From debbfbbf8fe8702fd3202f75e049496ee9bb3ddf Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon, 26 Sep 2016 15:34:10 +0000
Subject: Generate internal TLS hieradata for apache services

This adds an environment file that can be used to enable TLS in
the internal endpoints via certmonger if used. This will include
a nested stack that will create the hash that will be used to
create the certmonger certificates.

When setting up a service over apache via puppet, we used to disable
explicitly ssl (which sets modd_ssl-related fields for that vhost).
We now make this depend on the EnableInternalTLS flag. This has only
been done for keystone, but more services will be added as the
puppet code lands

bp tls-via-certmonger

Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
---
 puppet/services/keystone.yaml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to 'puppet/services/keystone.yaml')

diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index e3531636..d424a0e8 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -98,6 +98,9 @@ parameters:
     default:
       tag: openstack.keystone
       path: /var/log/keystone/keystone.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -107,6 +110,7 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
 
 outputs:
   role_data:
@@ -163,7 +167,8 @@ outputs:
               ec2/driver:
                 value: 'keystone.contrib.ec2.backends.sql.Ec2'
             keystone::service_name: 'httpd'
-            keystone::wsgi::apache::ssl: false
+            keystone::enable_ssl: {get_param: EnableInternalTLS}
+            keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             keystone::wsgi::apache::servername:
               str_replace:
                 template:
@@ -188,15 +193,25 @@ outputs:
                   - 13000
                   - 35357
                   - 13357
+            keystone::admin_bind_host:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
+            keystone::public_bind_host:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
             # NOTE: bind IP is found in Heat replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):
             # internal_api -> IP
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
-            # NOTE: this applies to all 4 bind IP settings below...
-            keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-            keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
+            # NOTE: this applies to all 2 bind IP settings below...
             keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
             keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
       step_config: |
-- 
cgit 1.2.3-korg