106,6 +106,11 @@ # flag is set. # Defaults to {} # +# [*enable_internal_tls*] +# A flag that indicates if the servers in the internal network are using TLS. +# This enables the 'ssl' option for the server members that are proxied. +# Defaults to hiera('enable_internal_tls', false) +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -437,6 +442,7 @@ class tripleo::haproxy ( $service_certificate = undef, $use_internal_certificates = false, $internal_certificates_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -555,6 +561,13 @@ class tripleo::haproxy ( } $ports = merge($default_service_ports, $service_ports) + if $enable_internal_tls { + # TODO(jaosorior): change verify none to verify required. + $internal_tls_member_options = ['ssl', 'verify none'] + } else { + $internal_tls_member_options = [] + } + $controller_hosts_real = any2array(split($controller_hosts, ',')) if ! $controller_hosts_names { $controller_hosts_names_real = $controller_hosts_real @@ -694,6 +707,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -723,6 +737,7 @@ class tripleo::haproxy ( listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index fbccdda..8a70110 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -18,18 +18,48 @@ # # === Parameters # +# [*admin_endpoint_network*] +# (Optional) The network name where the admin endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('keystone_admin_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) # -# [*step*] -# (Optional) The current step in deployment. See tripleo-heat-templates -# for more details. -# Defaults to hiera('step') +# [*public_endpoint_network*] +# (Optional) The network name where the admin endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('keystone_public_api_network', undef) +# # # [*rabbit_hosts*] # list of the rabbbit host IPs @@ -38,13 +68,23 @@ # [*rabbit_port*] # IP port for rabbitmq service # Defaults to hiera('keystone::rabbit_port', 5672) - +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# class tripleo::profile::base::keystone ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_db_purge = hiera('keystone_enable_db_purge', true), - $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), - $rabbit_port = hiera('keystone::rabbit_port', 5672), + $admin_endpoint_network = hiera('keystone_admin_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_db_purge = hiera('keystone_enable_db_purge', true), + $public_endpoint_network = hiera('keystone_public_api_network', undef), + $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_port = hiera('keystone::rabbit_port', 5672), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -58,6 +98,29 @@ class tripleo::profile::base::keystone ( $manage_domain = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$public_endpoint_network { + fail('keystone_public_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_key'] + + if !$admin_endpoint_network { + fail('keystone_admin_api_network is not set in the hieradata.') + } + $tls_certfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_certificate'] + $tls_keyfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + $tls_certfile_admin = undef + $tls_keyfile_admin = undef + } + if $step >= 4 or ( $step >= 3 and $sync_db ) { class { '::keystone': sync_db => $sync_db, @@ -66,7 +129,12 @@ class tripleo::profile::base::keystone ( } include ::keystone::config - include ::keystone::wsgi::apache + class { '::keystone::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + ssl_cert_admin => $tls_certfile_admin, + ssl_key_admin => $tls_keyfile_admin, + } include ::keystone::cors if $manage_roles { @@ -153,6 +221,10 @@ class tripleo::profile::base::keystone ( if hiera('trove_api_enabled', false) { include ::trove::keystone::auth } + if hiera('zaqar_enabled', false) { + include ::zaqar::keystone::auth + include ::zaqar::keystone::auth_websocket + } } } diff --git a/manifests/profile/base/logging/fluentd.pp b/manifests/profile/base/logging/fluentd.pp index 3ed7d88..9e1aa8d 100644 --- a/manifests/profile/base/logging/fluentd.pp +++ b/manifests/profile/base/logging/fluentd.pp @@ -52,7 +52,7 @@ # secure-foward plugin. # # [*fluentd_listen_syslog*] -# (Optional, default true) When true, fluentd will listen for syslog +# (Optional, default true) When true, fluentd will listen for syslog # messages on a local UDP port. # # [*fluentd_syslog_port*] @@ -71,107 +71,105 @@ class tripleo::profile::base::logging::fluentd ( $fluentd_listen_syslog = true, $fluentd_syslog_port = 42185 ) { - if $step == undef or $step >= 3 { - include ::fluentd + include ::fluentd - if $fluentd_groups { - user { $::fluentd::config_owner: - ensure => present, - groups => $fluentd_groups, - membership => 'minimum', - } + if $fluentd_groups { + user { $::fluentd::config_owner: + ensure => present, + groups => $fluentd_groups, + membership => 'minimum', } + } - if $fluentd_pos_file_path { - file { $fluentd_pos_file_path: - ensure => 'directory', - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0750', - } + if $fluentd_pos_file_path { + file { $fluentd_pos_file_path: + ensure => 'directory', + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0750', } + } - ::fluentd::plugin { 'rubygem-fluent-plugin-add': - plugin_provider => 'yum', - } + ::fluentd::plugin { 'rubygem-fluent-plugin-add': + plugin_provider => 'yum', + } - if $fluentd_sources { - ::fluentd::config { '100-openstack-sources.conf': - config => { - 'source' => $fluentd_sources, - } + if $fluentd_sources { + ::fluentd::config { '100-openstack-sources.conf': + config => { + 'source' => $fluentd_sources, } } + } - if $fluentd_listen_syslog { - # fluentd will receive syslog messages by listening on a local udp - # socket. - ::fluentd::config { '110-system-sources.conf': - config => { - 'source' => { - 'type' => 'syslog', - 'tag' => 'system.messages', - 'port' => $fluentd_syslog_port, - } + if $fluentd_listen_syslog { + # fluentd will receive syslog messages by listening on a local udp + # socket. + ::fluentd::config { '110-system-sources.conf': + config => { + 'source' => { + 'type' => 'syslog', + 'tag' => 'system.messages', + 'port' => $fluentd_syslog_port, } } + } - file { '/etc/rsyslog.d/fluentd.conf': - content => "*.* @127.0.0.1:${fluentd_syslog_port}", - owner => 'root', - group => 'root', - mode => '0644', - } ~> exec { 'reload rsyslog': - command => '/bin/systemctl restart rsyslog', - } + file { '/etc/rsyslog.d/fluentd.conf': + content => "*.* @127.0.0.1:${fluentd_syslog_port}", + owner => 'root', + group => 'root', + mode => '0644', + } ~> exec { 'reload rsyslog': + command => '/bin/systemctl restart rsyslog', } + } - if $fluentd_filters { - ::fluentd::config { '200-openstack-filters.conf': - config => { - 'filter' => $fluentd_filters, - } + if $fluentd_filters { + ::fluentd::config { '200-openstack-filters.conf': + config => { + 'filter' => $fluentd_filters, } } + } - if $fluentd_servers and !empty($fluentd_servers) { - if $fluentd_use_ssl { - ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': - plugin_provider => 'yum', - } + if $fluentd_servers and !empty($fluentd_servers) { + if $fluentd_use_ssl { + ::fluentd::plugin { 'rubygem-fluent-plugin-secure-forward': + plugin_provider => 'yum', + } - file {'/etc/fluentd/ca_cert.pem': - content => $fluentd_ssl_certificate, - owner => $::fluentd::config_owner, - group => $::fluentd::config_group, - mode => '0444', - } + file {'/etc/fluentd/ca_cert.pem': + content => $fluentd_ssl_certificate, + owner => $::fluentd::config_owner, + group => $::fluentd::config_group, + mode => '0444', + } - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - # lint:ignore:single_quote_string_with_variables - # lint:ignore:quoted_booleans - 'type' => 'secure_forward', - 'tag_pattern' => '**', - 'self_hostname' => '${hostname}', - 'secure' => 'true', - 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', - 'shared_key' => $fluentd_shared_key, - 'server' => $fluentd_servers, - # lint:endignore - # lint:endignore - } + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + # lint:ignore:single_quote_string_with_variables + # lint:ignore:quoted_booleans + 'type' => 'secure_forward', + 'tag_pattern' => '**', + 'self_hostname' => '${hostname}', + 'secure' => 'true', + 'ca_cert_path' => '/etc/fluentd/ca_cert.pem', + 'shared_key' => $fluentd_shared_key, + 'server' => $fluentd_servers, + # lint:endignore + # lint:endignore } } - } else { - ::fluentd::config { '300-openstack-matches.conf': - config => { - 'match' => { - 'type' => 'forward', - 'tag_pattern' => '**', - 'server' => $fluentd_servers, - } + } + } else { + ::fluentd::config { '300-openstack-matches.conf': + config => { + 'match' => { + 'type' => 'forward', + 'tag_pattern' => '**', + 'server' => $fluentd_servers, } } } diff --git a/manifests/profile/base/monitoring/sensu.pp b/manifests/profile/base/monitoring/sensu.pp index a6872b3..91b7ac7 100644 --- a/manifests/profile/base/monitoring/sensu.pp +++ b/manifests/profile/base/monitoring/sensu.pp @@ -25,10 +25,8 @@ class tripleo::profile::base::monitoring::sensu ( $step = hiera('step', undef), ) { - if $step == undef or $step >= 3 { - include ::sensu - package { 'osops-tools-monitoring-oschecks': - ensure => 'present' - } + include ::sensu + package { 'osops-tools-monitoring-oschecks': + ensure => 'present' } } diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp index ffe28ce..a3f46ec 100644 --- a/manifests/profile/base/neutron/opendaylight.pp +++ b/manifests/profile/base/neutron/opendaylight.pp @@ -39,7 +39,7 @@ class tripleo::profile::base::neutron::opendaylight ( if $step >= 1 { # Configure ODL only on first controller - if hiera('odl_on_controller') and $primary_controller == downcase($::hostname) { + if $primary_controller == downcase($::hostname) { include ::opendaylight } } diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp index f25aea6..2eb09ae 100644 --- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp @@ -22,6 +22,14 @@ # (Optional) Port to use for OpenDaylight # Defaults to hiera('opendaylight::odl_rest_port') # +# [*odl_username*] +# (Optional) Username to configure for OpenDaylight +# Defaults to 'admin' +# +# [*odl_password*] +# (Optional) Password to configure for OpenDaylight +# Defaults to 'admin' +# # [*conn_proto*] # (Optional) Protocol to use to for ODL REST access # Defaults to hiera('opendaylight::nb_connection_protocol') @@ -32,23 +40,22 @@ # Defaults to hiera('step') # class tripleo::profile::base::neutron::plugins::ml2::opendaylight ( - $odl_port = hiera('opendaylight::odl_rest_port'), - $conn_proto = hiera('opendaylight::nb_connection_protocol'), - $step = hiera('step'), + $odl_port = hiera('opendaylight::odl_rest_port'), + $odl_username = hiera('opendaylight::username'), + $odl_password = hiera('opendaylight::password'), + $conn_proto = hiera('opendaylight::nb_connection_protocol'), + $step = hiera('step'), ) { if $step >= 4 { - # Figure out ODL IP - if hiera('odl_on_controller') { - $odl_url_ip = hiera('opendaylight_api_vip') - } else { - $odl_url_ip = hiera('opendaylight::odl_bind_ip') - } + $odl_url_ip = hiera('opendaylight_api_vip') if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') } class { '::neutron::plugins::ml2::opendaylight': - odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron"; + odl_username => $odl_username, + odl_password => $odl_password, + odl_url => "${conn_proto}://${odl_url_ip}:${odl_port}/controller/nb/v2/neutron"; } } } diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp index 7548046..91c5168 100644 --- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp +++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp @@ -48,14 +48,8 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight ( ) { if $step >= 4 { - # Figure out ODL IP (and VIP if on controller) - if hiera('odl_on_controller') { - $opendaylight_controller_ip = $odl_api_ips[0] - $odl_url_ip = hiera('opendaylight_api_vip') - } else { - $opendaylight_controller_ip = hiera('opendaylight::odl_bind_ip') - $odl_url_ip = $opendaylight_controller_ip - } + $opendaylight_controller_ip = $odl_api_ips[0] + $odl_url_ip = hiera('opendaylight_api_vip') if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') } diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp new file mode 100644 index 0000000..6794742 --- /dev/null +++ b/manifests/profile/base/zaqar.pp @@ -0,0 +1,48 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::zaqar +# +# Zaqar profile for tripleo +# +# === Parameters +# +# [*sync_db*] +# (Optional) Whether to run db sync +# Defaults to true +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::zaqar ( + $step = hiera('step'), +) { + if $step >= 4 { + include ::zaqar + include ::zaqar::management::mongodb + include ::zaqar::messaging::mongodb + include ::zaqar::transport::websocket + include ::zaqar::transport::wsgi + + # TODO (bcrochet): At some point, the transports should be split out to + # seperate services. + include ::zaqar::server + zaqar::server_instance{ '1': + transport => 'websocket' + } + } +} + diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index 7464854..a353e5f 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -89,9 +89,19 @@ class tripleo::profile::pacemaker::database::mysql ( } } + # remove_default_accounts parameter will execute some mysql commands + # to remove the default accounts created by MySQL package. + # We need MySQL running to run the commands successfully, so better to + # wait step 2 before trying to run the commands. + if $step >= 2 and $pacemaker_master { + $remove_default_accounts = true + } else { + $remove_default_accounts = false + } + class { '::tripleo::profile::base::database::mysql': manage_resources => false, - remove_default_accounts => $pacemaker_master, + remove_default_accounts => $remove_default_accounts, mysql_server_options => $mysqld_options, } |