Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy/endpoint.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/logging/logrotate.pp | 112 | ||||
-rw-r--r-- | manifests/profile/pacemaker/haproxy_bundle.pp | 115 | ||||
-rw-r--r-- | manifests/ui.pp | 34 |
4 files changed, 218 insertions, 44 deletions
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 3bde942..4436e19 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -133,6 +133,7 @@ define tripleo::haproxy::endpoint ( } else { # internal service only $public_bind_opts = {} + $listen_options_real = $listen_options } if $use_internal_certificates { diff --git a/manifests/profile/base/logging/logrotate.pp b/manifests/profile/base/logging/logrotate.pp new file mode 100644 index 0000000..1545875 --- /dev/null +++ b/manifests/profile/base/logging/logrotate.pp 
@@ -0,0 +1,112 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::logging::logrotate
+#
+# Installs a cron job that rotates containerized services logs.
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) String. The current step of the deployment
+# Defaults to hiera('step')
+#
+# [*ensure*]
+# (optional) Defaults to present.
+# Valid values are present, absent.
+#
+# [*minute*]
+# (optional) Defaults to '0'. Configures cron job for logrotate.
+#
+# [*hour*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*monthday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*month*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*weekday*]
+# (optional) Defaults to '*'. Configures cron job for logrotate.
+#
+# [*maxdelay*]
+# (optional) Seconds. Defaults to 90. Should be a positive integer.
+# Induces a random delay before running the cronjob to avoid running all
+# cron jobs at the same time on all hosts this job is configured.
+#
+# [*user*]
+# (optional) Defaults to 'root'. Configures cron job for logrotate.
+#
+# [*delaycompress*]
+# (optional) Defaults to True.
+# Configures the logrotate delaycompress parameter.
+#
+# [*size*]
+# (optional) Defaults to '10M'.
+# Configures the logrotate size parameter.
+#
+# [*rotate*]
+# (optional) Defaults to 14.
+# Configures the logrotate rotate parameter.
+#
+class tripleo::profile::base::logging::logrotate (
+ $step = Integer(hiera('step')),
+ $ensure = present,
+ $minute = 0,
+ $hour = '*',
+ $monthday = '*',
+ $month = '*',
+ $weekday = '*',
+ Integer $maxdelay = 90,
+ $user = 'root',
+ $delaycompress = true,
+ $size = '10M',
+ $rotate = 14,
+) {
+
+ if $step >= 4 {
+ if $maxdelay == 0 {
+ $sleep = ''
+ } else {
+ $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+ }
+
+ $svc = 'logrotate-crond'
+ $config = "/etc/${svc}.conf"
+ $state = "/var/lib/logrotate/${svc}.status"
+ $cmd = "${sleep}/usr/sbin/logrotate -s ${state} ${config}"
+
+ file { "${config}":
+ ensure => $ensure,
+ owner => $user,
+ group => $user,
+ mode => '0640',
+ content => template('tripleo/logrotate/containers_logrotate.conf.erb'),
+ }
+
+ cron { "${svc}":
+ ensure => $ensure,
+ command => "${cmd} 2>&1|logger -t ${svc}",
+ environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+ user => $user,
+ minute => $minute,
+ hour => $hour,
+ monthday => $monthday,
+ month => $month,
+ weekday => $weekday,
+ }
+ }
+}
diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp
index b785ea7..1b9a191 100644
--- a/manifests/profile/pacemaker/haproxy_bundle.pp
+++ b/manifests/profile/pacemaker/haproxy_bundle.pp
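Review bot: The cron resource in the new logrotate class passes `environment` as a single string holding two assignments, `'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh'`; Puppet's cron type expects multiple settings as an array, and written as one crontab line this would make everything after `PATH=` the value of PATH and leave SHELL unset. I would change it to `environment => ['PATH=/bin:/usr/bin:/usr/sbin', 'SHELL=/bin/sh'],`. Related, the sleep prefix depends on `${RANDOM}`, which is not POSIX sh, so with `/bin/sh` as the cron shell the random delay only works where sh is bash. The docs also say `maxdelay` should be a positive integer but the type is plain `Integer`; `Integer[0] $maxdelay = 90` would reject negative values at compile time.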
@@ -30,10 +30,34 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*ca_bundle*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::ca_bundle', undef) +# +# [*crl_file*] +# (Optional) The path to the file that contains the certificate +# revocation list. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::crl_file', undef) +# # [*deployed_ssl_cert_path*] # (Optional) The filepath of the certificate as it will be stored in # the controller. -# Defaults to '/etc/pki/tls/private/overcloud_endpoint.pem' +# Defaults to hiera('tripleo::haproxy::service_certificate', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*internal_certs_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef +# +# [*internal_keys_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates 
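Review bot: The new `internal_keys_directory` entry repeats the `internal_certs_directory` text word for word, so it documents the private-key directory as holding certificates. Suggest `# (Optional) Directory that holds the private keys to be used when` followed by `# TLS is enabled in the internal network`, and fixing "Directory the holds" and the doubled "when" in both entries. Both directories default to undef while `enable_internal_tls` is read from hiera, so the docs should also state that they must be set when internal TLS is enabled.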
@@ -45,12 +69,17 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::haproxy_bundle ( - $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), - $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), - $enable_load_balancer = hiera('enable_load_balancer', true), - $deployed_ssl_cert_path = '/etc/pki/tls/private/overcloud_endpoint.pem', - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), + $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $ca_bundle = hiera('tripleo::haproxy::ca_bundle', undef), + $crl_file = hiera('tripleo::haproxy::crl_file', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $internal_certs_directory = undef, + $internal_keys_directory = undef, + $deployed_ssl_cert_path = hiera('tripleo::haproxy::service_certificate', undef), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { include ::tripleo::profile::base::haproxy @@ -90,14 +119,8 @@ class tripleo::profile::pacemaker::haproxy_bundle ( $haproxy_nodes = hiera('haproxy_short_node_names') $haproxy_nodes_count = count($haproxy_nodes) - pacemaker::resource::bundle { 'haproxy-bundle': - image => $haproxy_docker_image, - replicas => $haproxy_nodes_count, - location_rule => $haproxy_location_rule, - container_options => 'network=host', - options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', - run_command => '/bin/bash /usr/local/bin/kolla_start', - storage_maps => { + + $storage_maps = { 'haproxy-cfg-files' => { 'source-dir' => '/var/lib/kolla/config_files/haproxy.json', 'target-dir' => '/var/lib/kolla/config_files/config.json', 
@@ -143,12 +166,68 @@ class tripleo::profile::pacemaker::haproxy_bundle ( 'target-dir' => '/dev/log', 'options' => 'rw', }, - 'haproxy-cert' => { + }; + + if $deployed_ssl_cert_path { + $cert_storage_maps = { + 'haproxy-cert' => { 'source-dir' => $deployed_ssl_cert_path, - 'target-dir' => $deployed_ssl_cert_path, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${deployed_ssl_cert_path}", 'options' => 'ro', }, - }, + } + } else { + $cert_storage_maps = {} + } + + if $enable_internal_tls { + $haproxy_storage_maps = { + 'haproxy-pki-certs' => { + 'source-dir' => $internal_certs_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_certs_directory}", + 'options' => 'ro', + }, + 'haproxy-pki-keys' => { + 'source-dir' => $internal_keys_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_keys_directory}", + 'options' => 'ro', + }, + } + if $ca_bundle { + $ca_storage_maps = { + 'haproxy-pki-ca-file' => { + 'source-dir' => $ca_bundle, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_bundle}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps = {} + } + if $crl_file { + $crl_storage_maps = { + 'haproxy-pki-crl-file' => { + 'source-dir' => $crl_file, + 'target-dir' => $crl_file, + 'options' => 'ro', + }, + } + } else { + $crl_storage_maps = {} + } + $storage_maps_internal_tls = merge($haproxy_storage_maps, $ca_storage_maps, $crl_storage_maps) + } else { + $storage_maps_internal_tls = {} + } + + pacemaker::resource::bundle { 'haproxy-bundle': + image => $haproxy_docker_image, + replicas => $haproxy_nodes_count, + location_rule => $haproxy_location_rule, + container_options => 'network=host', + options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', + run_command => '/bin/bash /usr/local/bin/kolla_start', + storage_maps => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls), } $control_vip = hiera('controller_virtual_ip') tripleo::pacemaker::haproxy_with_vip { 
'haproxy_and_control_vip': diff --git a/manifests/ui.pp b/manifests/ui.pp index d744044..cb1da21 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -31,19 +31,9 @@ # The port on which the UI is listening. # Defaults to 3000 # -# [*enabled_languages*] -# Which languages to show in the UI. -# A hash. -# Defaults to -# { -# 'de' => 'German', -# 'en' => 'English', -# 'es' => 'Spanish', -# 'id' => 'Indonesian', -# 'ja' => 'Japanese', -# 'ko-KR' => 'Korean', -# 'zh-CN' => 'Simplified Chinese' -# } +# [*excluded_languages*] +# A list of languages that shouldn't be enabled in the UI, e.g. ['en', 'de'] +# Defaults to [] # # [*endpoint_proxy_keystone*] # The keystone proxy endpoint url @@ -107,19 +97,11 @@ # Defaults to 'tripleo' # class tripleo::ui ( - $servername = $::fqdn, - $bind_host = hiera('controller_host'), - $ui_port = 3000, - $zaqar_default_queue = 'tripleo', - $enabled_languages = { - 'de' => 'German', - 'en' => 'English', - 'es' => 'Spanish', - 'id' => 'Indonesian', - 'ja' => 'Japanese', - 'ko-KR' => 'Korean', - 'zh-CN' => 'Simplified Chinese' - }, + $servername = $::fqdn, + $bind_host = hiera('controller_host'), + $ui_port = 3000, + $zaqar_default_queue = 'tripleo', + $excluded_languages = [], $endpoint_proxy_zaqar = undef, $endpoint_proxy_keystone = undef, $endpoint_proxy_heat = undef, |
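Review bot: In the `if $enable_internal_tls` branch, `$internal_certs_directory` and `$internal_keys_directory` are used without a check although both default to undef, so enabling internal TLS from hiera alone yields `haproxy-pki-certs` and `haproxy-pki-keys` maps with an undef `source-dir` and a bare `/var/lib/kolla/config_files/src-tls` target. Failing at catalog compile time is safer than a bundle that comes up without its key material: `if $enable_internal_tls and !($internal_certs_directory and $internal_keys_directory) { fail('internal_certs_directory and internal_keys_directory are required when enable_internal_tls is true') }`. Also, `haproxy-pki-crl-file` is the only TLS map mounted at its original path rather than under `src-tls`; if that is intentional, a one-line comment saying why would help the next reader. The class body starts and ends outside this hunk.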
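Review bot: The parameter hunk drops `enabled_languages` from `tripleo::ui` with no deprecation path, so hieradata or callers that still set it will presumably fail catalog compilation with an unknown-parameter error after upgrade. Consider keeping `$enabled_languages = undef` for a cycle and emitting `warning('tripleo::ui::enabled_languages is deprecated, use excluded_languages')` when it is set. The new parameter is also untyped although the docs call it a list; `Array[String] $excluded_languages = [],` would catch a hash or string passed by mistake. The class body is outside the hunk, so how the list is consumed is not visible here.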