summaryrefslogtreecommitdiffstats
path: root/puppet/extraconfig/tls
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/extraconfig/tls')
-rw-r--r--puppet/extraconfig/tls/ca-inject.yaml66
-rw-r--r--puppet/extraconfig/tls/no-ca.yaml17
-rw-r--r--puppet/extraconfig/tls/no-tls.yaml34
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml95
4 files changed, 212 insertions, 0 deletions
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
new file mode 100644
index 00000000..7e34f071
--- /dev/null
+++ b/puppet/extraconfig/tls/ca-inject.yaml
@@ -0,0 +1,66 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will inject the trusted anchor.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLRootCertificate:
+ description: >
+ The content of a CA's SSL certificate file in PEM format.
+ This is evaluated on the client side.
+ type: string
+ SSLRootCertificatePath:
+ default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
+ description: >
+ The filepath of the root certificate as it will be stored in the nodes.
+ Note that the path has to be one that can be picked up by the update
+ trust anchor command. e.g. in RHEL it would be
+ /etc/pki/ca-trust/source/anchors/ca.crt.pem
+ type: string
+ UpdateTrustAnchorsCommand:
+ default: update-ca-trust extract
+ description: >
+ command that will be executed to update the trust anchors.
+ type: string
+
+ # Passed in by controller.yaml
+ server:
+ description: ID of the node to apply this config to
+ type: string
+
+resources:
+ CAConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cacert_path
+ - name: cacert_content
+ - name: update_anchor_command
+ outputs:
+ - name: root_cert_md5sum
+ config: |
+ #!/bin/sh
+ cat > ${cacert_path} << EOF
+ ${cacert_content}
+ EOF
+ chmod 0440 ${cacert_path}
+ chown root:root ${cacert_path}
+ ${update_anchor_command}
+ md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
+
+ CADeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: CAConfig}
+ server: {get_param: server}
+ input_values:
+ cacert_path: {get_param: SSLRootCertificatePath}
+ cacert_content: {get_param: SSLRootCertificate}
+ update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [CADeployment, root_cert_md5sum]}
diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644
index 00000000..5862a85c
--- /dev/null
+++ b/puppet/extraconfig/tls/no-ca.yaml
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template which can be passed to the
+ OS::Nova::Server resources. This template can be replaced with
+ a different implementation via the resource registry, such that
+ deployers may customize their configuration.
+
+parameters:
+ server: # Here for compatibility with controller.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'Root CA cert injection not enabled.'
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..2da209cb
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,34 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template. This defines the parameters that
+ need to be passed in order to have TLS enabled in the controller
+ nodes. This template can be replaced with a different
+ implementation via the resource registry, such that deployers
+ may customize their configuration.
+
+parameters:
+ DeployedSSLCertificatePath:
+ default: ''
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+ NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+ default: 0
+ type: number
+ server: # Here for compatibility with tls-cert-inject.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'TLS not enabled.'
+ deployed_ssl_certificate_path:
+ value: ''
+ key_modulus_md5:
+ description: Key SSL Modulus
+ value: ''
+ cert_modulus_md5:
+ description: Certificate SSL Modulus
+ value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..739a51ad
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,95 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will build the TLS Certificates necessary
+ for the load balancer using the given parameters.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ SSLIntermediateCertificate:
+ default: ''
+ description: >
+ The content of an SSL intermediate CA certificate in PEM format.
+ type: string
+ SSLKey:
+ default: ''
+ description: >
+ The content of the SSL Key in PEM format.
+ type: string
+ hidden: true
+
+ # Can be overriden by parameter_defaults if the user wants to try deploying
+ # this in a distro that doesn't support this path.
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+
+ # Passed in by the controller
+ NodeIndex:
+ default: 0
+ type: number
+ server:
+ description: ID of the controller node to apply this config to
+ type: string
+
+resources:
+ ControllerTLSConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cert_path
+ - name: cert_chain_content
+ outputs:
+ - name: chain_md5sum
+ - name: cert_modulus
+ - name: key_modulus
+ config: |
+ #!/bin/sh
+ cat << EOF | tee ${cert_path} > /dev/null
+ ${cert_chain_content}
+ EOF
+ chmod 0440 ${cert_path}
+ chown root:haproxy ${cert_path}
+ md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+ openssl x509 -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.cert_modulus
+ openssl rsa -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.key_modulus
+
+ ControllerTLSDeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: ControllerTLSConfig}
+ server: {get_param: server}
+ input_values:
+ cert_path: {get_param: DeployedSSLCertificatePath}
+ cert_chain_content:
+ list_join:
+ - ''
+ - - {get_param: SSLCertificate}
+ - {get_param: SSLIntermediateCertificate}
+ - {get_param: SSLKey}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+ deployed_ssl_certificate_path:
+ description: The location that the TLS certificate was deployed to.
+ value: {get_param: DeployedSSLCertificatePath}
+ key_modulus_md5:
+ description: MD5 checksum of the Key SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+ cert_modulus_md5:
+ description: MD5 checksum of the Certificate SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, cert_modulus]}