5 files changed, 313 insertions, 1 deletions
diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp
new file mode 100644
index 0000000..59a3681
--- /dev/null
+++ b/manifests/certmonger/ca/crl.pp
@@ -0,0 +1,149 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == class: tripleo::certmonger::ca::crl
+#
+# Class that downloads the appropriate CRL file from the CA. This can
+# furtherly be used by services in order for proper certificate revocation to
+# come into effect. The class also sets up a cron job that will refresh the CRL
+# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
+# use DER format to distribute the CRLs, while services such as HAProxy expect
+# the CRL to be in PEM format.
+#
+# === Parameters
+#
+# [*crl_dest*]
+#   (Optional) The file where the CRL file will be stored.
+#   Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
+#
+# [*crl_source*]
+#   (Optional) The URI where the CRL file will be fetched from.
+#   Defaults to undef
+#
+# [*process*]
+#   (Optional) Whether the CRL needs processing before being used. This means
+#   transforming from DER to PEM format or viceversa. This is because most CRLs
+#   by default come in DER format, so most likely it needs to be transformed.
+#   Defaults to true
+#
+# [*crl_preprocessed*]
+#   (Optional) The pre-processed CRL file which will be transformed.
+#   Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
+#
+# [*crl_preprocessed_format*]
+#   (Optional) The pre-processed CRL file's format which will be transformed.
+#   Defaults to 'DER'
+#
+#  [*minute*]
+#   (optional) Defaults to '0'.
+#
+#  [*hour*]
+#   (optional) Defaults to '1'.
+#
+#  [*monthday*]
+#   (optional) Defaults to '*'.
+#
+#  [*month*]
+#   (optional) Defaults to '*'.
+#
+#  [*weekday*]
+#   (optional) Defaults to '6'.
+#
+#  [*maxdelay*]
+#   (optional) Seconds. Defaults to 0. Should be a positive integer.
+#   Induces a random delay before running the cronjob to avoid running all
+#   cron jobs at the same time on all hosts this job is configured.
+#
+# [*reload_cmds*]
+#   (Optional) list of commands to be executed after fetching the CRL list in
+#   the cron job. This will usually be a list of reload commands issued to
+#   services that use the CRL.
+#   Defaults to []
+#
+class tripleo::certmonger::ca::crl (
+  $crl_dest                   = '/etc/pki/CA/crl/overcloud-crl.pem',
+  $crl_source                 = undef,
+  $process                    = true,
+  $crl_preprocessed           = '/etc/pki/CA/crl/overcloud-crl.bin',
+  $crl_preprocessed_format    = 'DER',
+  $minute                     = '0',
+  $hour                       = '1',
+  $monthday                   = '*',
+  $month                      = '*',
+  $weekday                    = '6',
+  $maxdelay                   = 0,
+  $reload_cmds                = [],
+) {
+  if $crl_source {
+    $ensure = 'present'
+  } else {
+    $ensure = 'absent'
+  }
+
+  if $maxdelay == 0 {
+    $sleep = ''
+  } else {
+    $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
+  }
+
+  if $process {
+    $fetched_crl = $crl_preprocessed
+  } else {
+    $fetched_crl = $crl_dest
+  }
+
+  file { 'tripleo-ca-crl' :
+    ensure => $ensure,
+    path   => $fetched_crl,
+    source => $crl_source,
+    mode   => '0644',
+  }
+
+  if $process and $ensure == 'present' {
+    $crl_dest_format = $crl_preprocessed_format ? {
+      'PEM' => 'DER',
+      'DER' => 'PEM'
+    }
+    # transform CRL from DER to PEM or viceversa
+    $process_cmd = "openssl crl -in ${$crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
+    exec { 'tripleo-ca-crl-process-command' :
+      command     => $process_cmd,
+      path        => '/usr/bin',
+      refreshonly => true,
+      subscribe   => File['tripleo-ca-crl']
+    }
+  } else {
+    $process_cmd = []
+  }
+
+  if $ensure == 'present' {
+    # Fetch CRL in cron job and notify needed services
+    $cmd_list = concat(["${sleep}curl -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
+    $cron_cmd = join($cmd_list, ' && ')
+  } else {
+    $cron_cmd = absent
+  }
+
+  cron { 'tripleo-refresh-crl-file':
+    ensure      => $ensure,
+    command     => $cron_cmd,
+    environment => 'PATH=/usr/bin SHELL=/bin/sh',
+    user        => 'root',
+    minute      => $minute,
+    hour        => $hour,
+    monthday    => $monthday,
+    month       => $month,
+    weekday     => $weekday,
+  }
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 5f70647..208f328 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -146,6 +146,10 @@
 #  the servers it balances
 #  Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
 #
+# [*crl_file*]
+#  Path to the CRL file to be used for checking revoked certificates.
+#  Defaults to undef
+#
 # [*haproxy_stats_certificate*]
 #  Filename of an HAProxy-compatible certificate and key file
 #  When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -565,6 +569,7 @@ class tripleo::haproxy (
   $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
   $ssl_options                 = 'no-sslv3',
   $ca_bundle                   = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+  $crl_file                    = undef,
   $haproxy_stats_certificate   = undef,
   $keystone_admin              = hiera('keystone_enabled', false),
   $keystone_public             = hiera('keystone_enabled', false),
@@ -728,7 +733,13 @@ class tripleo::haproxy (
   $ports = merge($default_service_ports, $service_ports)
 
   if $enable_internal_tls {
-    $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+    $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+    if $crl_file {
+      $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+    } else {
+      $internal_tls_member_options = $base_internal_tls_member_options
+    }
     Haproxy::Balancermember {
       verifyhost => true
     }
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 4ba51ec..7a6559e 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -77,6 +77,16 @@ class tripleo::profile::base::certmonger_user (
   $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
   $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
 ) {
+  unless empty($haproxy_certificates_specs) {
+    $reload_haproxy = ['systemctl reload haproxy']
+    Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
+    Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+  } else {
+    $reload_haproxy = []
+  }
+  class { '::tripleo::certmonger::ca::crl' :
+    reload_cmds => $reload_haproxy,
+  }
   include ::tripleo::certmonger::ca::libvirt
 
   unless empty($apache_certificates_specs) {
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 29f8b75..67fbd71 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -47,6 +47,18 @@
 # [*step*]
 #   step defaults to hiera('step')
 #
+# [*configure_libvirt_polkit*]
+#   Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
+#   Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
+#
+# [*docker_nova_uid*]
+#   When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
+#   Defaults to 42436
+#
+# [*services_enabled*]
+#   List of TripleO services enabled on the role.
+#   Defaults to hiera('services_names')
+#
 class tripleo::profile::base::docker (
   $docker_namespace = undef,
   $insecure_registry = false,
@@ -55,7 +67,17 @@ class tripleo::profile::base::docker (
   $configure_storage = true,
   $storage_options = '-s overlay2',
   $step = hiera('step'),
+  $configure_libvirt_polkit = undef,
+  $docker_nova_uid = 42436,
+  $services_enabled = hiera('service_names', [])
 ) {
+
+  if $configure_libvirt_polkit == undef {
+    $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
+  } else {
+    $configure_libvirt_polkit_real = $configure_libvirt_polkit
+  }
+
   if $step >= 1 {
     package {'docker':
       ensure => installed,
@@ -130,4 +152,41 @@ class tripleo::profile::base::docker (
     }
 
   }
+  if ($step >= 4 and $configure_libvirt_polkit_real) {
+    # Workaround for polkit authorization for libvirtd socket on host
+    #
+    # This creates a local user with the kolla nova uid, and sets the polkit rule to
+    # allow both it and the nova user from the nova rpms, should it exist (uid 162).
+
+    group { 'docker_nova_group':
+      name => 'docker_nova',
+      gid  => $docker_nova_uid
+    } ->
+    user { 'docker_nova_user':
+      name    => 'docker_nova',
+      uid     => $docker_nova_uid,
+      gid     => $docker_nova_uid,
+      shell   => '/sbin/nologin',
+      comment => 'OpenStack Nova Daemons',
+      groups  => ['nobody']
+    }
+
+    # Similar to the polkit rule in the openstack-nova rpm spec
+    # but allow both the 'docker_nova' and 'nova' user
+    $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.libvirt.unix.manage" &&
+        /^(docker_)?nova$/.test(subject.user)) {
+        return polkit.Result.YES;
+    }
+});
+'
+    package {'polkit':
+      ensure => installed,
+    } ->
+    file {'/etc/polkit-1/rules.d/50-nova.rules':
+      content => $docker_nova_polkit_rule,
+      mode    => '0644'
+    }
+  }
 }
diff --git a/manifests/profile/base/novajoin.pp b/manifests/profile/base/novajoin.pp
new file mode 100644
index 0000000..f9c1ea9
--- /dev/null
+++ b/manifests/profile/base/novajoin.pp
@@ -0,0 +1,83 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::novajoin
+#
+# novajoin vendordata plugin profile for tripleo
+#
+# === Parameters
+#
+# [*service_password*]
+#   The password for the novajoin service.
+#
+# [*enable_ipa_client_install*]
+#   Enable FreeIPA client installation for the node this runs on.
+#   Defaults to false
+#
+# [*oslomsg_rpc_hosts*]
+#   list of the oslo messaging rpc host fqdns
+#   Defaults to hiera('rabbitmq_node_names')
+#
+# [*oslomsg_rpc_proto*]
+#   Protocol driver for the oslo messaging rpc service
+#   Defaults to hiera('messaging_rpc_service_name', rabbit)
+#
+# [*oslomsg_rpc_password*]
+#   Password for oslo messaging rpc service
+#   Defaults to undef
+#
+# [*oslomsg_rpc_port*]
+#   IP port for oslo messaging rpc service
+#   Defaults to '5672'
+#
+# [*oslomsg_rpc_username*]
+#   Username for oslo messaging rpc service
+#   Defaults to 'guest'
+#
+# [*oslomsg_use_ssl*]
+#   Enable ssl oslo messaging services
+#   Defaults to '0'
+#
+# [*step*]
+#   (Optional) The current step of the deployment
+#   Defaults to hiera('step')
+#
+
+class tripleo::profile::base::novajoin (
+  $service_password,
+  $enable_ipa_client_install = false,
+  $oslomsg_rpc_hosts         = any2array(hiera('rabbitmq_node_names', undef)),
+  $oslomsg_rpc_proto         = hiera('messaging_rpc_service_name', 'rabbit'),
+  $oslomsg_rpc_password      = undef,
+  $oslomsg_rpc_port          = '5672',
+  $oslomsg_rpc_username      = 'guest',
+  $oslomsg_use_ssl           = '0',
+  $step                      = hiera('step'),
+) {
+  if $step >= 3 {
+    $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
+    class { '::nova::metadata::novajoin::api' :
+      service_password          => $service_password,
+      enable_ipa_client_install => $enable_ipa_client_install,
+      transport_url             => os_transport_url({
+        'transport' => $oslomsg_rpc_proto,
+        'hosts'     => $oslomsg_rpc_hosts,
+        'port'      => sprintf('%s', $oslomsg_rpc_port),
+        'username'  => $oslomsg_rpc_username,
+        'password'  => $oslomsg_rpc_password,
+        'ssl'       => $oslomsg_use_ssl_real,
+        }),
+    }
+  }
+}