2 files changed, 94 insertions, 0 deletions
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index 0d9ba68..e80c8c9 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -46,6 +46,22 @@
 #   Username for messaging nova queue
 #   Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest')
 #
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
 # [*memcache_port*]
 #   (Optional) memcache port
 #   Defaults to 11211
@@ -59,6 +75,26 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*swift_proxy_network*]
+#   (Optional) The network name where the swift proxy endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('swift_proxy_network', undef)
+#
+# [*tls_proxy_bind_ip*]
+#   IP on which the TLS proxy will listen on. Required only if
+#   enable_internal_tls is set.
+#   Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+#   fqdn on which the tls proxy will listen on. required only used if
+#   enable_internal_tls is set.
+#   defaults to undef
+#
+# [*tls_proxy_port*]
+#   port on which the tls proxy will listen on. Only used if
+#   enable_internal_tls is set.
+#   defaults to 8080
+#
 class tripleo::profile::base::swift::proxy (
   $ceilometer_enabled            = true,
   $ceilometer_messaging_driver   = hiera('messaging_notify_service_name', 'rabbit'),
@@ -67,11 +103,33 @@ class tripleo::profile::base::swift::proxy (
   $ceilometer_messaging_port     = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'),
   $ceilometer_messaging_use_ssl  = '0',
   $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'),
+  $certificates_specs            = hiera('apache_certificates_specs', {}),
+  $enable_internal_tls           = hiera('enable_internal_tls', false),
   $memcache_port                 = 11211,
   $memcache_servers              = hiera('memcached_node_ips'),
   $step                          = hiera('step'),
+  $swift_proxy_network           = hiera('swift_proxy_network', undef),
+  $tls_proxy_bind_ip             = undef,
+  $tls_proxy_fqdn                = undef,
+  $tls_proxy_port                = 8080,
 ) {
   if $step >= 4 {
+    if $enable_internal_tls {
+      if !$swift_proxy_network {
+        fail('swift_proxy_network is not set in the hieradata.')
+      }
+      $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate']
+      $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key']
+
+      ::tripleo::tls_proxy { 'swift-proxy-api':
+        servername => $tls_proxy_fqdn,
+        ip         => $tls_proxy_bind_ip,
+        port       => $tls_proxy_port,
+        tls_cert   => $tls_certfile,
+        tls_key    => $tls_keyfile,
+        notify     => Class['::neutron::server'],
+      }
+    }
     $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}")
     include ::swift::config
     include ::swift::proxy
diff --git a/manifests/profile/base/swift/ringbuilder.pp b/manifests/profile/base/swift/ringbuilder.pp
index 7e5fc74..f7cfea4 100644
--- a/manifests/profile/base/swift/ringbuilder.pp
+++ b/manifests/profile/base/swift/ringbuilder.pp
@@ -63,6 +63,12 @@
 #  Minimum amount of time before partitions can be moved.
 #  Defaults to undef
 #
+# [*swift_ring_get_tempurl*]
+# GET tempurl to fetch Swift rings from
+#
+# [*swift_ring_put_tempurl*]
+# PUT tempurl to upload Swift rings to
+#
 class tripleo::profile::base::swift::ringbuilder (
   $replicas,
   $build_ring  = true,
@@ -74,7 +80,23 @@ class tripleo::profile::base::swift::ringbuilder (
   $swift_storage_node_ips = hiera('swift_storage_node_ips', []),
   $part_power = undef,
   $min_part_hours = undef,
+  $swift_ring_get_tempurl = hiera('swift_ring_get_tempurl', ''),
+  $swift_ring_put_tempurl = hiera('swift_ring_put_tempurl', ''),
 ) {
+
+  if $step == 2 and $swift_ring_get_tempurl != '' {
+    exec{'fetch_swift_ring_tarball':
+      path    => ['/usr/bin'],
+      command => "curl --insecure --silent '${swift_ring_get_tempurl}' -o /tmp/swift-rings.tar.gz",
+      returns => [0, 3]
+    } ~>
+    exec{'extract_swift_ring_tarball':
+      path    => ['/bin'],
+      command => 'tar xzf /tmp/swift-rings.tar.gz -C /',
+      returns => [0, 2]
+    }
+  }
+
   if $step >= 2 {
     # pre-install swift here so we can build rings
     include ::swift
@@ -112,4 +134,18 @@ class tripleo::profile::base::swift::ringbuilder (
       Ring_object_device<| |> ~> Exec['rebalance_container']
     }
   }
+
+  if $step == 5 and $build_ring and $swift_ring_put_tempurl != '' {
+    exec{'create_swift_ring_tarball':
+      path    => ['/bin', '/usr/bin'],
+      command => 'tar cvzf /tmp/swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/',
+      unless  => 'swift-recon --md5 | grep -q "doesn\'t match"'
+    } ~>
+    exec{'upload_swift_ring_tarball':
+      path        => ['/usr/bin'],
+      command     => "curl --insecure --silent -X PUT '${$swift_ring_put_tempurl}' --data-binary @/tmp/swift-rings.tar.gz",
+      require     => Exec['create_swift_ring_tarball'],
+      refreshonly => true,
+    }
+  }
 }