path: root/environments/enable-internal-tls.yaml
Commit log (Age, Commit message, Author, Files changed, Lines -/+):

2017-01-25  Add novajoin entries to the TLS-everywhere environment file
            Juan Antonio Osorio Robles  1 file  -0/+9

    These metadata settings (the hardcoded metadata and the hook override)
    are used by the novajoin service when it's deployed in the undercloud,
    and will tell it to enroll the overcloud nodes and the services that
    are specified by the metadata hook.

    bp novajoin
    bp tls-via-certmonger
    Change-Id: Ia4645cc356688b7bcf82ed7765c0b74d53d64ed1

2017-01-24  Pass parameters for TLS proxy in front of Glance-API
            Juan Antonio Osorio Robles  1 file  -0/+2

    If TLS in the internal network is enabled, we run glance-api behind a
    TLS proxy (which is actually httpd's mod_proxy). This passes the
    necessary hieradata.

    bp tls-via-certmonger
    Change-Id: I693213a1f35021b540202240e512d121cc1cd0eb
    Depends-On: Id35a846d43ecae8903a0d58306d9803d5ea00bee

2016-12-07  Enable haproxy internal TLS through enable-internal-tls.yaml
            Juan Antonio Osorio Robles  1 file  -0/+1

    For usability and to reduce the number of environments that need to be
    given when enabling TLS in the internal network, it's convenient to add
    the enabling of TLS in the internal front-ends for HAProxy, instead of
    doing that in a separate environment file.

    bp tls-via-certmonger
    Change-Id: Icef0c70b4b166ce2108315d5cf0763d4e8585ae1

2016-11-25  Enable TLS in the internal network for Mysql
            Juan Antonio Osorio Robles  1 file  -0/+1

    This adds the necessary hieradata for enabling TLS for MySQL (which
    happens to run on the internal network). It also adds a template so
    this can be done via certmonger. As with other services, this will fill
    the necessary specs for the certificate to be requested in a hash that
    will be consumed in puppet-tripleo.

    Note that this only enables that we can now use TLS; however, we still
    need to configure the services (or limit the users the services use) to
    only connect via SSL. But that will be done in another patch, as there
    are some things that need to land before we can do this (changes in
    puppetlabs-mysql and puppet-openstacklib).

    Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
    Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4

2016-11-22  Fix resource_registry path in enable-internal-tls
            Juan Antonio Osorio Robles  1 file  -1/+1

    It had a wrong path and thus crashed when one tried to use it.

    Change-Id: Ida4f899c76cce6e819d7e0effaf038f699763bee
    Closes-Bug: #1643863

2016-10-20  Generate internal TLS hieradata for apache services
            Juan Antonio Osorio Robles  1 file  -0/+4

    This adds an environment file that can be used to enable TLS in the
    internal endpoints via certmonger if used. This will include a nested
    stack that will create the hash that will be used to create the
    certmonger certificates.

    When setting up a service over apache via puppet, we used to disable
    ssl explicitly (which sets mod_ssl-related fields for that vhost). We
    now make this depend on the EnableInternalTLS flag. This has only been
    done for keystone, but more services will be added as the puppet code
    lands.

    bp tls-via-certmonger
    Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
    Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c

2016-09-30  Add flag for internal TLS
            Juan Antonio Osorio Robles  1 file  -0/+2

    This sets up a flag that tells the profiles to use TLS (this will
    happen in the internal network).

    bp tls-via-certmonger
    Change-Id: If47febb5b38b1c65f60f9de87a34cb31936a7c0d
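A pre-deploy check for an environment file of this kind, added here as an example; it is not code from tripleo-heat-templates. It covers two points from the log above: the crash caused by a wrong resource_registry path (Heat resolves relative template paths from the environment file's own directory, which is what the 2016-11-22 fix corrected) and the EnableInternalTLS flag from the 2016-09-30 commit. The mini templates tree, both environment files and the resource name OS::TripleO::Services::ExampleTLS are constructed for the demo; the YAML reader handles only the two-level mapping these environment files use and stands in for yaml.safe_load so the script runs without PyYAML.

```python
"""Pre-deploy sanity check for a TripleO-style Heat environment file.

Added example, not tripleo-heat-templates code.  Heat resolves relative
paths in resource_registry from the directory of the environment file, so
a wrong path is only discovered when the deploy crashes; this check finds
it first, and also confirms the EnableInternalTLS flag is really on.
"""
import os
import tempfile

# Constructed environment files in the style of enable-internal-tls.yaml.
# OS::TripleO::Services::ExampleTLS is a placeholder resource name.
GOOD_ENV = """\
# enable TLS on the internal network (constructed sample)
parameter_defaults:
  EnableInternalTLS: true

resource_registry:
  OS::TripleO::Services::ExampleTLS: ../puppet/services/apache.yaml
"""

BAD_ENV = """\
# constructed sample with two defects: flag missing, template path one level off
parameter_defaults:
  SomeOtherParameter: 42

resource_registry:
  OS::TripleO::Services::ExampleTLS: ../puppet/apache.yaml
"""


def load_environment(text):
    """Read the two-level 'section:' / '  key: value' subset of YAML used by
    these environment files (a stand-in for yaml.safe_load, no PyYAML needed)."""
    env = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(' '):           # top-level section header
            section = line.rstrip(':').strip()
            env[section] = {}
            continue
        if section is None:
            raise ValueError('indented line before any section: %r' % raw)
        key, sep, value = line.strip().partition(': ')
        if not sep:
            raise ValueError('unsupported line (only key: value is handled): %r' % raw)
        value = value.strip()
        if value.lower() in ('true', 'false'):
            value = value.lower() == 'true'
        env[section][key.strip()] = value
    return env


def check_environment(env_path):
    """Return a list of problems found in the environment file; [] means it passes."""
    with open(env_path) as handle:
        env = load_environment(handle.read())
    env_dir = os.path.dirname(os.path.abspath(env_path))
    problems = []
    if env.get('parameter_defaults', {}).get('EnableInternalTLS') is not True:
        problems.append('EnableInternalTLS is not set to true')
    for resource, target in env.get('resource_registry', {}).items():
        if target.startswith('OS::'):          # alias to another resource type, not a file
            continue
        resolved = os.path.normpath(os.path.join(env_dir, target))
        if not os.path.isfile(resolved):
            problems.append('%s -> %s does not resolve (%s)' % (resource, target, resolved))
    return problems


def build_demo_tree():
    """Write a constructed mini templates tree to a temp dir; return (good_env, bad_env) paths."""
    root = tempfile.mkdtemp(prefix='tht-demo-')
    os.makedirs(os.path.join(root, 'puppet', 'services'))
    os.makedirs(os.path.join(root, 'environments'))
    with open(os.path.join(root, 'puppet', 'services', 'apache.yaml'), 'w') as handle:
        handle.write('heat_template_version: 2016-10-14\n')   # placeholder template body
    paths = []
    for name, body in (('good.yaml', GOOD_ENV), ('bad.yaml', BAD_ENV)):
        path = os.path.join(root, 'environments', name)
        with open(path, 'w') as handle:
            handle.write(body)
        paths.append(path)
    return tuple(paths)


if __name__ == '__main__':
    for env_file in build_demo_tree():
        print(env_file, check_environment(env_file) or 'OK')
```

Run against a real checkout, `check_environment('environments/enable-internal-tls.yaml')` reports every registry entry whose template is missing before `openstack overcloud deploy` is attempted; an empty list is the pass condition.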
# Copyright 2016 Red Hat Corporation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


"""
Network namespace emulation
"""

import logging
import os

from tools import tasks

_LOGGER = logging.getLogger(__name__)


def add_ip_to_namespace_eth(port, name, ip_addr, cidr):
    """
    Assign port ip address in namespace
    :param port: port to assign ip to
    :param name: namespace where port resides
    :param ip_addr: ip address in dot notation format
    :param cidr: cidr as string
    :return:
    """
    ip_string = '{}/{}'.format(ip_addr, cidr)
    tasks.run_task(['sudo', 'ip', 'netns', 'exec', name,
                    'ip', 'addr', 'add', ip_string, 'dev', port],
                   _LOGGER, 'Assigning ip to port {}...'.format(port), False)


def assign_port_to_namespace(port, name, port_up=False):
    """
    Assign NIC port to namespace
    :param port: port name as string
    :param name: namespace name as string
    :param port_up: Boolean if the port should be brought up on assignment
    :return: None
    """
    tasks.run_task(['sudo', 'ip', 'link', 'set',
                    'netns', name, 'dev', port],
                   _LOGGER, 'Assigning port {} to namespace {}...'.format(
                       port, name), False)
    if port_up:
        tasks.run_task(['sudo', 'ip', 'netns', 'exec', name,
                        'ip', 'link', 'set', port, 'up'],
                       _LOGGER, 'Bringing up port {}...'.format(port), False)


def create_namespace(name):
    """
    Create a linux namespace. Raises RuntimeError if namespace already exists
    in the system.
    :param name: name of the namespace to be created as string
    :return: None
    """
    if name in get_system_namespace_list():
        raise RuntimeError('Namespace already exists in system')

    # touch some files in a tmp area so we can track them separately from
    # the OS's internal namespace tracking. This allows us to track VSPerf
    # created namespaces so they can be cleaned up if needed.
    if not os.path.isdir('/tmp/namespaces'):
        try:
            os.mkdir('/tmp/namespaces')
        except os.error:
            # OK don't crash, but cleanup may be an issue...
            _LOGGER.error('Unable to create namespace temp folder.')
            _LOGGER.error(
                'Namespaces will not be removed on test case completion')
    if os.path.isdir('/tmp/namespaces'):
        with open('/tmp/namespaces/{}'.format(name), 'a'):
            os.utime('/tmp/namespaces/{}'.format(name), None)

    tasks.run_task(['sudo', 'ip', 'netns', 'add', name], _LOGGER,
                   'Creating namespace {}...'.format(name), False)
    tasks.run_task(['sudo', 'ip', 'netns', 'exec', name,
                    'ip', 'link', 'set', 'lo', 'up'], _LOGGER,
                   'Enabling loopback interface...', False)


def delete_namespace(name):
    """
    Delete linux network namespace
    :param name: namespace to delete
    :return: None
    """
    # delete the file if it exists in the temp area
    if os.path.exists('/tmp/namespaces/{}'.format(name)):
        os.remove('/tmp/namespaces/{}'.format(name))
    tasks.run_task(['sudo', 'ip', 'netns', 'delete', name], _LOGGER,
                   'Deleting namespace {}...'.format(name), False)


def get_system_namespace_list():
    """
    Return tuple of strings for namespaces on the system
    :return: tuple of namespaces as string
    """
    return tuple(os.listdir('/var/run/netns')) if os.path.exists(
        '/var/run/netns') else tuple()


def get_vsperf_namespace_list():
    """
    Return a tuple of strings for namespaces created by vsperf testcase
    :return: tuple of namespaces as string
    """
    # return a tuple, as the docstring promises and as
    # get_system_namespace_list() does, so callers can treat both alike
    if os.path.isdir('/tmp/namespaces'):
        return tuple(os.listdir('/tmp/namespaces'))
    else:
        return tuple()


def reset_port_to_root(port, name):
    """
    Return the assigned port to the root namespace
    :param port: port to return as string
    :param name: namespace the port currently resides
    :return: None
    """
    # 'netns 1' moves the link into the namespace of PID 1, i.e. the root
    # network namespace
    tasks.run_task(['sudo', 'ip', 'netns', 'exec', name,
                    'ip', 'link', 'set', port, 'netns', '1'],
                   _LOGGER, 'Returning port {} from namespace {} to root...'.format(
                       port, name), False)


# pylint: disable=invalid-name
def validate_add_ip_to_namespace_eth(_result, port, name, ip_addr, cidr):
    """
    Validation function for integration testcases
    """
    ip_string = '{}/{}'.format(ip_addr, cidr)
    return ip_string in ''.join(tasks.run_task(
        ['sudo', 'ip', 'netns', 'exec', name, 'ip', 'addr', 'show', port],
        _LOGGER, 'Validating ip address in namespace...', False))


def validate_assign_port_to_namespace(_result, port, name, _port_up=False):
    """
    Validation function for integration testcases
    """
    # this could be improved... it's not 100% accurate: a plain substring
    # match, so 'eth1' also matches an interface named 'eth10'
    return port in ''.join(tasks.run_task(
        ['sudo', 'ip', 'netns', 'exec', name, 'ip', 'addr'],
        _LOGGER, 'Validating port in namespace...'))


def validate_create_namespace(_result, name):
    """
    Validation function for integration testcases
    """
    return name in get_system_namespace_list()


def validate_delete_namespace(_result, name):
    """
    Validation function for integration testcases
    """
    return name not in get_system_namespace_list()


def validate_reset_port_to_root(result, port, name):
    """
    Validation function for integration testcases
    """
    return not validate_assign_port_to_namespace(result, port, name)
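The validation helpers above test `port in output`, which the comment admits is not exact: `eth1` matches `eth10`. The following is an added example, not VSPerf code, showing an exact-match alternative that parses the one-line output of `ip -o link show` and `ip -o -4 addr show` (run through `ip netns exec <name>`, just as the helpers above do). The two sample outputs are constructed; in VSPerf the strings would come from `tasks.run_task`.

```python
"""Exact-match validation of what lives inside a network namespace.

Added example, not VSPerf code.  Instead of a substring test over the
output of 'ip addr', parse the one-line ('-o') output of 'ip link' and
'ip addr' and compare interface names and addresses exactly.
"""
import re

# Constructed output of: sudo ip netns exec <name> ip -o link show
SAMPLE_LINK_OUTPUT = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff\n"
    "3: veth1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:dd:ee:ff brd ff:ff:ff:ff:ff:ff\n"
)

# Constructed output of: sudo ip netns exec <name> ip -o -4 addr show
SAMPLE_ADDR_OUTPUT = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth10    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth10\\       valid_lft forever preferred_lft forever\n"
)

# 'ip -o link' lines start "N: name[@peer]: <flags>"; veth peers carry an
# '@ifN' suffix that is not part of the interface name, so it is stripped.
_LINK_RE = re.compile(r'^\d+:\s+([^:@\s]+)(?:@\S+)?:\s')
# 'ip -o addr' lines start "N: name family addr/prefix"
_ADDR_RE = re.compile(r'^\d+:\s+([^@\s]+)(?:@\S+)?\s+(inet6?)\s+(\S+)')


def parse_links(link_output):
    """Return the set of interface names in 'ip -o link show' output."""
    names = set()
    for line in link_output.splitlines():
        match = _LINK_RE.match(line)
        if match:
            names.add(match.group(1))
    return names


def parse_addresses(addr_output):
    """Return {interface: {'addr/prefix', ...}} from 'ip -o addr show' output."""
    addrs = {}
    for line in addr_output.splitlines():
        match = _ADDR_RE.match(line)
        if match:
            addrs.setdefault(match.group(1), set()).add(match.group(3))
    return addrs


def naive_port_check(output, port):
    """The substring test used by validate_assign_port_to_namespace, for comparison."""
    return port in output


def port_in_namespace(link_output, port):
    """True only when an interface named exactly `port` is present."""
    return port in parse_links(link_output)


def port_has_address(addr_output, port, ip_addr, cidr):
    """True only when `port` carries exactly ip_addr/cidr (prefix length included)."""
    return '{}/{}'.format(ip_addr, cidr) in parse_addresses(addr_output).get(port, set())


if __name__ == '__main__':
    print('naive eth1 :', naive_port_check(SAMPLE_LINK_OUTPUT, 'eth1'))   # True, a false positive
    print('exact eth1 :', port_in_namespace(SAMPLE_LINK_OUTPUT, 'eth1'))  # False
    print('exact eth10:', port_in_namespace(SAMPLE_LINK_OUTPUT, 'eth10'))  # True
    print('addr       :', port_has_address(SAMPLE_ADDR_OUTPUT, 'eth10', '10.0.0.10', '24'))  # True
```

`port_has_address` compares the prefix length too, so a port configured with `/16` when the test expected `/24` fails validation instead of slipping through, which is the kind of mismatch the substring check cannot see.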