Generate internal TLS hieradata for apache services

This adds an environment file that can be used to enable TLS in the internal endpoints via certmonger if used. This will include a nested stack that will create the hash that will be used to create the certmonger certificates. When setting up a service over apache via puppet, we used to disable explicitly ssl (which sets modd_ssl-related fields for that vhost). We now make this depend on the EnableInternalTLS flag. This has only been done for keystone, but more services will be added as the puppet code lands bp tls-via-certmonger Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039 Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
author: Juan Antonio Osorio Robles <jaosorior@redhat.com> 2016-09-26 15:34:10 +0000
committer: Juan Antonio Osorio Robles <jaosorior@redhat.com> 2016-10-20 12:22:42 +0300
commit: debbfbbf8fe8702fd3202f75e049496ee9bb3ddf (patch)
tree: 1f9fa5dff8468427fbac54ef35bb80a2377f4eb9
parent: 81aa47d3143bf58cffdb0bd9fbacfd0e05e195e4 (diff)
5 files changed, 104 insertions, 20 deletions
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 801dcde9..5116c6da 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -1,2 +1,6 @@
+# A Heat environment file which can be used to enable a
+# a TLS for in the internal network via certmonger
 parameter_defaults:
   EnableInternalTLS: true
+resource_registry:
+  OS::TripleO::Services::ApacheTLS: ../../puppet/services/apache-internal-tls-certmonger.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 218cd2d3..9b9cd581 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -99,6 +99,7 @@ resource_registry:
   # services
   OS::TripleO::Services: puppet/services/services.yaml
   OS::TripleO::Services::Apache: puppet/services/apache.yaml
+  OS::TripleO::Services::ApacheTLS: OS::Heat::None
   OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
   OS::TripleO::Services::CephMon: OS::Heat::None
   OS::TripleO::Services::CephRgw: OS::Heat::None
diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..87e53f13
--- /dev/null
+++ b/puppet/services/apache-internal-tls-certmonger.yaml
@@ -0,0 +1,50 @@
+heat_template_version: 2016-10-14
+
+description: >
+  Apache service TLS configurations.
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  # The following parameters are not needed by the template but are
+  # required to pass the pep8 tests
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the Apache role.
+    value:
+      service_name: apache_internal_tls_certmonger
+      config_settings:
+        generate_service_certificates: true
+        apache_certificates_specs:
+          map_merge:
+            repeat:
+              template:
+                httpd-NETWORK:
+                  service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+                  service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+                  hostname: "%{::fqdn_NETWORK}"
+                  principal: "HTTP/%{::fqdn_NETWORK}"
+              for_each:
+                NETWORK:
+                  # NOTE(jaosorior) Get unique network names to create
+                  # certificates for those. We skip the tenant network since
+                  # we don't need a certificate for that, and the external
+                  # network will be handled in another template.
+                  yaql:
+                    expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+                    data:
+                      map:
+                        get_param: ServiceNetMap
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index c9792019..382e0ff9 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -27,6 +27,17 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+
+resources:
+
+  ApacheTLS:
+    type: OS::TripleO::Services::ApacheTLS
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
 
 outputs:
   role_data:
@@ -34,19 +45,22 @@ outputs:
     value:
       service_name: apache
       config_settings:
-        # for the given network; replacement examples (eg. for internal_api):
-        # internal_api -> IP
-        # internal_api_uri -> [IP]
-        # internal_api_subnet - > IP/CIDR
-        apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
-        apache::server_signature: 'Off'
-        apache::server_tokens: 'Prod'
-        apache_remote_proxy_ips_network:
-          str_replace:
-            template: "NETWORK_subnet"
-            params:
-              NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
-        apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
-        apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
-        apache::mod::remoteip::proxy_ips:
-          - "%{hiera('apache_remote_proxy_ips_network')}"
+        map_merge:
+          - get_attr: [ApacheTLS, role_data, config_settings]
+          -
+            # for the given network; replacement examples (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
+            apache::server_signature: 'Off'
+            apache::server_tokens: 'Prod'
+            apache_remote_proxy_ips_network:
+              str_replace:
+                template: "NETWORK_subnet"
+                params:
+                  NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
+            apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
+            apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
+            apache::mod::remoteip::proxy_ips:
+              - "%{hiera('apache_remote_proxy_ips_network')}"
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index e3531636..d424a0e8 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -98,6 +98,9 @@ parameters:
     default:
       tag: openstack.keystone
       path: /var/log/keystone/keystone.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -107,6 +110,7 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
 
 outputs:
   role_data:
@@ -163,7 +167,8 @@ outputs:
               ec2/driver:
                 value: 'keystone.contrib.ec2.backends.sql.Ec2'
             keystone::service_name: 'httpd'
-            keystone::wsgi::apache::ssl: false
+            keystone::enable_ssl: {get_param: EnableInternalTLS}
+            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             keystone::wsgi::apache::servername:
               str_replace:
                 template:
@@ -188,15 +193,25 @@ outputs:
                   - 13000
                   - 35357
                   - 13357
+            keystone::admin_bind_host:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::public_bind_host:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
             # NOTE: bind IP is found in Heat replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            # NOTE: this applies to all 4 bind IP settings below...
-            keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-            keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            # NOTE: this applies to all 2 bind IP settings below...
             keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
             keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
       step_config: |
author	Juan Antonio Osorio Robles <jaosorior@redhat.com>	2016-09-26 15:34:10 +0000
committer	Juan Antonio Osorio Robles <jaosorior@redhat.com>	2016-10-20 12:22:42 +0300
commit	debbfbbf8fe8702fd3202f75e049496ee9bb3ddf (patch)
tree	1f9fa5dff8468427fbac54ef35bb80a2377f4eb9
parent	81aa47d3143bf58cffdb0bd9fbacfd0e05e195e4 (diff)