7 files changed, 212 insertions, 26 deletions

diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
new file mode 100644
index 0000000..94b48b7
--- /dev/null
+++ b/manifests/certmonger/httpd.pp
@@ -0,0 +1,62 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::httpd
+#
+# Request a certificate for the httpd service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+#   The haproxy service principal that is set for HAProxy in kerberos.
+#
+define tripleo::certmonger::httpd (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $principal     = undef,
+) {
+  include ::certmonger
+  include ::apache::params
+
+  $postsave_cmd = "systemctl reload ${::apache::params::service_name}"
+  certmonger_certificate { $name :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+
+  Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index c4d018d..3ad10eb 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -106,6 +106,11 @@
 #  flag is set.
 #  Defaults to {}
 #
+# [*enable_internal_tls*]
+#  A flag that indicates if the servers in the internal network are using TLS.
+#  This enables the 'ssl' option for the server members that are proxied.
+#  Defaults to hiera('enable_internal_tls', false)
+#
 # [*ssl_cipher_suite*]
 #  The default string describing the list of cipher algorithms ("cipher suite")
 #  that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -427,6 +432,7 @@ class tripleo::haproxy (
   $service_certificate         = undef,
   $use_internal_certificates   = false,
   $internal_certificates_specs = {},
+  $enable_internal_tls         = hiera('enable_internal_tls', false),
   $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
   $ssl_options                 = 'no-sslv3',
   $haproxy_stats_certificate   = undef,
@@ -541,6 +547,13 @@ class tripleo::haproxy (
   }
   $ports = merge($default_service_ports, $service_ports)
 
+  if $enable_internal_tls {
+    # TODO(jaosorior): change verify none to verify required.
+    $internal_tls_member_options = ['ssl', 'verify none']
+  } else {
+    $internal_tls_member_options = []
+  }
+
   $controller_hosts_real = any2array(split($controller_hosts, ','))
   if ! $controller_hosts_names {
     $controller_hosts_names_real = $controller_hosts_real
@@ -680,6 +693,7 @@ class tripleo::haproxy (
       },
       public_ssl_port   => $ports[keystone_admin_api_ssl_port],
       service_network   => $keystone_admin_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
@@ -709,6 +723,7 @@ class tripleo::haproxy (
       listen_options    => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
       public_ssl_port   => $ports[keystone_public_api_ssl_port],
       service_network   => $keystone_public_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index fbccdda..8a70110 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -18,18 +18,48 @@
 #
 # === Parameters
 #
+# [*admin_endpoint_network*]
+#   (Optional) The network name where the admin endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('keystone_admin_api_network', undef)
+#
 # [*bootstrap_node*]
 #   (Optional) The hostname of the node responsible for bootstrapping tasks
 #   Defaults to hiera('bootstrap_nodeid')
 #
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+#   (Optional) Whether or not certmonger will generate certificates for
+#   HAProxy. This could be as many as specified by the $certificates_specs
+#   variable.
+#   Note that this doesn't configure the certificates in haproxy, it merely
+#   creates the certificates.
+#   Defaults to hiera('generate_service_certificate', false).
+#
 # [*manage_db_purge*]
 #   (Optional) Whether keystone token flushing should be enabled
 #   Defaults to hiera('keystone_enable_db_purge', true)
 #
-# [*step*]
-#   (Optional) The current step in deployment. See tripleo-heat-templates
-#   for more details.
-#   Defaults to hiera('step')
+# [*public_endpoint_network*]
+#   (Optional) The network name where the admin endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('keystone_public_api_network', undef)
+#
 #
 # [*rabbit_hosts*]
 #   list of the rabbbit host IPs
@@ -38,13 +68,23 @@
 # [*rabbit_port*]
 #   IP port for rabbitmq service
 #   Defaults to hiera('keystone::rabbit_port', 5672)
-
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
 class tripleo::profile::base::keystone (
-  $bootstrap_node  = hiera('bootstrap_nodeid', undef),
-  $manage_db_purge = hiera('keystone_enable_db_purge', true),
-  $step            = hiera('step'),
-  $rabbit_hosts    = hiera('rabbitmq_node_ips', undef),
-  $rabbit_port     = hiera('keystone::rabbit_port', 5672),
+  $admin_endpoint_network        = hiera('keystone_admin_api_network', undef),
+  $bootstrap_node                = hiera('bootstrap_nodeid', undef),
+  $certificates_specs            = hiera('apache_certificates_specs', {}),
+  $enable_internal_tls           = hiera('enable_internal_tls', false),
+  $generate_service_certificates = hiera('generate_service_certificates', false),
+  $manage_db_purge               = hiera('keystone_enable_db_purge', true),
+  $public_endpoint_network       = hiera('keystone_public_api_network', undef),
+  $rabbit_hosts                  = hiera('rabbitmq_node_ips', undef),
+  $rabbit_port                   = hiera('keystone::rabbit_port', 5672),
+  $step                          = hiera('step'),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -58,6 +98,29 @@ class tripleo::profile::base::keystone (
     $manage_domain = false
   }
 
+  if $enable_internal_tls {
+    if $generate_service_certificates {
+      ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+    }
+
+    if !$public_endpoint_network {
+      fail('keystone_public_api_network is not set in the hieradata.')
+    }
+    $tls_certfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_certificate']
+    $tls_keyfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_key']
+
+    if !$admin_endpoint_network {
+      fail('keystone_admin_api_network is not set in the hieradata.')
+    }
+    $tls_certfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_certificate']
+    $tls_keyfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_key']
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+    $tls_certfile_admin = undef
+    $tls_keyfile_admin = undef
+  }
+
   if $step >= 4 or ( $step >= 3 and $sync_db ) {
     class { '::keystone':
       sync_db          => $sync_db,
@@ -66,7 +129,12 @@ class tripleo::profile::base::keystone (
     }
 
     include ::keystone::config
-    include ::keystone::wsgi::apache
+    class { '::keystone::wsgi::apache':
+      ssl_cert       => $tls_certfile,
+      ssl_key        => $tls_keyfile,
+      ssl_cert_admin => $tls_certfile_admin,
+      ssl_key_admin  => $tls_keyfile_admin,
+    }
     include ::keystone::cors
 
     if $manage_roles {
@@ -153,6 +221,10 @@ class tripleo::profile::base::keystone (
     if hiera('trove_api_enabled', false) {
       include ::trove::keystone::auth
     }
+    if hiera('zaqar_enabled', false) {
+      include ::zaqar::keystone::auth
+      include ::zaqar::keystone::auth_websocket
+    }
   }
 }
 
diff --git a/manifests/profile/base/neutron/opendaylight.pp b/manifests/profile/base/neutron/opendaylight.pp
index ffe28ce..a3f46ec 100644
--- a/manifests/profile/base/neutron/opendaylight.pp
+++ b/manifests/profile/base/neutron/opendaylight.pp
@@ -39,7 +39,7 @@ class tripleo::profile::base::neutron::opendaylight (
 
   if $step >= 1 {
     # Configure ODL only on first controller
-    if hiera('odl_on_controller') and $primary_controller == downcase($::hostname) {
+    if $primary_controller == downcase($::hostname) {
       include ::opendaylight
     }
   }
diff --git a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
index 43ff87e..2eb09ae 100644
--- a/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/opendaylight.pp
@@ -48,12 +48,7 @@ class tripleo::profile::base::neutron::plugins::ml2::opendaylight (
 ) {
 
   if $step >= 4 {
-    # Figure out ODL IP
-    if hiera('odl_on_controller') {
-      $odl_url_ip = hiera('opendaylight_api_vip')
-    } else {
-      $odl_url_ip = hiera('opendaylight::odl_bind_ip')
-    }
+    $odl_url_ip = hiera('opendaylight_api_vip')
 
     if ! $odl_url_ip { fail('OpenDaylight Controller IP/VIP is Empty') }
 
diff --git a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
index 7548046..91c5168 100644
--- a/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
+++ b/manifests/profile/base/neutron/plugins/ovs/opendaylight.pp
@@ -48,14 +48,8 @@ class tripleo::profile::base::neutron::plugins::ovs::opendaylight (
 ) {
 
   if $step >= 4 {
-    # Figure out ODL IP (and VIP if on controller)
-    if hiera('odl_on_controller') {
-      $opendaylight_controller_ip = $odl_api_ips[0]
-      $odl_url_ip = hiera('opendaylight_api_vip')
-    } else {
-      $opendaylight_controller_ip = hiera('opendaylight::odl_bind_ip')
-      $odl_url_ip = $opendaylight_controller_ip
-    }
+    $opendaylight_controller_ip = $odl_api_ips[0]
+    $odl_url_ip = hiera('opendaylight_api_vip')
 
     if ! $opendaylight_controller_ip { fail('OpenDaylight Controller IP is Empty') }
 
diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp
new file mode 100644
index 0000000..6794742
--- /dev/null
+++ b/manifests/profile/base/zaqar.pp
@@ -0,0 +1,48 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::zaqar
+#
+# Zaqar profile for tripleo
+#
+# === Parameters
+#
+# [*sync_db*]
+#   (Optional) Whether to run db sync
+#   Defaults to true
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+class tripleo::profile::base::zaqar (
+  $step             = hiera('step'),
+) {
+  if $step >= 4  {
+    include ::zaqar
+    include ::zaqar::management::mongodb
+    include ::zaqar::messaging::mongodb
+    include ::zaqar::transport::websocket
+    include ::zaqar::transport::wsgi
+
+    # TODO (bcrochet): At some point, the transports should be split out to
+    # seperate services.
+    include ::zaqar::server
+    zaqar::server_instance{ '1':
+      transport => 'websocket'
+    }
+  }
+}
+