aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/certmonger/rabbitmq.pp79
-rw-r--r--manifests/profile/base/panko.pp18
-rw-r--r--manifests/profile/base/panko/api.pp18
-rw-r--r--manifests/profile/base/rabbitmq.pp72
-rw-r--r--manifests/profile/base/sahara.pp1
-rw-r--r--metadata.json2
-rw-r--r--releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml4
-rw-r--r--releasenotes/source/conf.py12
-rw-r--r--spec/classes/tripleo_certmonger_rabbitmq.rb64
9 files changed, 230 insertions, 40 deletions
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
new file mode 100644
index 0000000..344adef
--- /dev/null
+++ b/manifests/certmonger/rabbitmq.pp
@@ -0,0 +1,79 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::rabbitmq
+#
+# Request a certificate for RabbitMQ and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+# (Optional) The user which the certificate and key files belong to.
+# Defaults to 'root'
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::rabbitmq (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::rabbitmq::params
+
+ $postsave_cmd = "systemctl restart ${::rabbitmq::params::service_name}"
+ certmonger_certificate { 'rabbitmq' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+
+ file { $service_certificate :
+ owner => $::rabbitmq::params::rabbitmq_user,
+ group => $::rabbitmq::params::rabbitmq_group,
+ require => Certmonger_certificate['rabbitmq'],
+ }
+ file { $service_key :
+ owner => $::rabbitmq::params::rabbitmq_user,
+ group => $::rabbitmq::params::rabbitmq_group,
+ require => Certmonger_certificate['rabbitmq'],
+ }
+
+ File[$service_certificate] ~> Service<| title == $::rabbitmq::params::service_name |>
+ File[$service_key] ~> Service<| title == $::rabbitmq::params::service_name |>
+}
diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp
index 880cf7d..286e4ac 100644
--- a/manifests/profile/base/panko.pp
+++ b/manifests/profile/base/panko.pp
@@ -23,26 +23,12 @@
# for more details.
# Defaults to hiera('step')
#
-# [*bootstrap_node*]
-# (Optional) The hostname of the node responsible for bootstrapping tasks
-# Defaults to hiera('bootstrap_nodeid')
class tripleo::profile::base::panko (
- $step = hiera('step'),
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $step = hiera('step'),
) {
-
- if $::hostname == downcase($bootstrap_node) {
- $sync_db = true
- } else {
- $sync_db = false
- }
-
- if $step >= 4 or ($step >= 3 and $sync_db) {
+ if $step >= 3 {
include ::panko
- include ::panko::db
include ::panko::config
- include ::panko::db::sync
}
-
}
diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp
index 45ee0c0..a6643ce 100644
--- a/manifests/profile/base/panko/api.pp
+++ b/manifests/profile/base/panko/api.pp
@@ -18,6 +18,10 @@
#
# === Parameters
#
+# [*bootstrap_node*]
+# (Optional) The hostname of the node responsible for bootstrapping tasks
+# Defaults to hiera('bootstrap_nodeid')
+#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -53,12 +57,19 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::panko::api (
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_service_certificates = hiera('generate_service_certificates', false),
$panko_network = hiera('panko_api_network', undef),
$step = hiera('step'),
) {
+ if $::hostname == downcase($bootstrap_node) {
+ $sync_db = true
+ } else {
+ $sync_db = false
+ }
+
include ::tripleo::profile::base::panko
if $enable_internal_tls {
@@ -76,8 +87,11 @@ class tripleo::profile::base::panko::api (
$tls_keyfile = undef
}
- if $step >= 4 {
- include ::panko::api
+ if $step >= 4 or ( $step >= 3 and $sync_db ) {
+ include ::panko::db
+ class { '::panko::api':
+ sync_db => $sync_db,
+ }
class { '::panko::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index 1eaabf0..b04d721 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -18,14 +18,41 @@
#
# === Parameters
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to {}.
+#
# [*config_variables*]
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_config_variables').
#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to undef
+#
# [*environment*]
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# MySQL. This could be as many as specified by the $certificates_specs
+# variable.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*inet_dist_interface*]
+# (Optional) Address to bind the inter-cluster interface
+# to. It is the inet_dist_use_interface option in the kernel variables
+# Defaults to hiera('rabbitmq::interface', undef).
+#
# [*ipv6*]
# (Optional) Whether to deploy RabbitMQ on IPv6 network.
# Defaults to str2bool(hiera('rabbit_ipv6', false)).
@@ -34,11 +61,6 @@
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
-# [*inet_dist_interface*]
-# (Optional) Address to bind the inter-cluster interface
-# to. It is the inet_dist_use_interface option in the kernel variables
-# Defaults to hiera('rabbitmq::interface', undef).
-#
# [*nodes*]
# (Optional) Array of host(s) for RabbitMQ nodes.
# Defaults to hiera('rabbitmq_node_names', []).
@@ -61,17 +83,31 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::rabbitmq (
- $config_variables = hiera('rabbitmq_config_variables'),
- $environment = hiera('rabbitmq_environment'),
- $ipv6 = str2bool(hiera('rabbit_ipv6', false)),
- $kernel_variables = hiera('rabbitmq_kernel_variables'),
- $inet_dist_interface = hiera('rabbitmq::interface', undef),
- $nodes = hiera('rabbitmq_node_names', []),
- $rabbitmq_pass = hiera('rabbitmq::default_pass'),
- $rabbitmq_user = hiera('rabbitmq::default_user'),
- $stack_action = hiera('stack_action'),
- $step = hiera('step'),
+ $certificate_specs = {},
+ $config_variables = hiera('rabbitmq_config_variables'),
+ $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t
+ $environment = hiera('rabbitmq_environment'),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $inet_dist_interface = hiera('rabbitmq::interface', undef),
+ $ipv6 = str2bool(hiera('rabbit_ipv6', false)),
+ $kernel_variables = hiera('rabbitmq_kernel_variables'),
+ $nodes = hiera('rabbitmq_node_names', []),
+ $rabbitmq_pass = hiera('rabbitmq::default_pass'),
+ $rabbitmq_user = hiera('rabbitmq::default_user'),
+ $stack_action = hiera('stack_action'),
+ $step = hiera('step'),
) {
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs)
+ }
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
# IPv6 environment, necessary for RabbitMQ.
if $ipv6 {
$rabbit_env = merge($environment, {
@@ -100,6 +136,9 @@ class tripleo::profile::base::rabbitmq (
config_kernel_variables => $real_kernel_variables,
config_variables => $config_variables,
environment_variables => $rabbit_env,
+ # TLS options
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
}
# when running multi-nodes without Pacemaker
if $manage_service {
@@ -116,6 +155,9 @@ class tripleo::profile::base::rabbitmq (
config_kernel_variables => $kernel_variables,
config_variables => $config_variables,
environment_variables => $rabbit_env,
+ # TLS options
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
}
}
# In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency
diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp
index c9c656d..7f4ecbe 100644
--- a/manifests/profile/base/sahara.pp
+++ b/manifests/profile/base/sahara.pp
@@ -114,5 +114,6 @@ class tripleo::profile::base::sahara (
'ssl' => $oslomsg_use_ssl_real,
}),
}
+ include ::sahara::keystone::authtoken
}
}
diff --git a/metadata.json b/metadata.json
index 0db84c7..32b5d95 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
{
"name": "openstack-tripleo",
- "version": "6.2.0",
+ "version": "7.0.0",
"author": "OpenStack Contributors",
"summary": "Puppet module for TripleO",
"license": "Apache-2.0",
diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml
new file mode 100644
index 0000000..c744e0f
--- /dev/null
+++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Sahara is now deployed with keystone_authtoken parameters and move
+ forward with Keystone v3 version.
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index 5cc0c41..e293b07 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -45,16 +45,16 @@ master_doc = 'index'
# General information about the project.
project = u'puppet-tripleo Release Notes'
-copyright = u'2016, Puppet TripleO Developers'
+copyright = u'2017, Puppet TripleO Developers'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
-version = '6.2.0'
+version = '7.0.0'
# The full version, including alpha/beta/rc tags.
-release = '6.2.0'
+release = '7.0.0'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
@@ -198,7 +198,7 @@ latex_elements = {
# author, documentclass [howto, manual, or own class]).
latex_documents = [
('index', 'puppet-tripleoReleaseNotes.tex', u'puppet-tripleo Release Notes Documentation',
- u'2016, Puppet TripleO Developers', 'manual'),
+ u'2017, Puppet TripleO Developers', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
@@ -228,7 +228,7 @@ latex_documents = [
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'puppet-tripleoreleasenotes', u'puppet-tripleo Release Notes Documentation',
- [u'2016, Puppet TripleO Developers'], 1)
+ [u'2017, Puppet TripleO Developers'], 1)
]
# If true, show URL addresses after external links.
@@ -242,7 +242,7 @@ man_pages = [
# dir menu entry, description, category)
texinfo_documents = [
('index', 'puppet-tripleoReleaseNotes', u'puppet-tripleo Release Notes Documentation',
- u'2016, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.',
+ u'2017, Puppet TripleO Developers', 'puppet-tripleoReleaseNotes', 'Puppet TripleO Project.',
'Miscellaneous'),
]
diff --git a/spec/classes/tripleo_certmonger_rabbitmq.rb b/spec/classes/tripleo_certmonger_rabbitmq.rb
new file mode 100644
index 0000000..5c011ce
--- /dev/null
+++ b/spec/classes/tripleo_certmonger_rabbitmq.rb
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::rabbitmq' do
+
+ shared_examples_for 'tripleo::certmonger::rabbitmq' do
+ let :params do
+ {
+ :hostname => 'localhost',
+ :service_certificate => '/etc/pki/cert.crt',
+ :service_key => '/etc/pki/key.pem',
+ }
+ end
+
+ it 'should include the base for using certmonger' do
+ is_expected.to contain_class('certmonger')
+ end
+
+ it 'should include the rabbitmq parameters' do
+ is_expected.to contain_class('rabbitmq::params')
+ end
+
+ it 'should request a certificate' do
+ is_expected.to contain_certmonger_certificate('rabbitmq').with(
+ :ensure => 'present',
+ :certfile => '/etc/pki/cert.crt',
+ :keyfile => '/etc/pki/key.pem',
+ :hostname => 'localhost',
+ :dnsname => 'localhost',
+ :ca => 'local',
+ :wait => true,
+ )
+ is_expected.to contain_file('/etc/pki/cert.crt')
+ is_expected.to contain_file('/etc/pki/key.pem')
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::rabbitmq'
+ end
+ end
+end