4 files changed, 212 insertions, 0 deletions
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
new file mode 100644
index 00000000..7e34f071
--- /dev/null
+++ b/puppet/extraconfig/tls/ca-inject.yaml
@@ -0,0 +1,66 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a template which will inject the trusted anchor.
+
+parameters:
+  # Can be overriden via parameter_defaults in the environment
+  SSLRootCertificate:
+    description: >
+      The content of a CA's SSL certificate file in PEM format.
+      This is evaluated on the client side.
+    type: string
+  SSLRootCertificatePath:
+    default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
+    description: >
+      The filepath of the root certificate as it will be stored in the nodes.
+      Note that the path has to be one that can be picked up by the update
+      trust anchor command. e.g. in RHEL it would be
+      /etc/pki/ca-trust/source/anchors/ca.crt.pem
+    type: string
+  UpdateTrustAnchorsCommand:
+    default: update-ca-trust extract
+    description: >
+        command that will be executed to update the trust anchors.
+    type: string
+
+  # Passed in by controller.yaml
+  server:
+    description: ID of the node to apply this config to
+    type: string
+
+resources:
+  CAConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: cacert_path
+        - name: cacert_content
+        - name: update_anchor_command
+      outputs:
+        - name: root_cert_md5sum
+      config: |
+        #!/bin/sh
+        cat > ${cacert_path} << EOF
+        ${cacert_content}
+        EOF
+        chmod 0440 ${cacert_path}
+        chown root:root ${cacert_path}
+        ${update_anchor_command}
+        md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
+
+  CADeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      config: {get_resource: CAConfig}
+      server: {get_param: server}
+      input_values:
+        cacert_path: {get_param: SSLRootCertificatePath}
+        cacert_content: {get_param: SSLRootCertificate}
+        update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference
+    value: {get_attr: [CADeployment, root_cert_md5sum]}
diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644
index 00000000..5862a85c
--- /dev/null
+++ b/puppet/extraconfig/tls/no-ca.yaml
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template which can be passed to the
+  OS::Nova::Server resources. This template can be replaced with
+  a different implementation via the resource registry, such that
+  deployers may customize their configuration.
+
+parameters:
+  server:    # Here for compatibility with controller.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'Root CA cert injection not enabled.'
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..2da209cb
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,34 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template. This defines the parameters that
+  need to be passed in order to have TLS enabled in the controller
+  nodes. This template can be replaced with a different
+  implementation via the resource registry, such that deployers
+  may customize their configuration.
+
+parameters:
+  DeployedSSLCertificatePath:
+    default: ''
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
+  NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+    default: 0
+    type: number
+  server:    # Here for compatibility with tls-cert-inject.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'TLS not enabled.'
+  deployed_ssl_certificate_path:
+    value: ''
+  key_modulus_md5:
+    description: Key SSL Modulus
+    value: ''
+  cert_modulus_md5:
+    description: Certificate SSL Modulus
+    value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..739a51ad
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,95 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a template which will build the TLS Certificates necessary
+  for the load balancer using the given parameters.
+
+parameters:
+  # Can be overriden via parameter_defaults in the environment
+  SSLCertificate:
+    default: ''
+    description: >
+      The content of the SSL certificate (without Key) in PEM format.
+    type: string
+  SSLIntermediateCertificate:
+    default: ''
+    description: >
+      The content of an SSL intermediate CA certificate in PEM format.
+    type: string
+  SSLKey:
+    default: ''
+    description: >
+      The content of the SSL Key in PEM format.
+    type: string
+    hidden: true
+
+  # Can be overriden by parameter_defaults if the user wants to try deploying
+  # this in a distro that doesn't support this path.
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
+
+  # Passed in by the controller
+  NodeIndex:
+    default: 0
+    type: number
+  server:
+    description: ID of the controller node to apply this config to
+    type: string
+
+resources:
+  ControllerTLSConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: cert_path
+        - name: cert_chain_content
+      outputs:
+        - name: chain_md5sum
+        - name: cert_modulus
+        - name: key_modulus
+      config: |
+        #!/bin/sh
+        cat << EOF | tee ${cert_path} > /dev/null
+        ${cert_chain_content}
+        EOF
+        chmod 0440 ${cert_path}
+        chown root:haproxy ${cert_path}
+        md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+        openssl x509 -noout -modulus -in ${cert_path} \
+          | openssl md5 | cut -c 10- \
+          > ${heat_outputs_path}.cert_modulus
+        openssl rsa -noout -modulus -in ${cert_path} \
+          | openssl md5 | cut -c 10- \
+          > ${heat_outputs_path}.key_modulus
+
+  ControllerTLSDeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      config: {get_resource: ControllerTLSConfig}
+      server: {get_param: server}
+      input_values:
+        cert_path: {get_param: DeployedSSLCertificatePath}
+        cert_chain_content:
+          list_join:
+            - ''
+            - - {get_param: SSLCertificate}
+              - {get_param: SSLIntermediateCertificate}
+              - {get_param: SSLKey}
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference
+    value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+  deployed_ssl_certificate_path:
+    description: The location that the TLS certificate was deployed to.
+    value: {get_param: DeployedSSLCertificatePath}
+  key_modulus_md5:
+    description: MD5 checksum of the Key SSL Modulus
+    value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+  cert_modulus_md5:
+    description: MD5 checksum of the Certificate SSL Modulus
+    value: {get_attr: [ControllerTLSDeployment, cert_modulus]}