From 52925ba9cf329a7f029ca7ed196071b29d69ac08 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 4 Apr 2017 09:54:21 +0300 Subject: Add TLS in the internal network for Swift Proxy This adds the necessary bits for a TLS Proxy to be placed in front of swift proxy when TLS-everywhere is enabled. This will be furtherly cleaned up once the t-h-t bits are added. bp tls-via-certmonger Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e --- manifests/haproxy.pp | 1 + manifests/profile/base/swift/proxy.pp | 69 +++++++++++++++++++++- .../tripleo_profile_base_swift_proxy_spec.rb | 5 +- 3 files changed, 70 insertions(+), 5 deletions(-) diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index ca83407..9d8190e 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -1236,6 +1236,7 @@ class tripleo::haproxy ( listen_options => $swift_proxy_server_listen_options, public_ssl_port => $ports[swift_proxy_ssl_port], service_network => $swift_proxy_server_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 0d9ba68..3c1734b 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -46,6 +46,22 @@ # Username for messaging nova queue # Defaults to hiera('swift::proxy::ceilometer::rabbit_user', 'guest') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: +# service_certificate: +# service_key: +# principal: "haproxy/" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*memcache_port*] # (Optional) memcache port # Defaults to 11211 @@ -59,6 +75,26 @@ # for more details. # Defaults to hiera('step') # +# [*swift_proxy_network*] +# (Optional) The network name where the swift proxy endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('swift_proxy_network', undef) +# +# [*tls_proxy_bind_ip*] +# IP on which the TLS proxy will listen on. Required only if +# enable_internal_tls is set. +# Defaults to hiera('swift::proxy::proxy_local_net_ip') +# +# [*tls_proxy_fqdn*] +# fqdn on which the tls proxy will listen on. required only used if +# enable_internal_tls is set. +# defaults to undef +# +# [*tls_proxy_port*] +# port on which the tls proxy will listen on. Only used if +# enable_internal_tls is set. +# defaults to 8080 +# class tripleo::profile::base::swift::proxy ( $ceilometer_enabled = true, $ceilometer_messaging_driver = hiera('messaging_notify_service_name', 'rabbit'), @@ -67,14 +103,45 @@ class tripleo::profile::base::swift::proxy ( $ceilometer_messaging_port = hiera('tripleo::profile::base::swift::proxy::rabbit_port', '5672'), $ceilometer_messaging_use_ssl = '0', $ceilometer_messaging_username = hiera('swift::proxy::ceilometer::rabbit_user', 'guest'), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), $memcache_port = 11211, $memcache_servers = hiera('memcached_node_ips'), $step = hiera('step'), + $swift_proxy_network = hiera('swift_proxy_network', undef), + # FIXME(jaosorior): This will be undef when we pass this to t-h-t + $tls_proxy_bind_ip = hiera('swift::proxy::proxy_local_net_ip', '127.0.0.1'), + $tls_proxy_fqdn = undef, + $tls_proxy_port = 8080, ) { if $step >= 4 { + if $enable_internal_tls { + if !$swift_proxy_network { + fail('swift_proxy_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${swift_proxy_network}"]['service_key'] + + ::tripleo::tls_proxy { 'swift-proxy-api': + # FIXME(jaosorior): This will be cleaned up in a subsequent commit. + servername => hiera("fqdn_${swift_proxy_network}", $tls_proxy_fqdn), + ip => $tls_proxy_bind_ip, + port => $tls_proxy_port, + tls_cert => $tls_certfile, + tls_key => $tls_keyfile, + notify => Class['::neutron::server'], + } + # FIXME(jaosorior): This will be cleaned up when we pass it via t-h-t + $proxy_bind_ip = 'localhost' + } else { + # FIXME(jaosorior): This will be cleaned up when we pass it via t-h-t + $proxy_bind_ip = $tls_proxy_bind_ip + } $swift_memcache_servers = suffix(any2array(normalize_ip_for_uri($memcache_servers)), ":${memcache_port}") include ::swift::config - include ::swift::proxy + class { '::swift::proxy' : + proxy_local_net_ip => $proxy_bind_ip, + } include ::swift::proxy::proxy_logging include ::swift::proxy::healthcheck class { '::swift::proxy::cache': diff --git a/spec/classes/tripleo_profile_base_swift_proxy_spec.rb b/spec/classes/tripleo_profile_base_swift_proxy_spec.rb index 68d7dde..3c0ad91 100644 --- a/spec/classes/tripleo_profile_base_swift_proxy_spec.rb +++ b/spec/classes/tripleo_profile_base_swift_proxy_spec.rb @@ -27,10 +27,7 @@ describe 'tripleo::profile::base::swift::proxy' do "class { '::swift': swift_hash_path_prefix => 'foo', } - include ::memcached - class { '::swift::proxy': - proxy_local_net_ip => '127.0.0.1', - }" + include ::memcached" end context 'with ipv4 memcache servers' do -- cgit 1.2.3-korg