diff options
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/ceph-storage.yaml | 10 | ||||
-rw-r--r-- | puppet/cinder-storage.yaml | 10 | ||||
-rw-r--r-- | puppet/compute.yaml | 10 | ||||
-rw-r--r-- | puppet/controller.yaml | 61 | ||||
-rw-r--r-- | puppet/extraconfig/tls/ca-inject.yaml | 66 | ||||
-rw-r--r-- | puppet/extraconfig/tls/no-ca.yaml | 17 | ||||
-rw-r--r-- | puppet/extraconfig/tls/no-tls.yaml | 34 | ||||
-rw-r--r-- | puppet/extraconfig/tls/tls-cert-inject.yaml | 95 | ||||
-rw-r--r-- | puppet/hieradata/controller.yaml | 106 | ||||
-rw-r--r-- | puppet/manifests/overcloud_cephstorage.pp | 1 | ||||
-rw-r--r-- | puppet/manifests/overcloud_compute.pp | 1 | ||||
-rw-r--r-- | puppet/manifests/overcloud_controller.pp | 1 | ||||
-rw-r--r-- | puppet/manifests/overcloud_controller_pacemaker.pp | 1 | ||||
-rw-r--r-- | puppet/manifests/overcloud_object.pp | 1 | ||||
-rw-r--r-- | puppet/manifests/overcloud_volume.pp | 1 | ||||
-rw-r--r-- | puppet/swift-storage.yaml | 10 |
16 files changed, 406 insertions, 19 deletions
diff --git a/puppet/ceph-storage.yaml b/puppet/ceph-storage.yaml index 0bf0fde4..7d36b46c 100644 --- a/puppet/ceph-storage.yaml +++ b/puppet/ceph-storage.yaml @@ -176,6 +176,13 @@ resources: ceph::profile::params::cluster_network: {get_input: ceph_cluster_network} ceph::profile::params::public_network: {get_input: ceph_public_network} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: CephStorageDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: CephStorage} + # Hook for site-specific additional pre-deployment config, e.g extra hieradata CephStorageExtraConfigPre: depends_on: CephStorageDeployment @@ -186,7 +193,7 @@ resources: # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: CephStorageExtraConfigPre + depends_on: [CephStorageExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: CephStorage} @@ -227,5 +234,6 @@ outputs: list_join: - ',' - - {get_attr: [CephStorageDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_attr: [CephStorageExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} diff --git a/puppet/cinder-storage.yaml b/puppet/cinder-storage.yaml index b500e43b..19d5bb51 100644 --- a/puppet/cinder-storage.yaml +++ b/puppet/cinder-storage.yaml @@ -257,10 +257,17 @@ resources: snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name} snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: BlockStorageDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: BlockStorage} + # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: BlockStorageDeployment + depends_on: NodeTLSCAData type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: BlockStorage} @@ -304,4 +311,5 @@ outputs: list_join: - '' - - {get_attr: [BlockStorageDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_param: UpdateIdentifier} diff --git a/puppet/compute.yaml b/puppet/compute.yaml index 6ae39132..1d16a254 100644 --- a/puppet/compute.yaml +++ b/puppet/compute.yaml @@ -540,6 +540,13 @@ resources: enable_package_install: {get_param: EnablePackageInstall} enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: NovaComputeDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: NovaCompute} + # Hook for site-specific additional pre-deployment config, e.g extra hieradata ComputeExtraConfigPre: depends_on: NovaComputeDeployment @@ -550,7 +557,7 @@ resources: # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: ComputeExtraConfigPre + depends_on: [ComputeExtraConfigPre, NodeTLSCAData] type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: NovaCompute} @@ -602,5 +609,6 @@ outputs: list_join: - ',' - - {get_attr: [NovaComputeDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_attr: [ComputeExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 0c921eb6..9792e7dc 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -278,6 +278,14 @@ parameters: type: string default: 'regionOne' description: Keystone region for endpoint + ManageFirewall: + default: false + description: Whether to manage IPtables rules. + type: boolean + PurgeFirewallRules: + default: false + description: Whether IPtables rules should be purged before setting up the new ones. + type: boolean MysqlClusterUniquePart: description: A unique identifier of the MySQL cluster the controller is in. type: string @@ -514,20 +522,6 @@ parameters: description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true - SSLCACertificate: - default: '' - description: If set, the contents of an SSL certificate authority file. - type: string - SSLCertificate: - default: '' - description: If set, the contents of an SSL certificate .crt file for encrypting SSL endpoints. - type: string - hidden: true - SSLKey: - default: '' - description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints. - type: string - hidden: true SwiftHashSuffix: default: unset description: A random string to be used as a salt when hashing to determine mappings @@ -611,6 +605,9 @@ parameters: description: > Heat action when to apply network configuration changes default: ['CREATE'] + NodeIndex: + type: number + default: 0 resources: @@ -712,6 +709,21 @@ resources: bridge_name: br-ex interface_name: {get_param: NeutronPublicInterface} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: NetworkDeployment + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: Controller} + + # Hook for site-specific passing of private keys/certificates + NodeTLSData: + depends_on: NodeTLSCAData + type: OS::TripleO::NodeTLSData + properties: + server: {get_resource: Controller} + NodeIndex: {get_param: NodeIndex} + ControllerDeployment: type: OS::TripleO::SoftwareDeployment depends_on: NetworkDeployment @@ -825,6 +837,8 @@ resources: enable_galera: {get_param: EnableGalera} enable_ceph_storage: {get_param: EnableCephStorage} enable_swift_storage: {get_param: EnableSwiftStorage} + manage_firewall: {get_param: ManageFirewall} + purge_firewall_rules: {get_param: PurgeFirewallRules} mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize} mysql_max_connections: {get_param: MysqlMaxConnections} mysql_root_password: {get_param: MysqlRootPassword} @@ -1280,6 +1294,9 @@ resources: # Redis redis::bind: {get_input: redis_network} redis_vip: {get_input: redis_vip} + # Firewall + tripleo::firewall::manage_firewall: {get_input: manage_firewall} + tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules} # Misc memcached::listen_ip: {get_input: memcached_network} neutron_public_interface_ip: {get_input: neutron_public_interface_ip} @@ -1289,6 +1306,12 @@ resources: tripleo::loadbalancer::control_virtual_interface: {get_input: control_virtual_interface} tripleo::loadbalancer::public_virtual_interface: {get_input: public_virtual_interface} tripleo::loadbalancer::haproxy_log_address: {get_input: haproxy_log_address} + # NOTE(jaosorior): The service certificate configuration for + # HAProxy was left commented because to properly use this, we + # need to be able to set up the keystone endpoints. And + # currently that is not possible, but is being addressed by + # other commits. A subsequent commit will uncomment this. + #tripleo::loadbalancer::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]} tripleo::packages::enable_install: {get_input: enable_package_install} tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade} @@ -1302,7 +1325,7 @@ resources: # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: ControllerExtraConfigPre + depends_on: [ControllerExtraConfigPre, NodeTLSData] type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: Controller} @@ -1382,5 +1405,13 @@ outputs: list_join: - ',' - - {get_attr: [ControllerDeployment, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} + - {get_attr: [NodeTLSData, deploy_stdout]} - {get_attr: [ControllerExtraConfigPre, deploy_stdout]} - {get_param: UpdateIdentifier} + tls_key_modulus_md5: + description: MD5 checksum of the TLS Key Modulus + value: {get_attr: [NodeTLSData, key_modulus_md5]} + tls_cert_modulus_md5: + description: MD5 checksum of the TLS Certificate Modulus + value: {get_attr: [NodeTLSData, cert_modulus_md5]} diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml new file mode 100644 index 00000000..7e34f071 --- /dev/null +++ b/puppet/extraconfig/tls/ca-inject.yaml @@ -0,0 +1,66 @@ +heat_template_version: 2015-04-30 + +description: > + This is a template which will inject the trusted anchor. + +parameters: + # Can be overriden via parameter_defaults in the environment + SSLRootCertificate: + description: > + The content of a CA's SSL certificate file in PEM format. + This is evaluated on the client side. + type: string + SSLRootCertificatePath: + default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem' + description: > + The filepath of the root certificate as it will be stored in the nodes. + Note that the path has to be one that can be picked up by the update + trust anchor command. e.g. in RHEL it would be + /etc/pki/ca-trust/source/anchors/ca.crt.pem + type: string + UpdateTrustAnchorsCommand: + default: update-ca-trust extract + description: > + command that will be executed to update the trust anchors. + type: string + + # Passed in by controller.yaml + server: + description: ID of the node to apply this config to + type: string + +resources: + CAConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: cacert_path + - name: cacert_content + - name: update_anchor_command + outputs: + - name: root_cert_md5sum + config: | + #!/bin/sh + cat > ${cacert_path} << EOF + ${cacert_content} + EOF + chmod 0440 ${cacert_path} + chown root:root ${cacert_path} + ${update_anchor_command} + md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum + + CADeployment: + type: OS::Heat::SoftwareDeployment + properties: + config: {get_resource: CAConfig} + server: {get_param: server} + input_values: + cacert_path: {get_param: SSLRootCertificatePath} + cacert_content: {get_param: SSLRootCertificate} + update_anchor_command: {get_param: UpdateTrustAnchorsCommand} + +outputs: + deploy_stdout: + description: Deployment reference + value: {get_attr: [CADeployment, root_cert_md5sum]} diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml new file mode 100644 index 00000000..5862a85c --- /dev/null +++ b/puppet/extraconfig/tls/no-ca.yaml @@ -0,0 +1,17 @@ +heat_template_version: 2015-04-30 + +description: > + This is a default no-op template which can be passed to the + OS::Nova::Server resources. This template can be replaced with + a different implementation via the resource registry, such that + deployers may customize their configuration. + +parameters: + server: # Here for compatibility with controller.yaml + description: ID of the controller node to apply this config to + type: string + +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: 'Root CA cert injection not enabled.' diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml new file mode 100644 index 00000000..2da209cb --- /dev/null +++ b/puppet/extraconfig/tls/no-tls.yaml @@ -0,0 +1,34 @@ +heat_template_version: 2015-04-30 + +description: > + This is a default no-op template. This defines the parameters that + need to be passed in order to have TLS enabled in the controller + nodes. This template can be replaced with a different + implementation via the resource registry, such that deployers + may customize their configuration. + +parameters: + DeployedSSLCertificatePath: + default: '' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string + NodeIndex: # Here for compatibility with tls-cert-inject.yaml + default: 0 + type: number + server: # Here for compatibility with tls-cert-inject.yaml + description: ID of the controller node to apply this config to + type: string + +outputs: + deploy_stdout: + description: Deployment reference, used to trigger puppet apply on changes + value: 'TLS not enabled.' + deployed_ssl_certificate_path: + value: '' + key_modulus_md5: + description: Key SSL Modulus + value: '' + cert_modulus_md5: + description: Certificate SSL Modulus + value: '' diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml new file mode 100644 index 00000000..739a51ad --- /dev/null +++ b/puppet/extraconfig/tls/tls-cert-inject.yaml @@ -0,0 +1,95 @@ +heat_template_version: 2015-04-30 + +description: > + This is a template which will build the TLS Certificates necessary + for the load balancer using the given parameters. + +parameters: + # Can be overriden via parameter_defaults in the environment + SSLCertificate: + default: '' + description: > + The content of the SSL certificate (without Key) in PEM format. + type: string + SSLIntermediateCertificate: + default: '' + description: > + The content of an SSL intermediate CA certificate in PEM format. + type: string + SSLKey: + default: '' + description: > + The content of the SSL Key in PEM format. + type: string + hidden: true + + # Can be overriden by parameter_defaults if the user wants to try deploying + # this in a distro that doesn't support this path. + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string + + # Passed in by the controller + NodeIndex: + default: 0 + type: number + server: + description: ID of the controller node to apply this config to + type: string + +resources: + ControllerTLSConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + inputs: + - name: cert_path + - name: cert_chain_content + outputs: + - name: chain_md5sum + - name: cert_modulus + - name: key_modulus + config: | + #!/bin/sh + cat << EOF | tee ${cert_path} > /dev/null + ${cert_chain_content} + EOF + chmod 0440 ${cert_path} + chown root:haproxy ${cert_path} + md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum + openssl x509 -noout -modulus -in ${cert_path} \ + | openssl md5 | cut -c 10- \ + > ${heat_outputs_path}.cert_modulus + openssl rsa -noout -modulus -in ${cert_path} \ + | openssl md5 | cut -c 10- \ + > ${heat_outputs_path}.key_modulus + + ControllerTLSDeployment: + type: OS::Heat::SoftwareDeployment + properties: + config: {get_resource: ControllerTLSConfig} + server: {get_param: server} + input_values: + cert_path: {get_param: DeployedSSLCertificatePath} + cert_chain_content: + list_join: + - '' + - - {get_param: SSLCertificate} + - {get_param: SSLIntermediateCertificate} + - {get_param: SSLKey} + +outputs: + deploy_stdout: + description: Deployment reference + value: {get_attr: [ControllerTLSDeployment, chain_md5sum]} + deployed_ssl_certificate_path: + description: The location that the TLS certificate was deployed to. + value: {get_param: DeployedSSLCertificatePath} + key_modulus_md5: + description: MD5 checksum of the Key SSL Modulus + value: {get_attr: [ControllerTLSDeployment, key_modulus]} + cert_modulus_md5: + description: MD5 checksum of the Certificate SSL Modulus + value: {get_attr: [ControllerTLSDeployment, cert_modulus]} diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml index a4914c0e..f42ddf6c 100644 --- a/puppet/hieradata/controller.yaml +++ b/puppet/hieradata/controller.yaml @@ -127,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true tripleo::loadbalancer::horizon: true controller_classes: [] +# firewall +tripleo::firewall::firewall_rules: + '101 mongodb_config': + port: 27019 + '102 mongodb_sharding': + port: 27018 + '103 mongod': + port: 27017 + '104 mysql galera': + port: + - 873 + - 3306 + - 4444 + - 4567 + - 4568 + - 9200 + '105 ntp': + port: 123 + proto: udp + '106 vrrp': + proto: vrrp + '107 haproxy stats': + port: 1993 + '108 redis': + port: + - 6379 + - 26379 + '109 rabbitmq': + port: + - 5672 + - 35672 + '110 ceph': + port: + - 6789 + - '6800-6810' + '111 keystone': + port: + - 5000 + - 13000 + - 35357 + - 13357 + '112 glance': + port: + - 9292 + - 9191 + - 13292 + '113 nova': + port: + - 6080 + - 13080 + - 8773 + - 3773 + - 8774 + - 13774 + - 8775 + '114 neutron server': + port: + - 9696 + - 13696 + '115 neutron dhcp input': + proto: 'udp' + port: 67 + '116 neutron dhcp output': + proto: 'udp' + chain: 'OUTPUT' + port: 68 + '118 neutron vxlan networks': + proto: 'udp' + port: 4789 + '119 cinder': + port: + - 8776 + - 13776 + '120 iscsi initiator': + port: 3260 + '121 memcached': + port: 11211 + '122 swift proxy': + port: + - 8080 + - 13808 + '123 swift storage': + port: + - 873 + - 6000 + - 6001 + - 6002 + '124 ceilometer': + port: + - 8777 + - 13777 + '125 heat': + port: + - 8000 + - 13800 + - 8003 + - 13003 + - 8004 + - 13004 + '126 horizon': + port: + - 80 + - 443 + '127 snmp': + port: 161 + proto: 'udp' diff --git a/puppet/manifests/overcloud_cephstorage.pp b/puppet/manifests/overcloud_cephstorage.pp index 51f5e88d..7f8970cc 100644 --- a/puppet/manifests/overcloud_cephstorage.pp +++ b/puppet/manifests/overcloud_cephstorage.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/manifests/overcloud_compute.pp b/puppet/manifests/overcloud_compute.pp index cd41cc79..58182346 100644 --- a/puppet/manifests/overcloud_compute.pp +++ b/puppet/manifests/overcloud_compute.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp index 570c43ba..f758c55a 100644 --- a/puppet/manifests/overcloud_controller.pp +++ b/puppet/manifests/overcloud_controller.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall if hiera('step') >= 1 { diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp index 2a3f1f92..95b7992c 100644 --- a/puppet/manifests/overcloud_controller_pacemaker.pp +++ b/puppet/manifests/overcloud_controller_pacemaker.pp @@ -19,6 +19,7 @@ Pcmk_resource <| |> { } include ::tripleo::packages +include ::tripleo::firewall if $::hostname == downcase(hiera('bootstrap_nodeid')) { $pacemaker_master = true diff --git a/puppet/manifests/overcloud_object.pp b/puppet/manifests/overcloud_object.pp index 5f0b4c82..1eabddf1 100644 --- a/puppet/manifests/overcloud_object.pp +++ b/puppet/manifests/overcloud_object.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/manifests/overcloud_volume.pp b/puppet/manifests/overcloud_volume.pp index 7f24959a..2bdd8a9c 100644 --- a/puppet/manifests/overcloud_volume.pp +++ b/puppet/manifests/overcloud_volume.pp @@ -14,6 +14,7 @@ # under the License. include ::tripleo::packages +include ::tripleo::firewall create_resources(sysctl::value, hiera('sysctl_settings'), {}) diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml index 19a7c7a3..b1746dcb 100644 --- a/puppet/swift-storage.yaml +++ b/puppet/swift-storage.yaml @@ -218,10 +218,17 @@ resources: enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]} swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]} + # Resource for site-specific injection of root certificate + NodeTLSCAData: + depends_on: SwiftStorageHieraDeploy + type: OS::TripleO::NodeTLSCAData + properties: + server: {get_resource: SwiftStorage} + # Hook for site-specific additional pre-deployment config, # applying to all nodes, e.g node registration/unregistration NodeExtraConfig: - depends_on: SwiftStorageHieraDeploy + depends_on: NodeTLSCAData type: OS::TripleO::NodeExtraConfig properties: server: {get_resource: SwiftStorage} @@ -272,4 +279,5 @@ outputs: list_join: - ',' - - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]} + - {get_attr: [NodeTLSCAData, deploy_stdout]} - {get_param: UpdateIdentifier} |