From 97b12afbadeadac0be348b7cc263b090f6e6f0b8 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue, 3 Nov 2015 15:19:18 +0200
Subject: Inject TLS certificate and keys for the Overcloud

This is a first implementation of adding TLS termination to the load
balancer in the controllers. The implementation was made so that the
appropriate certificate/private key in PEM format is copied to the
appropriate controller(s) via a software deployment resource.

And the path is then referenced on the HAProxy configuration, but this
part was left commented out because we need to be able to configure the
keystone endpoints in order for this to work properly.

Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79
---
 puppet/extraconfig/tls/no-tls.yaml          | 28 ++++++++++
 puppet/extraconfig/tls/tls-cert-inject.yaml | 81 +++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 puppet/extraconfig/tls/no-tls.yaml
 create mode 100644 puppet/extraconfig/tls/tls-cert-inject.yaml

(limited to 'puppet/extraconfig/tls')

diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
new file mode 100644
index 00000000..d2dfdfa4
--- /dev/null
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -0,0 +1,28 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template. This defines the parameters that
+  need to be passed in order to have TLS enabled in the controller
+  nodes. This template can be replaced with a different
+  implementation via the resource registry, such that deployers
+  may customize their configuration.
+
+parameters:
+  DeployedSSLCertificatePath:
+    default: ''
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
+  NodeIndex: # Here for compatibility with tls-cert-inject.yaml
+    default: 0
+    type: number
+  server:    # Here for compatibility with tls-cert-inject.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'TLS not enabled.'
+  deployed_ssl_certificate_path:
+    value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
new file mode 100644
index 00000000..b4564fc7
--- /dev/null
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -0,0 +1,81 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a template which will build the TLS Certificates necessary
+  for the load balancer using the given parameters.
+
+parameters:
+  # Can be overriden via parameter_defaults in the environment
+  SSLCertificate:
+    default: ''
+    description: >
+      The content of the SSL certificate (without Key) in PEM format.
+    type: string
+  SSLIntermediateCertificate:
+    default: ''
+    description: >
+      The content of an SSL intermediate CA certificate in PEM format.
+    type: string
+  SSLKey:
+    default: ''
+    description: >
+      The content of the SSL Key in PEM format.
+    type: string
+    hidden: true
+
+  # Can be overriden by parameter_defaults if the user wants to try deploying
+  # this in a distro that doesn't support this path.
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
+
+  # Passed in by the controller
+  NodeIndex:
+    default: 0
+    type: number
+  server:
+    description: ID of the controller node to apply this config to
+    type: string
+
+resources:
+  ControllerTLSConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: cert_path
+        - name: cert_chain_content
+      outputs:
+        - name: chain_md5sum
+      config: |
+        #!/bin/sh
+        cat << EOF | tee ${cert_path} > /dev/null
+        ${cert_chain_content}
+        EOF
+        chmod 0440 ${cert_path}
+        chown root:haproxy ${cert_path}
+        md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+
+  ControllerTLSDeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      config: {get_resource: ControllerTLSConfig}
+      server: {get_param: server}
+      input_values:
+        cert_path: {get_param: DeployedSSLCertificatePath}
+        cert_chain_content:
+          list_join:
+            - ''
+            - - {get_param: SSLCertificate}
+              - {get_param: SSLIntermediateCertificate}
+              - {get_param: SSLKey}
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference
+    value: {get_attr: [ControllerTLSDeployment, chain_md5sum]}
+  deployed_ssl_certificate_path:
+    description: The location that the TLS certificate was deployed to.
+    value: {get_param: DeployedSSLCertificatePath}
-- 
cgit 1.2.3-korg