From a173a030aa97ae17b457206cab3e657c28c04880 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 27 Sep 2016 07:15:53 +0000 Subject: Enable TLS in the internal network for ceilometer This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the ceilometer service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496 --- manifests/profile/base/ceilometer/api.pp | 55 ++++++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-) (limited to 'manifests/profile/base/ceilometer/api.pp') diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp index da94da2..6ef4748 100644 --- a/manifests/profile/base/ceilometer/api.pp +++ b/manifests/profile/base/ceilometer/api.pp @@ -18,18 +18,69 @@ # # === Parameters # +# [*ceilometer_network*] +# (Optional) The network name where the ceilometer endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('ceilometer_api_network', undef) +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: +# service_certificate: +# service_key: +# principal: "haproxy/" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::ceilometer::api ( - $step = hiera('step'), + $ceilometer_network = hiera('ceilometer_api_network', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $step = hiera('step'), ) { include ::tripleo::profile::base::ceilometer + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$ceilometer_network { + fail('ceilometer_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${ceilometer_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${ceilometer_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 4 { include ::ceilometer::api - include ::ceilometer::wsgi::apache + class { '::ceilometer::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } } } -- cgit 1.2.3-korg