aboutsummaryrefslogtreecommitdiffstats
path: root/puppet/extraconfig
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/extraconfig')
-rw-r--r--puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml92
-rw-r--r--puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml83
-rw-r--r--puppet/extraconfig/tls/ca-inject.yaml66
-rw-r--r--puppet/extraconfig/tls/no-ca.yaml17
-rw-r--r--puppet/extraconfig/tls/no-tls.yaml34
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml95
6 files changed, 387 insertions, 0 deletions
diff --git a/puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml b/puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml
new file mode 100644
index 00000000..96368e37
--- /dev/null
+++ b/puppet/extraconfig/pre_deploy/compute/nova-nuage.yaml
@@ -0,0 +1,92 @@
+heat_template_version: 2015-04-30
+
+description: Configure hieradata for Nuage configuration on the Compute
+
+parameters:
+ server:
+ description: ID of the compute node to apply this config to
+ type: string
+
+ NuageActiveController:
+ description: IP address of the Active Virtualized Services Controller (VSC)
+ type: string
+ NuageStandbyController:
+ description: IP address of the Standby Virtualized Services Controller (VSC)
+ type: string
+ NuageMetadataPort:
+ description: TCP Port to listen for metadata server requests
+ type: string
+ default: '9697'
+ NuageNovaMetadataPort:
+ description: TCP Port used by Nova metadata server
+ type: string
+ default: '8775'
+ NuageMetadataProxySharedSecret:
+ description: Shared secret to sign the instance-id request
+ type: string
+ NuageNovaClientVersion:
+ description: Client Version Nova
+ type: string
+ default: '2'
+ NuageNovaOsUsername:
+ description: Nova username in keystone_authtoken
+ type: string
+ default: 'nova'
+ NuageMetadataAgentStartWithOvs:
+ description: Set to True if nuage-metadata-agent needs to be started with nuage-openvswitch-switch
+ type: string
+ default: 'True'
+ NuageNovaApiEndpoint:
+ description: One of publicURL, internalURL, adminURL in "keystone endpoint-list"
+ type: string
+ default: 'publicURL'
+ NuageNovaRegionName:
+ description: Region name in "keystone endpoint-list"
+ type: string
+ default: 'regionOne'
+
+# Declaration of resources for the template.
+resources:
+ NovaNuageConfig:
+ type: OS::Heat::StructuredConfig
+ properties:
+ group: os-apply-config
+ config:
+ hiera:
+ datafiles:
+ nova_nuage_data:
+ mapped_data:
+ nuage::vrs::active_controller: {get_input: ActiveController}
+ nuage::vrs::standby_controller: {get_input: StandbyController}
+ nuage::metadataagent::metadata_port: {get_input: MetadataPort}
+ nuage::metadataagent::nova_metadata_port: {get_input: NovaMetadataPort}
+ nuage::metadataagent::metadata_secret: {get_input: SharedSecret}
+ nuage::metadataagent::nova_client_version: {get_input: NovaClientVersion}
+ nuage::metadataagent::nova_os_username: {get_input: NovaOsUsername}
+ nuage::metadataagent::metadata_agent_start_with_ovs: {get_input: MetadataAgentStartWithOvs}
+ nuage::metadataagent::nova_api_endpoint_type: {get_input: NovaApiEndpointType}
+ nuage::metadataagent::nova_region_name: {get_input: NovaRegionName}
+
+ NovaNuageDeployment:
+ type: OS::Heat::StructuredDeployment
+ properties:
+ config: {get_resource: NovaNuageConfig}
+ server: {get_param: server}
+ input_values:
+ ActiveController: {get_param: NuageActiveController}
+ StandbyController: {get_param: NuageStandbyController}
+ MetadataPort: {get_param: NuageMetadataPort}
+ NovaMetadataPort: {get_param: NuageNovaMetadataPort}
+ SharedSecret: {get_param: NuageMetadataProxySharedSecret}
+ NovaClientVersion: {get_param: NuageNovaClientVersion}
+ NovaOsUsername: {get_param: NuageNovaOsUsername}
+ MetadataAgentStartWithOvs: {get_param: NuageMetadataAgentStartWithOvs}
+ NovaApiEndpointType: {get_param: NuageNovaApiEndpoint}
+ NovaRegionName: {get_param: NuageNovaRegionName}
+
+# Specify output parameters that will be available
+# after the template is instantiated.
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: {get_attr: [NovaNuageDeployment, deploy_stdout]}
diff --git a/puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml b/puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml
new file mode 100644
index 00000000..60f02bf8
--- /dev/null
+++ b/puppet/extraconfig/pre_deploy/controller/neutron-nuage.yaml
@@ -0,0 +1,83 @@
+heat_template_version: 2015-04-30
+
+description: Configure hieradata for Nuage configuration on the Controller
+
+parameters:
+ server:
+ description: ID of the controller node to apply this config to
+ type: string
+
+ # Config specific parameters, to be provided via parameter_defaults
+ NeutronNuageOSControllerIp:
+ description: IP address of the OpenStack Controller
+ type: string
+
+ NeutronNuageNetPartitionName:
+ description: Specifies the title that you will see on the VSD
+ type: string
+ default: 'default_name'
+
+ NeutronNuageVSDIp:
+ description: IP address and port of the Virtual Services Directory
+ type: string
+
+ NeutronNuageVSDUsername:
+ description: Username to be used to log into VSD
+ type: string
+
+ NeutronNuageVSDPassword:
+ description: Password to be used to log into VSD
+ type: string
+
+ NeutronNuageVSDOrganization:
+ description: Organization parameter required to log into VSD
+ type: string
+ default: 'organization'
+
+ NeutronNuageBaseURIVersion:
+ description: URI version to be used based on the VSD release
+ type: string
+ default: 'default_uri_version'
+
+ NeutronNuageCMSId:
+ description: Cloud Management System ID (CMS ID) to distinguish between OS instances on the same VSD
+ type: string
+
+resources:
+ NeutronNuageConfig:
+ type: OS::Heat::StructuredConfig
+ properties:
+ group: os-apply-config
+ config:
+ hiera:
+ datafiles:
+ neutron_nuage_data:
+ mapped_data:
+ neutron::plugins::nuage::nuage_oscontroller_ip: {get_input: NuageOSControllerIp}
+ neutron::plugins::nuage::nuage_net_partition_name: {get_input: NuageNetPartitionName}
+ neutron::plugins::nuage::nuage_vsd_ip: {get_input: NuageVSDIp}
+ neutron::plugins::nuage::nuage_vsd_username: {get_input: NuageVSDUsername}
+ neutron::plugins::nuage::nuage_vsd_password: {get_input: NuageVSDPassword}
+ neutron::plugins::nuage::nuage_vsd_organization: {get_input: NuageVSDOrganization}
+ neutron::plugins::nuage::nuage_base_uri_version: {get_input: NuageBaseURIVersion}
+ neutron::plugins::nuage::nuage_cms_id: {get_input: NuageCMSId}
+
+ NeutronNuageDeployment:
+ type: OS::Heat::StructuredDeployment
+ properties:
+ config: {get_resource: NeutronNuageConfig}
+ server: {get_param: server}
+ input_values:
+ NuageOSControllerIp: {get_param: NeutronNuageOSControllerIp}
+ NuageNetPartitionName: {get_param: NeutronNuageNetPartitionName}
+ NuageVSDIp: {get_param: NeutronNuageVSDIp}
+ NuageVSDUsername: {get_param: NeutronNuageVSDUsername}
+ NuageVSDPassword: {get_param: NeutronNuageVSDPassword}
+ NuageVSDOrganization: {get_param: NeutronNuageVSDOrganization}
+ NuageBaseURIVersion: {get_param: NeutronNuageBaseURIVersion}
+ NuageCMSId: {get_param: NeutronNuageCMSId}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: {get_attr: [NeutronNuageDeployment, deploy_stdout]}
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
new file mode 100644
index 00000000..7e34f071
--- /dev/null
+++ b/puppet/extraconfig/tls/ca-inject.yaml
@@ -0,0 +1,66 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will inject the trusted anchor.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLRootCertificate:
+ description: >
+ The content of a CA's SSL certificate file in PEM format.
+ This is evaluated on the client side.
+ type: string
+ SSLRootCertificatePath:
+ default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
+ description: >
+ The filepath of the root certificate as it will be stored in the nodes.
+ Note that the path has to be one that can be picked up by the update
+ trust anchor command. e.g. in RHEL it would be
+ /etc/pki/ca-trust/source/anchors/ca.crt.pem
+ type: string
+ UpdateTrustAnchorsCommand:
+ default: update-ca-trust extract
+ description: >
+ command that will be executed to update the trust anchors.
+ type: string
+
+ # Passed in by controller.yaml
+ server:
+ description: ID of the node to apply this config to
+ type: string
+
+resources:
+ CAConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cacert_path
+ - name: cacert_content
+ - name: update_anchor_command
+ outputs:
+ - name: root_cert_md5sum
+ config: |
+ #!/bin/sh
+ cat > ${cacert_path} << EOF
+ ${cacert_content}
+ EOF
+ chmod 0440 ${cacert_path}
+ chown root:root ${cacert_path}
+ ${update_anchor_command}
+ md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
+
+ CADeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: CAConfig}
+ server: {get_param: server}
+ input_values:
+ cacert_path: {get_param: SSLRootCertificatePath}
+ cacert_content: {get_param: SSLRootCertificate}
+ update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [CADeployment, root_cert_md5sum]}
diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644
index 00000000..5862a85c
--- /dev/null
+++ b/puppet/extraconfig/tls/no-ca.yaml
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template which can be passed to the
+ OS::Nova::Server resources. This template can be replaced with
+ a different implementation via the resource registry, such that
+ deployers may customize their configuration.
+
+parameters:
+ server: # Here for compatibility with controller.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'Root CA cert injection not enabled.'
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..2da209cb
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,34 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a default no-op template. This defines the parameters that
+ need to be passed in order to have TLS enabled in the controller
+ nodes. This template can be replaced with a different
+ implementation via the resource registry, such that deployers
+ may customize their configuration.
+
+parameters:
+ DeployedSSLCertificatePath:
+ default: ''
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+ NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+ default: 0
+ type: number
+ server: # Here for compatibility with tls-cert-inject.yaml
+ description: ID of the controller node to apply this config to
+ type: string
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference, used to trigger puppet apply on changes
+ value: 'TLS not enabled.'
+ deployed_ssl_certificate_path:
+ value: ''
+ key_modulus_md5:
+ description: Key SSL Modulus
+ value: ''
+ cert_modulus_md5:
+ description: Certificate SSL Modulus
+ value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..739a51ad
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,95 @@
+heat_template_version: 2015-04-30
+
+description: >
+ This is a template which will build the TLS Certificates necessary
+ for the load balancer using the given parameters.
+
+parameters:
+ # Can be overriden via parameter_defaults in the environment
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ SSLIntermediateCertificate:
+ default: ''
+ description: >
+ The content of an SSL intermediate CA certificate in PEM format.
+ type: string
+ SSLKey:
+ default: ''
+ description: >
+ The content of the SSL Key in PEM format.
+ type: string
+ hidden: true
+
+ # Can be overriden by parameter_defaults if the user wants to try deploying
+ # this in a distro that doesn't support this path.
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
+
+ # Passed in by the controller
+ NodeIndex:
+ default: 0
+ type: number
+ server:
+ description: ID of the controller node to apply this config to
+ type: string
+
+resources:
+ ControllerTLSConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: cert_path
+ - name: cert_chain_content
+ outputs:
+ - name: chain_md5sum
+ - name: cert_modulus
+ - name: key_modulus
+ config: |
+ #!/bin/sh
+ cat << EOF | tee ${cert_path} > /dev/null
+ ${cert_chain_content}
+ EOF
+ chmod 0440 ${cert_path}
+ chown root:haproxy ${cert_path}
+ md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+ openssl x509 -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.cert_modulus
+ openssl rsa -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.key_modulus
+
+ ControllerTLSDeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ config: {get_resource: ControllerTLSConfig}
+ server: {get_param: server}
+ input_values:
+ cert_path: {get_param: DeployedSSLCertificatePath}
+ cert_chain_content:
+ list_join:
+ - ''
+ - - {get_param: SSLCertificate}
+ - {get_param: SSLIntermediateCertificate}
+ - {get_param: SSLKey}
+
+outputs:
+ deploy_stdout:
+ description: Deployment reference
+ value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+ deployed_ssl_certificate_path:
+ description: The location that the TLS certificate was deployed to.
+ value: {get_param: DeployedSSLCertificatePath}
+ key_modulus_md5:
+ description: MD5 checksum of the Key SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+ cert_modulus_md5:
+ description: MD5 checksum of the Certificate SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, cert_modulus]}