aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile')
-rw-r--r--manifests/profile/base/barbican/api.pp57
-rw-r--r--manifests/profile/base/ceph/rgw.pp20
-rw-r--r--manifests/profile/base/cinder/api.pp57
-rw-r--r--manifests/profile/base/keystone.pp41
4 files changed, 146 insertions, 29 deletions
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index 470e649..b464317 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -18,18 +18,51 @@
#
# === Parameters
#
+# [*barbican_network*]
+# (Optional) The network name where the barbican endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('barbican_api_network', undef)
+#
# [*bootstrap_node*]
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::barbican::api (
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $step = hiera('step'),
+ $barbican_network = hiera('barbican_api_network', undef),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -37,6 +70,21 @@ class tripleo::profile::base::barbican::api (
$sync_db = false
}
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$barbican_network {
+ fail('barbican_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${barbican_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${barbican_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
include ::tripleo::profile::base::barbican
if $step >= 3 and $sync_db {
@@ -51,6 +99,9 @@ class tripleo::profile::base::barbican::api (
include ::barbican::api::logging
include ::barbican::keystone::notification
include ::barbican::quota
- include ::barbican::wsgi::apache
+ class { '::barbican::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
}
}
diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 7cd2b6a..2ecca52 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -18,6 +18,14 @@
#
# === Parameters
#
+# [*civetweb_bind_ip*]
+# IP address where to bind the RGW civetweb instance
+# (Optional) Defaults to 127.0.0.1
+#
+# [*civetweb_bind_port*]
+# PORT where to bind the RGW civetweb instance
+# (Optional) Defaults to 8080
+#
# [*keystone_admin_token*]
# The keystone admin token
#
@@ -36,14 +44,22 @@ class tripleo::profile::base::ceph::rgw (
$keystone_admin_token,
$keystone_url,
$rgw_key,
- $step = hiera('step'),
+ $civetweb_bind_ip = '127.0.0.1',
+ $civetweb_bind_port = '8080',
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::ceph
if $step >= 3 {
- include ::ceph::profile::rgw
$rgw_name = hiera('ceph::profile::params::rgw_name', 'radosgw.gateway')
+ $civetweb_bind_ip_real = normalize_ip_for_uri($civetweb_bind_ip)
+ include ::ceph::params
+ include ::ceph::profile::base
+ ceph::rgw { $rgw_name:
+ frontend_type => 'civetweb',
+ rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}"
+ }
ceph::key { "client.${rgw_name}":
secret => $rgw_key,
cap_mon => 'allow *',
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index 8fcc7d6..5ea2058 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -22,14 +22,47 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*cinder_api_network*]
+# (Optional) The network name where the cinder API endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('cinder_api_network', undef)
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::api (
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $step = hiera('step'),
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $cinder_api_network = hiera('cinder_api_network', undef),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
@@ -39,9 +72,27 @@ class tripleo::profile::base::cinder::api (
include ::tripleo::profile::base::cinder
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$cinder_api_network {
+ fail('cinder_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${cinder_api_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${cinder_api_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::cinder::api
- include ::cinder::wsgi::apache
+ class { '::cinder::wsgi::apache':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ }
include ::cinder::ceilometer
include ::cinder::glance
}
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index e72798d..ff8d790 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -51,6 +51,22 @@
# creates the certificates.
# Defaults to hiera('generate_service_certificate', false).
#
+# [*heat_admin_domain*]
+# domain name for heat admin
+# Defaults to undef
+#
+# [*heat_admin_email*]
+# heat admin email address
+# Defaults to undef
+#
+# [*heat_admin_password*]
+# heat admin password
+# Defaults to undef
+#
+# [*heat_admin_user*]
+# heat admin user name
+# Defaults to undef
+#
# [*manage_db_purge*]
# (Optional) Whether keystone token flushing should be enabled
# Defaults to hiera('keystone_enable_db_purge', true)
@@ -74,38 +90,21 @@
# for more details.
# Defaults to hiera('step')
#
-# [*heat_admin_domain*]
-# domain name for heat admin
-# Defaults to hiera('heat::keystone::domain::domain_name', 'heat')
-#
-# [*heat_admin_user*]
-# heat admin user name
-# Defaults to hiera('heat::keystone::domain::domain_admin', 'heat_admin')
-#
-# [*heat_admin_email*]
-# heat admin email address
-# Defaults to hiera('heat::keystone::domain::domain_admin_email',
-# 'heat_admin@localhost')
-#
-# [*heat_admin_password*]
-# heat admin password
-# Defaults to hiera('heat::keystone::domain::domain_password')
-#
class tripleo::profile::base::keystone (
$admin_endpoint_network = hiera('keystone_admin_api_network', undef),
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_service_certificates = hiera('generate_service_certificates', false),
+ $heat_admin_domain = undef,
+ $heat_admin_email = undef,
+ $heat_admin_password = undef,
+ $heat_admin_user = undef,
$manage_db_purge = hiera('keystone_enable_db_purge', true),
$public_endpoint_network = hiera('keystone_public_api_network', undef),
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
$rabbit_port = hiera('keystone::rabbit_port', 5672),
$step = hiera('step'),
- $heat_admin_domain = hiera('heat::keystone::domain::domain_name', 'heat'),
- $heat_admin_user = hiera('heat::keystone::domain::domain_admin', 'heat_admin'),
- $heat_admin_email = hiera('heat::keystone::domain::domain_admin_email', 'heat_admin@localhost'),
- $heat_admin_password = hiera('heat::keystone::domain::domain_password'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true