diff options
| -rw-r--r-- | manifests/haproxy.pp | 85 | ||||
| -rw-r--r-- | manifests/haproxy/endpoint.pp | 25 | ||||
| -rw-r--r-- | manifests/haproxy/horizon_endpoint.pp | 154 | ||||
| -rw-r--r-- | manifests/profile/base/barbican/api.pp | 4 | ||||
| -rw-r--r-- | manifests/profile/base/database/mysql.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/horizon.pp | 45 | ||||
| -rw-r--r-- | metadata.json | 2 | ||||
| -rw-r--r-- | releasenotes/source/conf.py | 4 | ||||
| -rw-r--r-- | spec/classes/tripleo_profile_base_barbican_api_spec.rb | 3 |
9 files changed, 244 insertions, 81 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 697f9ff..9939ca9 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -402,6 +402,10 @@ # (optional) Specify the network heat_cloudwatch is running on. # Defaults to hiera('heat_api_cloudwatch_network', undef) # +# [*horizon_network*] +# (optional) Specify the network horizon is running on. +# Defaults to hiera('horizon_network', undef) +# # [*ironic_inspector_network*] # (optional) Specify the network ironic_inspector is running on. # Defaults to hiera('ironic_inspector_network', undef) @@ -520,7 +524,6 @@ # 'ironic_inspector_port' (Defaults to 5050) # 'ironic_inspector_ssl_port' (Defaults to 13050) # 'keystone_admin_api_port' (Defaults to 35357) -# 'keystone_admin_api_ssl_port' (Defaults to 13357) # 'keystone_public_api_port' (Defaults to 5000) # 'keystone_public_api_ssl_port' (Defaults to 13000) # 'manila_api_port' (Defaults to 8786) @@ -644,6 +647,7 @@ class tripleo::haproxy ( $heat_api_network = hiera('heat_api_network', undef), $heat_cfn_network = hiera('heat_api_cfn_network', undef), $heat_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), + $horizon_network = hiera('horizon_network', undef), $ironic_inspector_network = hiera('ironic_inspector_network', undef), $ironic_network = hiera('ironic_api_network', undef), $keystone_admin_network = hiera('keystone_admin_api_network', undef), @@ -708,7 +712,6 @@ class tripleo::haproxy ( ironic_inspector_port => 5050, ironic_inspector_ssl_port => 13050, keystone_admin_api_port => 35357, - keystone_admin_api_ssl_port => 13357, keystone_public_api_port => 5000, keystone_public_api_ssl_port => 13000, manila_api_port => 8786, @@ -772,43 +775,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) - if $service_certificate { - # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the - # same, the first option takes precedence. Which is the case when network - # isolation is not enabled. This is not a problem as both options are - # identical. If network isolation is enabled, this works correctly and - # will add a TLS binding to both the horizon_vip and the - # public_virtual_ip. - # Even though for the public_virtual_ip the port 80 is listening, we - # redirect to https in the horizon_options below. - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => 'scheme https code 301 if !{ ssl_fc }', - 'option' => [ 'forwardfor', 'httpchk' ], - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - } - } else { - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'option' => [ 'forwardfor', 'httpchk' ], - } - } - $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) $mysql_bind_opts = { "${mysql_vip}:3306" => $haproxy_listen_bind_param, @@ -894,16 +860,14 @@ class tripleo::haproxy ( if $keystone_admin { ::tripleo::haproxy::endpoint { 'keystone_admin': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_admin_api_port], - ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), - mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), - public_ssl_port => $ports[keystone_admin_api_ssl_port], - service_network => $keystone_admin_network, - member_options => union($haproxy_member_options, $internal_tls_member_options), + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), + service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1275,18 +1239,17 @@ class tripleo::haproxy ( } if $horizon { - haproxy::listen { 'horizon': - bind => $horizon_bind_opts, - options => $horizon_options, - mode => 'http', - collect_exported => false, - } - haproxy::balancermember { 'horizon': - listening_service => 'horizon', - ports => '80', - ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), - server_names => hiera('horizon_node_names', $controller_hosts_names_real), - options => union($haproxy_member_options, ["cookie ${::hostname}"]), + class { '::tripleo::haproxy::horizon_endpoint': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('horizon_vip', $controller_virtual_ip), + haproxy_listen_bind_param => $haproxy_listen_bind_param, + ip_addresses => hiera('horizon_node_ips', $controller_hosts_real), + server_names => hiera('horizon_node_names', $controller_hosts_names_real), + member_options => union($haproxy_member_options, $internal_tls_member_options), + public_certificate => $service_certificate, + use_internal_certificates => $use_internal_certificates, + internal_certificates_specs => $internal_certificates_specs, + service_network => $horizon_network, } } diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index bc00f2d..4436e19 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -140,15 +140,28 @@ define tripleo::haproxy::endpoint ( if !$service_network { fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") } - # NOTE(jaosorior): The key of the internal_certificates_specs hash must - # must match the convention haproxy-<network name> or else this - # will fail. Futherly, it must contain the path that we'll use under - # 'service_pem'. - $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + + if $service_network == 'external' and $public_certificate { + # NOTE(jaosorior): This service has been configured to use the external + # network. We should use the public certificate in this case. + $internal_cert_path = $public_certificate + } else { + # NOTE(jaosorior): This service is configured for the internal network. + # We use the certificate spec hash. The key of the + # internal_certificates_specs hash must must match the convention + # haproxy-<network name> or else this will fail. Futherly, it must + # contain the path that we'll use under 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + } $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + if $service_network == 'external' and $public_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), + union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) diff --git a/manifests/haproxy/horizon_endpoint.pp b/manifests/haproxy/horizon_endpoint.pp new file mode 100644 index 0000000..c7dfd88 --- /dev/null +++ b/manifests/haproxy/horizon_endpoint.pp @@ -0,0 +1,154 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::haproxy::endpoint +# +# Configure a HAProxy listen endpoint +# +# [*internal_ip*] +# The IP in which the proxy endpoint will be listening in the internal +# network. +# +# [*ip_addresses*] +# The ordered list of IPs to be used to contact the balancer member. +# +# [*server_names*] +# The names of the balancer members, which usually should be the hostname. +# +# [*member_options*] +# Options for the balancer member, specified after the server declaration. +# These should go in the member's configuration block. +# +# [*public_virtual_ip*] +# Address in which the proxy endpoint will be listening in the public network. +# If this service is internal only this should be ommitted. +# Defaults to undef. +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. +# Defaults to undef. +# +# [*public_certificate*] +# Certificate path used to enable TLS for the public proxy endpoint. +# Defaults to undef. +# +# [*use_internal_certificates*] +# Flag that indicates if we'll use an internal certificate for this specific +# service. When set, enables SSL on the internal API endpoints using the file +# that certmonger is tracking; this is derived from the network the service is +# listening on. +# Defaults to false +# +# [*internal_certificates_specs*] +# A hash that should contain the specs that were used to create the +# certificates. As the name indicates, only the internal certificates will be +# fetched from here. And the keys should follow the following pattern +# "haproxy-<network name>". The network name should be as it was defined in +# tripleo-heat-templates. +# Note that this is only taken into account if the $use_internal_certificates +# flag is set. +# Defaults to {} +# +# [*service_network*] +# (optional) Indicates the network that the service is running on. Used for +# fetching the certificate for that specific network. +# Defaults to undef +# +class tripleo::haproxy::horizon_endpoint ( + $internal_ip, + $ip_addresses, + $server_names, + $member_options, + $public_virtual_ip, + $haproxy_listen_bind_param = undef, + $public_certificate = undef, + $use_internal_certificates = false, + $internal_certificates_specs = {}, + $service_network = undef, +) { + # service exposed to the public network + if $public_certificate { + if $use_internal_certificates { + if !$service_network { + fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") + } + # NOTE(jaosorior): The key of the internal_certificates_specs hash must + # must match the convention haproxy-<network name> or else this + # will fail. Futherly, it must contain the path that we'll use under + # 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]) + } else { + # If no internal cert is given, we still configure TLS for the internal + # network, however, we expect that the public certificate has appropriate + # subjectaltnames set. + $internal_bind_opts = union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]) + } + # NOTE(jaosorior): If the internal_ip and the public_virtual_ip are the + # same, the first option takes precedence. Which is the case when network + # isolation is not enabled. This is not a problem as both options are + # identical. If network isolation is enabled, this works correctly and + # will add a TLS binding to both the internal_ip and the + # public_virtual_ip. + # Even though for the public_virtual_ip the port 80 is listening, we + # redirect to https in the horizon_options below. + $horizon_bind_opts = { + "${internal_ip}:80" => $haproxy_listen_bind_param, + "${internal_ip}:443" => $internal_bind_opts, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. + 'redirect' => 'scheme https code 301 if !{ ssl_fc }', + 'option' => [ 'forwardfor', 'httpchk' ], + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } + } else { + $horizon_bind_opts = { + "${internal_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'option' => [ 'forwardfor', 'httpchk' ], + } + } + + if $use_internal_certificates { + # Use SSL port if TLS in the internal network is enabled. + $backend_port = '443' + } else { + $backend_port = '80' + } + + haproxy::listen { 'horizon': + bind => $horizon_bind_opts, + options => $horizon_options, + mode => 'http', + collect_exported => false, + } + haproxy::balancermember { 'horizon': + listening_service => 'horizon', + ports => $backend_port, + ipaddresses => $ip_addresses, + server_names => $server_names, + options => union($member_options, ["cookie ${::hostname}"]), + } +} diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp index 40a0a99..48bf4b8 100644 --- a/manifests/profile/base/barbican/api.pp +++ b/manifests/profile/base/barbican/api.pp @@ -129,10 +129,6 @@ class tripleo::profile::base::barbican::api ( include ::tripleo::profile::base::barbican - if $step >= 3 and $sync_db { - include ::barbican::db::mysql - } - if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl))) class { '::barbican::api': diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 7e7d68b..7bb8c74 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -171,6 +171,9 @@ class tripleo::profile::base::database::mysql ( if hiera('cinder_api_enabled', false) { include ::cinder::db::mysql } + if hiera('barbican_api_enabled', false) { + include ::barbican::db::mysql + } if hiera('congress_enabled', false) { include ::congress::db::mysql } diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp index 3f01d01..9441329 100644 --- a/manifests/profile/base/horizon.pp +++ b/manifests/profile/base/horizon.pp @@ -27,6 +27,27 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*horizon_network*] +# (Optional) The network name where the horizon endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('horizon_network', undef) +# # [*neutron_options*] # (Optional) A hash of parameters to enable features specific to Neutron # Defaults to hiera('horizon::neutron_options', {}) @@ -36,10 +57,13 @@ # Defaults to hiera('memcached_node_ips') # class tripleo::profile::base::horizon ( - $step = Integer(hiera('step')), - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $neutron_options = hiera('horizon::neutron_options', {}), - $memcached_ips = hiera('memcached_node_ips') + $step = Integer(hiera('step')), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $horizon_network = hiera('horizon_network', undef), + $neutron_options = hiera('horizon::neutron_options', {}), + $memcached_ips = hiera('memcached_node_ips') ) { if $::hostname == downcase($bootstrap_node) { $is_bootstrap = true @@ -47,6 +71,17 @@ class tripleo::profile::base::horizon ( $is_bootstrap = false } + if $enable_internal_tls { + if !$horizon_network { + fail('horizon_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { # Horizon include ::apache::mod::remoteip @@ -68,6 +103,8 @@ class tripleo::profile::base::horizon ( class { '::horizon': cache_server_ip => $horizon_memcached_servers, neutron_options => $neutron_options_real, + horizon_cert => $tls_certfile, + horizon_key => $tls_keyfile, } } } diff --git a/metadata.json b/metadata.json index 821ce7c..82284f4 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "openstack-tripleo", - "version": "7.2.0", + "version": "7.3.0", "author": "OpenStack Contributors", "summary": "Puppet module for TripleO", "license": "Apache-2.0", diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py index bba17b6..7224ef2 100644 --- a/releasenotes/source/conf.py +++ b/releasenotes/source/conf.py @@ -53,9 +53,9 @@ copyright = u'2017, Puppet TripleO Developers' # built documents. # # The short X.Y version. -version = '7.2.0' +version = '7.3.0' # The full version, including alpha/beta/rc tags. -release = '7.2.0' +release = '7.3.0' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/spec/classes/tripleo_profile_base_barbican_api_spec.rb b/spec/classes/tripleo_profile_base_barbican_api_spec.rb index 169642e..881cc0a 100644 --- a/spec/classes/tripleo_profile_base_barbican_api_spec.rb +++ b/spec/classes/tripleo_profile_base_barbican_api_spec.rb @@ -45,7 +45,6 @@ describe 'tripleo::profile::base::barbican::api' do it 'should trigger complete configuration' do is_expected.to contain_class('tripleo::profile::base::barbican::api') is_expected.to contain_class('tripleo::profile::base::barbican') - is_expected.to contain_class('barbican::db::mysql') is_expected.to contain_class('barbican::db::sync') is_expected.to contain_class('barbican::api') is_expected.to contain_class('barbican::api::logging') @@ -64,7 +63,6 @@ describe 'tripleo::profile::base::barbican::api' do it 'should not trigger any configuration' do is_expected.to contain_class('tripleo::profile::base::barbican::api') is_expected.to contain_class('tripleo::profile::base::barbican') - is_expected.to_not contain_class('barbican::db::mysql') is_expected.to_not contain_class('barbican::db::sync') is_expected.to_not contain_class('barbican::api') is_expected.to_not contain_class('barbican::api::logging') @@ -81,7 +79,6 @@ describe 'tripleo::profile::base::barbican::api' do } } it 'should trigger complete configuration with out db items' do - is_expected.to_not contain_class('barbican::db::mysql') # TODO(aschultz): barbican::api includes this automatically #is_expected.to_not contain_class('barbican::db::sync') is_expected.to contain_class('barbican::api') |