Merge "Inject TLS certificate and keys for the Overcloud"

6 files changed, 138 insertions, 31 deletions

diff --git a/environments/enable-tls.yaml b/environments/enable-tls.yaml
new file mode 100644
index 00000000..5c2506e9
--- /dev/null
+++ b/environments/enable-tls.yaml
@@ -0,0 +1,9 @@
+parameter_defaults:
+  SSLCertificate: |
+    The contents of your certificate go here
+  SSLIntermediateCertificate: ''
+  SSLKey: |
+    The contents of the private key go here
+
+resource_registry:
+  OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml
diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml
index 4cfed6b4..bf1cc25c 100644
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@@ -33,6 +33,7 @@ resource_registry:
   # NodeExtraConfig == All nodes configuration pre service deployment
   # NodeExtraConfigPost == All nodes configuration post service deployment
   OS::TripleO::NodeUserData: firstboot/userdata_default.yaml
+  OS::TripleO::NodeTLSData: puppet/extraconfig/tls/no-tls.yaml
   OS::TripleO::ControllerExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
   OS::TripleO::ComputeExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
   OS::TripleO::CephStorageExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml
index 8efdc173..a0fc7581 100644
--- a/overcloud-without-mergepy.yaml
+++ b/overcloud-without-mergepy.yaml
@@ -498,20 +498,6 @@ parameters:
         Specifies the interface where the public-facing virtual ip will be assigned.
         This should be int_public when a VLAN is being used.
     type: string
-  SSLCertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
-    type: string
-    hidden: true
-  SSLKey:
-    default: ''
-    description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
-    type: string
-    hidden: true
-  SSLCACertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate authority file.
-    type: string
   SwiftHashSuffix:
     default: unset
     description: A random string to be used as a salt when hashing to determine mappings in the ring.
@@ -890,9 +876,6 @@ resources:
           SnmpdReadonlyUserName: {get_param: SnmpdReadonlyUserName}
           SnmpdReadonlyUserPassword: {get_param: SnmpdReadonlyUserPassword}
           RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
-          SSLCertificate: {get_param: SSLCertificate}
-          SSLKey: {get_param: SSLKey}
-          SSLCACertificate: {get_param: SSLCACertificate}
           SwiftHashSuffix: {get_param: SwiftHashSuffix}
           SwiftMountCheck: {get_param: SwiftMountCheck}
           SwiftMinPartHours: {get_param: SwiftMinPartHours}
@@ -921,6 +904,7 @@ resources:
               template: {get_param: ControllerHostnameFormat}
               params:
                 '%stackname%': {get_param: 'OS::stack_name'}
+          NodeIndex: '%index%'
 
   Compute:
     type: OS::Heat::ResourceGroup
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index d47e013e..01ff76e0 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -522,20 +522,6 @@ parameters:
     description: The user password for SNMPd with readonly rights running on all Overcloud nodes
     type: string
     hidden: true
-  SSLCACertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate authority file.
-    type: string
-  SSLCertificate:
-    default: ''
-    description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints.
-    type: string
-    hidden: true
-  SSLKey:
-    default: ''
-    description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
-    type: string
-    hidden: true
   SwiftHashSuffix:
     default: unset
     description: A random string to be used as a salt when hashing to determine mappings
@@ -619,6 +605,9 @@ parameters:
     description: >
       Heat action when to apply network configuration changes
     default: ['CREATE']
+  NodeIndex:
+    type: number
+    default: 0
 
 resources:
 
@@ -720,6 +709,14 @@ resources:
         bridge_name: br-ex
         interface_name: {get_param: NeutronPublicInterface}
 
+  # Hook for site-specific passing of private keys/certificates
+  NodeTLSData:
+    depends_on: NetworkDeployment
+    type: OS::TripleO::NodeTLSData
+    properties:
+      server: {get_resource: Controller}
+      NodeIndex: {get_param: NodeIndex}
+
   ControllerDeployment:
     type: OS::TripleO::SoftwareDeployment
     depends_on: NetworkDeployment
@@ -1302,6 +1299,12 @@ resources:
                 tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface}
                 tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface}
                 tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address}
+                # NOTE(jaosorior): The service certificate configuration for
+                # HAProxy was left commented because to properly use this, we
+                # need to be able to set up the keystone endpoints. And
+                # currently that is not possible, but is being addressed by
+                # other commits.  A subsequent commit will uncomment this.
+                #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
                 tripleo::packages::enable_install: {get_input: enable_package_install}
                 tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
 
@@ -1395,5 +1398,6 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [ControllerDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSData, deploy_stdout]}
           - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
           - {get_param: UpdateIdentifier}
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..d2dfdfa4
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,28 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template. This defines the parameters that
+  need to be passed in order to have TLS enabled in the controller
+  nodes. This template can be replaced with a different
+  implementation via the resource registry, such that deployers
+  may customize their configuration.
+
+parameters:
+  DeployedSSLCertificatePath:
+    default: ''
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
+  NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+    default: 0
+    type: number
+  server:    # Here for compatibility with tls-cert-inject.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'TLS not enabled.'
+  deployed_ssl_certificate_path:
+    value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..b4564fc7
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,81 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a template which will build the TLS Certificates necessary
+  for the load balancer using the given parameters.
+
+parameters:
+  # Can be overriden via parameter_defaults in the environment
+  SSLCertificate:
+    default: ''
+    description: >
+      The content of the SSL certificate (without Key) in PEM format.
+    type: string
+  SSLIntermediateCertificate:
+    default: ''
+    description: >
+      The content of an SSL intermediate CA certificate in PEM format.
+    type: string
+  SSLKey:
+    default: ''
+    description: >
+      The content of the SSL Key in PEM format.
+    type: string
+    hidden: true
+
+  # Can be overriden by parameter_defaults if the user wants to try deploying
+  # this in a distro that doesn't support this path.
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
+
+  # Passed in by the controller
+  NodeIndex:
+    default: 0
+    type: number
+  server:
+    description: ID of the controller node to apply this config to
+    type: string
+
+resources:
+  ControllerTLSConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: cert_path
+        - name: cert_chain_content
+      outputs:
+        - name: chain_md5sum
+      config: |
+        #!/bin/sh
+        cat << EOF | tee ${cert_path} > /dev/null
+        ${cert_chain_content}
+        EOF
+        chmod 0440 ${cert_path}
+        chown root:haproxy ${cert_path}
+        md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+
+  ControllerTLSDeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      config: {get_resource: ControllerTLSConfig}
+      server: {get_param: server}
+      input_values:
+        cert_path: {get_param: DeployedSSLCertificatePath}
+        cert_chain_content:
+          list_join:
+            - ''
+            - - {get_param: SSLCertificate}
+              - {get_param: SSLIntermediateCertificate}
+              - {get_param: SSLKey}
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference
+    value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+  deployed_ssl_certificate_path:
+    description: The location that the TLS certificate was deployed to.
+    value: {get_param: DeployedSSLCertificatePath}