summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2015-11-25 17:57:38 +0000
committerGerrit Code Review <review@openstack.org>2015-11-25 17:57:38 +0000
commitd35f067ce1dc0bf48251f89cd1dcdeecbf35cc17 (patch)
tree6b59bb43977060186488e594d36047c912f7b057
parent83fd16ecf46f9848247ea9676cacf195db71da21 (diff)
parent97b12afbadeadac0be348b7cc263b090f6e6f0b8 (diff)
Merge "Inject TLS certificate and keys for the Overcloud"
-rw-r--r--environments/enable-tls.yaml9
-rw-r--r--overcloud-resource-registry-puppet.yaml1
-rw-r--r--overcloud-without-mergepy.yaml18
-rw-r--r--puppet/controller.yaml32
-rw-r--r--puppet/extraconfig/tls/no-tls.yaml28
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml81
6 files changed, 138 insertions, 31 deletions
diff --git a/environments/enable-tls.yaml b/environments/enable-tls.yaml
new file mode 100644
index 00000000..5c2506e9
--- /dev/null
+++ b/environments/enable-tls.yaml
@@ -0,0 +1,9 @@
+parameter_defaults:
+ SSLCertificate: |
+ The contents of your certificate go here
+ SSLIntermediateCertificate: ''
+ SSLKey: |
+ The contents of the private key go here
+
+resource_registry:
+ OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml
diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml
index 4cfed6b4..bf1cc25c 100644
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@@ -33,6 +33,7 @@ resource_registry:
# NodeExtraConfig == All nodes configuration pre service deployment
# NodeExtraConfigPost == All nodes configuration post service deployment
OS::TripleO::NodeUserData: firstboot/userdata_default.yaml
+ OS::TripleO::NodeTLSData: puppet/extraconfig/tls/no-tls.yaml
OS::TripleO::ControllerExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
OS::TripleO::ComputeExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
OS::TripleO::CephStorageExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml
index 8efdc173..a0fc7581 100644
--- a/overcloud-without-mergepy.yaml
+++ b/overcloud-without-mergepy.yaml
@@ -498,20 +498,6 @@ parameters:
Specifies the interface where the public-facing virtual ip will be assigned.
This should be int_public when a VLAN is being used.
type: string
- SSLCertificate:
- default: ''
- description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
- type: string
- hidden: true
- SSLKey:
- default: ''
- description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
- type: string
- hidden: true
- SSLCACertificate:
- default: ''
- description: If set, the contents of an SSL certificate authority file.
- type: string
SwiftHashSuffix:
default: unset
description: A random string to be used as a salt when hashing to determine mappings in the ring.
@@ -890,9 +876,6 @@ resources:
SnmpdReadonlyUserName: {get_param: SnmpdReadonlyUserName}
SnmpdReadonlyUserPassword: {get_param: SnmpdReadonlyUserPassword}
RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
- SSLCertificate: {get_param: SSLCertificate}
- SSLKey: {get_param: SSLKey}
- SSLCACertificate: {get_param: SSLCACertificate}
SwiftHashSuffix: {get_param: SwiftHashSuffix}
SwiftMountCheck: {get_param: SwiftMountCheck}
SwiftMinPartHours: {get_param: SwiftMinPartHours}
@@ -921,6 +904,7 @@ resources:
template: {get_param: ControllerHostnameFormat}
params:
'%stackname%': {get_param: 'OS::stack_name'}
+ NodeIndex: '%index%'
Compute:
type: OS::Heat::ResourceGroup
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index d47e013e..01ff76e0 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -522,20 +522,6 @@ parameters:
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true
- SSLCACertificate:
- default: ''
- description: If set, the contents of an SSL certificate authority file.
- type: string
- SSLCertificate:
- default: ''
- description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
- type: string
- hidden: true
- SSLKey:
- default: ''
- description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
- type: string
- hidden: true
SwiftHashSuffix:
default: unset
description: A random string to be used as a salt when hashing to determine mappings
@@ -619,6 +605,9 @@ parameters:
description: >
Heat action when to apply network configuration changes
default: ['CREATE']
+ NodeIndex:
+ type: number
+ default: 0
resources:
@@ -720,6 +709,14 @@ resources:
bridge_name: br-ex
interface_name: {get_param: NeutronPublicInterface}
+ # Hook for site-specific passing of private keys/certificates
+ NodeTLSData:
+ depends_on: NetworkDeployment
+ type: OS::TripleO::NodeTLSData
+ properties:
+ server: {get_resource: Controller}
+ NodeIndex: {get_param: NodeIndex}
+
ControllerDeployment:
type: OS::TripleO::SoftwareDeployment
depends_on: NetworkDeployment
@@ -1302,6 +1299,12 @@ resources:
tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface}
tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface}
tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address}
+ # NOTE(jaosorior): The service certificate configuration for
+ # HAProxy was left commented because to properly use this, we
+ # need to be able to set up the keystone endpoints. And
+ # currently that is not possible, but is being addressed by
+ # other commits. A subsequent commit will uncomment this.
+ #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
tripleo::packages::enable_install: {get_input: enable_package_install}
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
@@ -1395,5 +1398,6 @@ outputs:
list_join:
- ','
- - {get_attr: [ControllerDeployment, deploy_stdout]}
+ - {get_attr: [NodeTLSData, deploy_stdout]}
- {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..d2dfdfa4
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,28 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template. This defines the parameters that
+ need to be passed in order to have TLS enabled in the controller
+ nodes. This template can be replaced with a different
+ implementation via the resource registry, such that deployers
+ may customize their configuration.
+
+parameters:
+ DeployedSSLCertificatePath:
+ default: ''
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+ NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+ default: 0
+ type: number
+ server: # Here for compatibility with tls-cert-inject.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'TLS not enabled.'
+ deployed_ssl_certificate_path:
+ value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..b4564fc7
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,81 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will build the TLS Certificates necessary
+ for the load balancer using the given parameters.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ SSLIntermediateCertificate:
+ default: ''
+ description: >
+ The content of an SSL intermediate CA certificate in PEM format.
+ type: string
+ SSLKey:
+ default: ''
+ description: >
+ The content of the SSL Key in PEM format.
+ type: string
+ hidden: true
+
+ # Can be overriden by parameter_defaults if the user wants to try deploying
+ # this in a distro that doesn't support this path.
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+
+ # Passed in by the controller
+ NodeIndex:
+ default: 0
+ type: number
+ server:
+ description: ID of the controller node to apply this config to
+ type: string
+
+resources:
+ ControllerTLSConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cert_path
+ - name: cert_chain_content
+ outputs:
+ - name: chain_md5sum
+ config: |
+ #!/bin/sh
+ cat << EOF | tee ${cert_path} > /dev/null
+ ${cert_chain_content}
+ EOF
+ chmod 0440 ${cert_path}
+ chown root:haproxy ${cert_path}
+ md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+
+ ControllerTLSDeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: ControllerTLSConfig}
+ server: {get_param: server}
+ input_values:
+ cert_path: {get_param: DeployedSSLCertificatePath}
+ cert_chain_content:
+ list_join:
+ - ''
+ - - {get_param: SSLCertificate}
+ - {get_param: SSLIntermediateCertificate}
+ - {get_param: SSLKey}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+ deployed_ssl_certificate_path:
+ description: The location that the TLS certificate was deployed to.
+ value: {get_param: DeployedSSLCertificatePath}