aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/certmonger/httpd.pp62
-rw-r--r--manifests/haproxy.pp15
-rw-r--r--manifests/profile/base/keystone.pp94
-rw-r--r--manifests/profile/base/neutron/opendaylight.pp2
-rw-r--r--manifests/profile/base/neutron/plugins/ml2/opendaylight.pp7
-rw-r--r--manifests/profile/base/neutron/plugins/ovs/opendaylight.pp10
-rw-r--r--manifests/profile/base/zaqar.pp48
7 files changed, 212 insertions, 26 deletions
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
new file mode 100644
index 0000000..94b48b7
--- /dev/null
+++ b/manifests/certmonger/httpd.pp
@@ -0,0 +1,62 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::httpd
+#
+# Request a certificate for the httpd service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+# The haproxy service principal that is set for HAProxy in kerberos.
+#
+define tripleo::certmonger::httpd (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::apache::params
+
+ $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+ certmonger_certificate { $name :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+
+ Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index c4d018d..3ad10eb 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -106,6 +106,11 @@
# flag is set.
# Defaults to {}
#
+# [*enable_internal_tls*]
+# A flag that indicates if the servers in the internal network are using TLS.
+# This enables the 'ssl' option for the server members that are proxied.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*ssl_cipher_suite*]
# The default string describing the list of cipher algorithms ("cipher suite")
# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -427,6 +432,7 @@ class tripleo::haproxy (
$service_certificate = undef,
$use_internal_certificates = false,
$internal_certificates_specs = {},
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$haproxy_stats_certificate = undef,
@@ -541,6 +547,13 @@ class tripleo::haproxy (
}
$ports = merge($default_service_ports, $service_ports)
+ if $enable_internal_tls {
+ # TODO(jaosorior): change verify none to verify required.
+ $internal_tls_member_options = ['ssl', 'verify none']
+ } else {
+ $internal_tls_member_options = []
+ }
+
$controller_hosts_real = any2array(split($controller_hosts, ','))
if ! $controller_hosts_names {
$controller_hosts_names_real = $controller_hosts_real
@@ -680,6 +693,7 @@ class tripleo::haproxy (
},
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -709,6 +723,7 @@ class tripleo::haproxy (
listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index fbccdda..8a70110 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -18,18 +18,48 @@
#
# === Parameters
#
+# [*admin_endpoint_network*]
+# (Optional) The network name where the admin endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('keystone_admin_api_network', undef)
+#
# [*bootstrap_node*]
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
#
-# [*step*]
-# (Optional) The current step in deployment. See tripleo-heat-templates
-# for more details.
-# Defaults to hiera('step')
+# [*public_endpoint_network*]
+# (Optional) The network name where the admin endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('keystone_public_api_network', undef)
+#
#
# [*rabbit_hosts*]
# list of the rabbbit host IPs
@@ -38,13 +68,23 @@
# [*rabbit_port*]
# IP port for rabbitmq service
# Defaults to hiera('keystone::rabbit_port', 5672)
-
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
class tripleo::profile::base::keystone (
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $manage_db_purge = hiera('keystone_enable_db_purge', true),
- $step = hiera('step'),
- $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
- $rabbit_port = hiera('keystone::rabbit_port', 5672),
+ $admin_endpoint_network = hiera('keystone_admin_api_network', undef),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $manage_db_purge = hiera('keystone_enable_db_purge', true),
+ $public_endpoint_network = hiera('keystone_public_api_network', undef),
+ $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
+ $rabbit_port = hiera('keystone::rabbit_port', 5672),
+ $step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -58,6 +98,29 @@ class tripleo::profile::base::keystone (
$manage_domain = false
}
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$public_endpoint_network {
+ fail('keystone_public_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_key']
+
+ if !$admin_endpoint_network {
+ fail('keystone_admin_api_network is not set in the hieradata.')
+ }
+ $tls_certfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_certificate']
+ $tls_keyfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ $tls_certfile_admin = undef
+ $tls_keyfile_admin = undef
+ }
+
if $step >= 4 or ( $step >= 3 and $sync_db ) {
class { '::keystone':
sync_db => $sync_db,
@@ -66,7 +129,12 @@ class tripleo::profile::base::keystone (
}
include ::keystone::config
- include ::keystone::wsgi::apache
+ class { '::keystone::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ ssl_cert_admin => $tls_certfile_admin,
+ ssl_key_admin => $tls_keyfile_admin,
+ }
include ::keystone::cors
if $manage_roles {
@@ -153,6 +221,10 @@ class tripleo::profile::base::keystone (
if hiera('trove_api_enabled', false) {
include ::trove::keystone::auth
}
+ if hiera('zaqar_enabled', false) {
+ include ::zaqar::keystone::auth
+ include ::zaqar::keystone::auth_websocket
+ }
}
}
diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp
index ffe28ce..a3f46ec 100644
--- a/manifests/profile/base/neutron/opendaylight.pp
+++ b/manifests/profile/base/neutron/opendaylight.pp
@@ -39,7 +39,7 @@ class tripleo::profile::base::neutron::opendaylight (
if $step >= 1 {
# Configure ODL only on first controller
- if hiera('odl_on_controller') and $primary_controller == downcase($::hostname) {
+ if $primary_controller == downcase($::hostname) {
include ::opendaylight
}
}
diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
index 43ff87e..2eb09ae 100644
--- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
@@ -48,12 +48,7 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight (
) {
if $step >= 4 {
- # Figure out ODL IP
- if hiera('odl_on_controller') {
- $odl_url_ip = hiera('opendaylight_api_vip')
- } else {
- $odl_url_ip = hiera('opendaylight::odl_bind_ip')
- }
+ $odl_url_ip = hiera('opendaylight_api_vip')
if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') }
diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
index 7548046..91c5168 100644
--- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
@@ -48,14 +48,8 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight (
) {
if $step >= 4 {
- # Figure out ODL IP (and VIP if on controller)
- if hiera('odl_on_controller') {
- $opendaylight_controller_ip = $odl_api_ips[0]
- $odl_url_ip = hiera('opendaylight_api_vip')
- } else {
- $opendaylight_controller_ip = hiera('opendaylight::odl_bind_ip')
- $odl_url_ip = $opendaylight_controller_ip
- }
+ $opendaylight_controller_ip = $odl_api_ips[0]
+ $odl_url_ip = hiera('opendaylight_api_vip')
if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') }
diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp
new file mode 100644
index 0000000..6794742
--- /dev/null
+++ b/manifests/profile/base/zaqar.pp
@@ -0,0 +1,48 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::zaqar
+#
+# Zaqar profile for tripleo
+#
+# === Parameters
+#
+# [*sync_db*]
+# (Optional) Whether to run db sync
+# Defaults to true
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+class tripleo::profile::base::zaqar (
+ $step = hiera('step'),
+) {
+ if $step >= 4 {
+ include ::zaqar
+ include ::zaqar::management::mongodb
+ include ::zaqar::messaging::mongodb
+ include ::zaqar::transport::websocket
+ include ::zaqar::transport::wsgi
+
+ # TODO (bcrochet): At some point, the transports should be split out to
+ # seperate services.
+ include ::zaqar::server
+ zaqar::server_instance{ '1':
+ transport => 'websocket'
+ }
+ }
+}
+