6 files changed, 209 insertions, 18 deletions

diff --git a/manifests/profile/base/ironic/api.pp b/manifests/profile/base/ironic/api.pp
index 94b7efe..bbc91f5 100644
--- a/manifests/profile/base/ironic/api.pp
+++ b/manifests/profile/base/ironic/api.pp
@@ -18,16 +18,68 @@
 #
 # === Parameters
 #
+# [*bootstrap_node*]
+#   (Optional) The hostname of the node responsible for bootstrapping tasks
+#   Defaults to hiera('bootstrap_nodeid')
+#
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*ironic_api_network*]
+#   (Optional) The network name where the ironic API endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('ironic_api_network', undef)
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
 # [*step*]
 #   (Optional) The current step of the deployment
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::ironic::api (
-  $step = Integer(hiera('step')),
+  $bootstrap_node      = hiera('bootstrap_nodeid', undef),
+  $certificates_specs  = hiera('apache_certificates_specs', {}),
+  $ironic_api_network  = hiera('ironic_api_network', undef),
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $step                = Integer(hiera('step')),
 ) {
   include ::tripleo::profile::base::ironic
 
-  if $step >= 4 {
-      include ::ironic::api
+  if $::hostname == downcase($bootstrap_node) {
+    $is_bootstrap = true
+  } else {
+    $is_bootstrap = false
   }
+
+  if $enable_internal_tls {
+    if !$ironic_api_network {
+      fail('ironic_api_network is not set in the hieradata.')
+    }
+    $tls_certfile = $certificates_specs["httpd-${ironic_api_network}"]['service_certificate']
+    $tls_keyfile = $certificates_specs["httpd-${ironic_api_network}"]['service_key']
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+  }
+
+  if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
+    include ::ironic::api
+    include ::apache::mod::ssl
+    class { '::ironic::wsgi::apache':
+      ssl_cert => $tls_certfile,
+      ssl_key  => $tls_keyfile,
+    }
+  }
+
 }
diff --git a/manifests/profile/base/kernel.pp b/manifests/profile/base/kernel.pp
index df13a98..48caf37 100644
--- a/manifests/profile/base/kernel.pp
+++ b/manifests/profile/base/kernel.pp
@@ -17,14 +17,32 @@
 #
 # Load and configure Kernel modules.
 #
-class tripleo::profile::base::kernel {
+# === Parameters
+#
+# [*module_list*]
+#   (Optional) List of kernel modules to load.
+#   Defaults to hiera('kernel_modules')
+#
+# [*sysctl_settings*]
+#   (Optional) List of sysctl settings to load.
+#   Defaults to hiera('sysctl_settings')
+#
+class tripleo::profile::base::kernel (
+  $module_list     = hiera('kernel_modules', undef),
+  $sysctl_settings = hiera('sysctl_settings', undef),
+) {
 
-  if hiera('kernel_modules', undef) {
-    create_resources(kmod::load, hiera('kernel_modules'), { })
+  if $module_list {
+    create_resources(kmod::load, $module_list, { })
   }
-  if hiera('sysctl_settings', undef) {
-    create_resources(sysctl::value, hiera('sysctl_settings'), { })
+  if $sysctl_settings {
+    create_resources(sysctl::value, $sysctl_settings, { })
   }
   Exec <| tag == 'kmod::load' |> -> Sysctl <| |>
 
+  # RHEL 7.4+ workaround where this functionality is built into the
+  # kernel instead of being built as a module.
+  # That way, we can support both 7.3 and 7.4 RHEL versions.
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1387537
+  Exec <| title == 'modprobe nf_conntrack_proto_sctp' |> { returns => [0,1] }
 }
diff --git a/manifests/profile/base/neutron/opendaylight/configure_cluster.pp b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
new file mode 100644
index 0000000..022e8ae
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/configure_cluster.pp
@@ -0,0 +1,45 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Function: tripleo::profile::base::neutron::opendaylight::configure_cluster
+#
+# == Parameters
+#
+# [*node_name*]
+#   The short hostname of node
+#
+# [*odl_api_ips*] Array of IPs per ODL node
+#   Defaults to empty array
+#
+define tripleo::profile::base::neutron::opendaylight::configure_cluster(
+  $node_name,
+  $odl_api_ips = [],
+) {
+  validate_array($odl_api_ips)
+  if size($odl_api_ips) > 2 {
+    $node_string = split($node_name, '-')
+    $ha_node_index = $node_string[-1] + 1
+    $ha_node_ip_str = join($odl_api_ips, ' ')
+    exec { 'Configure ODL Clustering':
+      command => "configure_cluster.sh ${ha_node_index} ${ha_node_ip_str}",
+      path    => '/opt/opendaylight/bin/:/usr/sbin:/usr/bin:/sbin:/bin',
+      creates => '/opt/opendaylight/configuration/initial/akka.conf'
+    }
+  }
+}
+
diff --git a/manifests/profile/base/neutron/opendaylight/create_cluster.pp b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
new file mode 100644
index 0000000..c3e4f7f
--- /dev/null
+++ b/manifests/profile/base/neutron/opendaylight/create_cluster.pp
@@ -0,0 +1,43 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Configures an OpenDaylight cluster.
+# It creates the akka configuration file for ODL to cluster correctly
+# It will not configure clustering if less than 3 nodes
+#
+# == Class: tripleo::profile::base::neutron::opendaylight::create_cluster
+#
+# OpenDaylight class only used for creating clusters with container deployments
+#
+# === Parameters
+#
+# [*odl_api_ips*]
+#   (Optional) List of OpenStack Controller IPs for ODL API
+#   Defaults to hiera('opendaylight_api_node_ips')
+#
+# [*node_name*]
+#   (Optional) The short hostname of node
+#   Defaults to hiera('bootstack_nodeid')
+#
+class tripleo::profile::base::neutron::opendaylight::create_cluster (
+  $odl_api_ips  = hiera('opendaylight_api_node_ips'),
+  $node_name    = hiera('bootstack_nodeid')
+) {
+
+  tripleo::profile::base::neutron::opendaylight::configure_cluster {'ODL cluster':
+    node_name   => $node_name,
+    odl_api_ips => $odl_api_ips,
+  }
+
+}
diff --git a/manifests/profile/base/ui.pp b/manifests/profile/base/ui.pp
index 681496a..710c210 100644
--- a/manifests/profile/base/ui.pp
+++ b/manifests/profile/base/ui.pp
@@ -17,10 +17,6 @@
 # UI profile for tripleo
 #
 class tripleo::profile::base::ui () {
-  package {'openstack-tripleo-ui': }
-
-  include ::apache
-
   include ::tripleo::ui
 }
 
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 3aff62f..22adbe9 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -26,6 +26,27 @@
 #   (Optional) The address that the local mysql instance should bind to.
 #   Defaults to $::hostname
 #
+# [*ca_file*]
+#   (Optional) The path to the CA file that will be used for the TLS
+#   configuration. It's only used if internal TLS is enabled.
+#   Defaults to undef
+#
+# [*certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate
+#   it will create. Note that the certificate nickname must be 'mysql' in
+#   the case of this service.
+#   Example with hiera:
+#     tripleo::profile::base::database::mysql::certificate_specs:
+#       hostname: <overcloud controller fqdn>
+#       service_certificate: <service certificate path>
+#       service_key: <service key path>
+#       principal: "mysql/<overcloud controller fqdn>"
+#   Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
 # [*gmcast_listen_addr*]
 #   (Optional) This variable defines the address on which the node listens to
 #   connections from other nodes in the cluster.
@@ -41,11 +62,14 @@
 #   Defaults to hiera('pcs_tries', 20)
 #
 class tripleo::profile::pacemaker::database::mysql (
-  $bootstrap_node     = hiera('mysql_short_bootstrap_node_name'),
-  $bind_address       = $::hostname,
-  $gmcast_listen_addr = hiera('mysql_bind_host'),
-  $step               = Integer(hiera('step')),
-  $pcs_tries          = hiera('pcs_tries', 20),
+  $bootstrap_node      = hiera('mysql_short_bootstrap_node_name'),
+  $bind_address        = $::hostname,
+  $ca_file             = undef,
+  $certificate_specs   = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $gmcast_listen_addr  = hiera('mysql_bind_host'),
+  $step                = Integer(hiera('step')),
+  $pcs_tries           = hiera('pcs_tries', 20),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $pacemaker_master = true
@@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql (
   $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') }
   $cluster_host_map = join($processed_galera_name_pairs, ';')
 
+  if $enable_internal_tls {
+    $tls_certfile = $certificate_specs['service_certificate']
+    $tls_keyfile = $certificate_specs['service_key']
+    if $ca_file {
+      $tls_ca_options = "socket.ssl_ca=${ca_file}"
+    } else {
+      $tls_ca_options = ''
+    }
+    $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+  } else {
+    $tls_options = ''
+  }
+
   $mysqld_options = {
     'mysqld' => {
       'skip-name-resolve'             => '1',
@@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql (
       'wsrep_drupal_282555_workaround'=> '0',
       'wsrep_causal_reads'            => '0',
       'wsrep_sst_method'              => 'rsync',
-      'wsrep_provider_options'        => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+      'wsrep_provider_options'        => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
     }
   }