-rw-r--r-- | manifests/certmonger/rabbitmq.pp | 79 | ||||
-rw-r--r-- | manifests/profile/base/panko.pp | 18 | ||||
-rw-r--r-- | manifests/profile/base/panko/api.pp | 18 | ||||
-rw-r--r-- | manifests/profile/base/rabbitmq.pp | 72 | ||||
-rw-r--r-- | manifests/profile/base/sahara.pp | 1 | ||||
-rw-r--r-- | metadata.json | 2 | ||||
-rw-r--r-- | releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml | 4 | ||||
-rw-r--r-- | releasenotes/source/conf.py | 12 | ||||
-rw-r--r-- | spec/classes/tripleo_certmonger_rabbitmq.rb | 64 |
9 files changed, 230 insertions, 40 deletions
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
new file mode 100644
index 0000000..344adef
--- /dev/null
+++ b/manifests/certmonger/rabbitmq.pp
@@ -0,0 +1,79 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::rabbitmq
+#
+# Request a certificate for RabbitMQ and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+# (Optional) The user which the certificate and key files belong to.
+# Defaults to 'root'
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef +# +class tripleo::certmonger::rabbitmq ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::rabbitmq::params + + $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}" + certmonger_certificate { 'rabbitmq' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + file { $service_certificate : + owner => $::rabbitmq::params::rabbitmq_user, + group => $::rabbitmq::params::rabbitmq_group, + require => Certmonger_certificate['rabbitmq'], + } + file { $service_key : + owner => $::rabbitmq::params::rabbitmq_user, + group => $::rabbitmq::params::rabbitmq_group, + require => Certmonger_certificate['rabbitmq'], + } + + File[$service_certificate] ~> Service<| title == $::rabbitmq::params::service_name |> + File[$service_key] ~> Service<| title == $::rabbitmq::params::service_name |> +} diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp index 880cf7d..286e4ac 100644 --- a/manifests/profile/base/panko.pp +++ b/manifests/profile/base/panko.pp @@ -23,26 +23,12 @@ # for more details. # Defaults to hiera('step') # -# [*bootstrap_node*] -# (Optional) The hostname of the node responsible for bootstrapping tasks -# Defaults to hiera('bootstrap_nodeid') class tripleo::profile::base::panko ( - $step = hiera('step'), - $bootstrap_node = hiera('bootstrap_nodeid', undef), + $step = hiera('step'), ) { - - if $::hostname == downcase($bootstrap_node) { - $sync_db = true - } else { - $sync_db = false - } - - if $step >= 4 or ($step >= 3 and $sync_db) { + if $step >= 3 { include ::panko - include ::panko::db include ::panko::config - include ::panko::db::sync } - } 
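Review bot: The parameter list of tripleo::certmonger::rabbitmq has no `$file_owner`, yet the header added in this hunk documents a `[*file_owner*]` parameter "Defaults to 'root'", and the two `file` resources actually take owner and group from `::rabbitmq::params`; either drop that doc entry or add the parameter and use it in the file resources. Those same `file` resources for `$service_certificate` and `$service_key` set owner and group but no `mode`; for the private key an explicit `mode => '0600'` (or `'0640'` if the rabbitmq group needs read access) would make the restriction independent of whatever mode certmonger wrote the file with when the ownership changes. The doc line `The hostname of the node. this will be set in the CN of the certificate.` should also start its second sentence with a capital letter.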
diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp index 45ee0c0..a6643ce 100644 --- a/manifests/profile/base/panko/api.pp +++ b/manifests/profile/base/panko/api.pp @@ -18,6 +18,10 @@ # # === Parameters # +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# # [*certificates_specs*] # (Optional) The specifications to give to certmonger for the certificate(s) # it will create. @@ -53,12 +57,19 @@ # Defaults to hiera('step') # class tripleo::profile::base::panko::api ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), $certificates_specs = hiera('apache_certificates_specs', {}), $enable_internal_tls = hiera('enable_internal_tls', false), $generate_service_certificates = hiera('generate_service_certificates', false), $panko_network = hiera('panko_api_network', undef), $step = hiera('step'), ) { + if $::hostname == downcase($bootstrap_node) { + $sync_db = true + } else { + $sync_db = false + } + include ::tripleo::profile::base::panko if $enable_internal_tls { @@ -76,8 +87,11 @@ class tripleo::profile::base::panko::api ( $tls_keyfile = undef } - if $step >= 4 { - include ::panko::api + if $step >= 4 or ( $step >= 3 and $sync_db ) { + include ::panko::db + class { '::panko::api': + sync_db => $sync_db, + } class { '::panko::wsgi::apache': ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index 1eaabf0..b04d721 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp 
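Review bot: In the second hunk of manifests/profile/base/panko/api.pp, `$sync_db` is assigned through a four-line if/else that could be the single expression `$sync_db = ($::hostname == downcase($bootstrap_node))`; this is the same logic the commit moves out of manifests/profile/base/panko.pp, so the style point applies to the moved code rather than to new behaviour. Note also that `$bootstrap_node` defaults to `undef`, so when hiera provides no `bootstrap_nodeid` the comparison passes `undef` to `downcase()`; if the stdlib `downcase` function rejects non-string input this raises a compile error instead of yielding `false`, which is worth confirming before relying on the new default. The class body continues beyond the third hunk.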
@@ -18,14 +18,41 @@ # # === Parameters # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# # [*config_variables*] # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_config_variables'). # +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to undef +# # [*environment*] # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# MySQL. This could be as many as specified by the $certificates_specs +# variable. +# Defaults to hiera('generate_service_certificate', false). +# +# [*inet_dist_interface*] +# (Optional) Address to bind the inter-cluster interface +# to. It is the inet_dist_use_interface option in the kernel variables +# Defaults to hiera('rabbitmq::interface', undef). +# # [*ipv6*] # (Optional) Whether to deploy RabbitMQ on IPv6 network. # Defaults to str2bool(hiera('rabbit_ipv6', false)). @@ -34,11 +61,6 @@ # (Optional) RabbitMQ environment. # Defaults to hiera('rabbitmq_environment'). # -# [*inet_dist_interface*] -# (Optional) Address to bind the inter-cluster interface -# to. It is the inet_dist_use_interface option in the kernel variables -# Defaults to hiera('rabbitmq::interface', undef). -# # [*nodes*] # (Optional) Array of host(s) for RabbitMQ nodes. # Defaults to hiera('rabbitmq_node_names', []). 
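Review bot: The new `[*certificate_specs*]` documentation appears to be copied from the MySQL profile and does not describe this class: it says the certificate nickname must be 'mysql', gives the hiera key as `tripleo::profile::base::database::mysql::certificate_specs`, and shows `principal: "mysql/<overcloud controller fqdn>"`, while the class declared in the next hunk is `tripleo::profile::base::rabbitmq` and the certmonger class it instantiates names its certificate 'rabbitmq'. The example should read `tripleo::profile::base::rabbitmq::certificate_specs:` with, presumably, `principal: "rabbitmq/<overcloud controller fqdn>"`, and the nickname sentence should say 'rabbitmq'. Likewise `[*generate_service_certificates*]` says certificates are generated "for MySQL", refers to `$certificates_specs` although the parameter is `$certificate_specs`, and states the default as `hiera('generate_service_certificate', false)` whereas the signature in the next hunk uses `hiera('generate_service_certificates', false)`.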
@@ -61,17 +83,31 @@ # Defaults to hiera('step') # class tripleo::profile::base::rabbitmq ( - $config_variables = hiera('rabbitmq_config_variables'), - $environment = hiera('rabbitmq_environment'), - $ipv6 = str2bool(hiera('rabbit_ipv6', false)), - $kernel_variables = hiera('rabbitmq_kernel_variables'), - $inet_dist_interface = hiera('rabbitmq::interface', undef), - $nodes = hiera('rabbitmq_node_names', []), - $rabbitmq_pass = hiera('rabbitmq::default_pass'), - $rabbitmq_user = hiera('rabbitmq::default_user'), - $stack_action = hiera('stack_action'), - $step = hiera('step'), + $certificate_specs = {}, + $config_variables = hiera('rabbitmq_config_variables'), + $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t + $environment = hiera('rabbitmq_environment'), + $generate_service_certificates = hiera('generate_service_certificates', false), + $inet_dist_interface = hiera('rabbitmq::interface', undef), + $ipv6 = str2bool(hiera('rabbit_ipv6', false)), + $kernel_variables = hiera('rabbitmq_kernel_variables'), + $nodes = hiera('rabbitmq_node_names', []), + $rabbitmq_pass = hiera('rabbitmq::default_pass'), + $rabbitmq_user = hiera('rabbitmq::default_user'), + $stack_action = hiera('stack_action'), + $step = hiera('step'), ) { + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs) + } + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + # IPv6 environment, necessary for RabbitMQ. if $ipv6 { $rabbit_env = merge($environment, { @@ -100,6 +136,9 @@ class tripleo::profile::base::rabbitmq ( config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, environment_variables => $rabbit_env, + # TLS options + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, } # when running multi-nodes without Pacemaker if $manage_service { 
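Review bot: The `rabbitmq` class declarations in this hunk and in the following `@@ -116,6 +155,9 @@` hunk receive `ssl_cert` and `ssl_key`, but nothing in the diff enables TLS on the listener; if the rabbitmq module's `ssl` parameter is left at its default, the paths end up in the config without an SSL listener, so something like `ssl => $enable_internal_tls` looks to be missing — worth confirming against the module version this release pins. Separately, when `$enable_internal_tls` is true but `$generate_service_certificates` is false, `$tls_certfile` and `$tls_keyfile` are read from `$certificate_specs`, which defaults to `{}`, so both silently become undef; a `validate_hash($certificate_specs)` plus a check that the two keys are present would turn that misconfiguration into a compile-time failure. The `$enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t` default also leaves the feature off unless a caller passes it explicitly; defaulting it from hiera as the other new parameters do, e.g. `hiera('enable_internal_tls', false)` as manifests/profile/base/panko/api.pp does, would be clearer.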
@@ -116,6 +155,9 @@ class tripleo::profile::base::rabbitmq ( config_kernel_variables => $kernel_variables, config_variables => $config_variables, environment_variables => $rabbit_env, + # TLS options + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, } } # In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp index c9c656d..7f4ecbe 100644 --- a/manifests/profile/base/sahara.pp +++ b/manifests/profile/base/sahara.pp @@ -114,5 +114,6 @@ class tripleo::profile::base::sahara ( 'ssl' => $oslomsg_use_ssl_real, }), } + include ::sahara::keystone::authtoken } } diff --git a/metadata.json b/metadata.json index 0db84c7..32b5d95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "6.2.0", + "version": "7.0.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml new file mode 100644 index 0000000..c744e0f --- /dev/null +++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml @@ -0,0 +1,4 @@ +--- +features: + - Sahara is now deployed with keystone_authtoken parameters and move + forward with Keystone v3 version. diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index 5cc0c41..e293b07 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py 
@@ -45,16 +45,16 @@ master_doc = 'index' # General information about the project. project = u'puppet-tripleo Release Notes' -copyright = u'2016, Puppet TripleO Developers' +copyright = u'2017, Puppet TripleO Developers' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. -version = '6.2.0' +version = '7.0.0' # The full version, including alpha/beta/rc tags. -release = '6.2.0' +release = '7.0.0' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. @@ -198,7 +198,7 @@ latex_elements = { # author, documentclass [howto, manual, or own class]). latex_documents = [ ('index', 'puppet-tripleoReleaseNotes.tex', u'puppet-tripleo Release Notes Documentation', - u'2016, Puppet TripleO Developers', 'manual'), + u'2017, Puppet TripleO Developers', 'manual'), ] # The name of an image file (relative to this directory) to place at the top of @@ -228,7 +228,7 @@ latex_documents = [ # (source start file, name, description, authors, manual section). man_pages = [ ('index', 'puppet-tripleoreleasenotes', u'puppet-tripleo Release Notes Documentation', - [u'2016, Puppet TripleO Developers'], 1) + [u'2017, Puppet TripleO Developers'], 1) ] # If true, show URL addresses after external links. @@ -242,7 +242,7 @@ man_pages = [ # dir menu entry, description, category) texinfo_documents = [ ('index', 'puppet-tripleoReleaseNotes', u'puppet-tripleo Release Notes Documentation', - u'2016, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.', + u'2017, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.', 'Miscellaneous'), ] diff --git a/spec/classes/tripleo_certmonger_rabbitmq.rb b/spec/classes/tripleo_certmonger_rabbitmq.rb new file mode 100644 index 0000000..5c011ce --- /dev/null +++ b/spec/classes/tripleo_certmonger_rabbitmq.rb 
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::rabbitmq' do
+
+ shared_examples_for 'tripleo::certmonger::rabbitmq' do
+ let :params do
+ {
+ :hostname => 'localhost',
+ :service_certificate => '/etc/pki/cert.crt',
+ :service_key => '/etc/pki/key.pem',
+ }
+ end
+
+ it 'should include the base for using certmonger' do
+ is_expected.to contain_class('certmonger')
+ end
+
+ it 'should include the rabbitmq parameters' do
+ is_expected.to contain_class('rabbitmq::params')
+ end
+
+ it 'should request a certificate' do
+ is_expected.to contain_certmonger_certificate('rabbitmq').with(
+ :ensure => 'present',
+ :certfile => '/etc/pki/cert.crt',
+ :keyfile => '/etc/pki/key.pem',
+ :hostname => 'localhost',
+ :dnsname => 'localhost',
+ :ca => 'local',
+ :wait => true,
+ )
+ is_expected.to contain_file('/etc/pki/cert.crt')
+ is_expected.to contain_file('/etc/pki/key.pem')
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::rabbitmq'
+ end
+ end
+end |
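Review bot: The spec is added as `spec/classes/tripleo_certmonger_rabbitmq.rb`, without the `_spec.rb` suffix; the default rspec-puppet pattern only collects `*_spec.rb` files, so unless this project's rake task uses a custom pattern the file never runs and its failures go unnoticed — rename it to `tripleo_certmonger_rabbitmq_spec.rb`. The 'should request a certificate' example also only checks that the two `file` resources exist; asserting `.with(:owner => ..., :group => ...)` using the `rabbitmq::params` values for the OS under test, and `:postsave_cmd` on the certmonger_certificate, would pin the ownership change and restart hook that are the point of those resources.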