Refactor osnailyfacter/modular/ssl
Refactor osnailyfacter/modular/ssl to be compatible with Puppet Master. Blueprint: fuel-refactor-osnailyfacter-for-puppet-master-compatibility Change-Id: I45f4e731e8d8cdabb8f706fc559424d136e45530
This commit is contained in:
parent
eb22a92462
commit
0f251698bd
@ -0,0 +1,88 @@
class osnailyfacter::ssl::ssl_add_trust_chain {
|
||||
|
||||
notice('MODULAR: ssl/ssl_add_trust_chain.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
|
||||
Exec {
|
||||
path => '/bin:/usr/bin:/sbin:/usr/sbin',
|
||||
}
|
||||
|
||||
File {
|
||||
ensure => file,
|
||||
}
|
||||
|
||||
define file_link {
|
||||
$service = $name
|
||||
if !empty(file("/etc/pki/tls/certs/public_${service}.pem",'/dev/null')) {
|
||||
file { "/usr/local/share/ca-certificates/${service}_public_haproxy.crt":
|
||||
source => "/etc/pki/tls/certs/public_${service}.pem",
|
||||
}
|
||||
}
|
||||
|
||||
if !empty(file("/etc/pki/tls/certs/internal_${service}.pem",'/dev/null')) {
|
||||
file { "/usr/local/share/ca-certificates/${service}_internal_haproxy.crt":
|
||||
source => "/etc/pki/tls/certs/internal_${service}.pem",
|
||||
}
|
||||
}
|
||||
|
||||
if !empty(file("/etc/pki/tls/certs/admin_${service}.pem",'/dev/null')) {
|
||||
file { "/usr/local/share/ca-certificates/${service}_admin_haproxy.crt":
|
||||
source => "/etc/pki/tls/certs/admin_${service}.pem",
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($ssl_hash) {
|
||||
$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder',
|
||||
'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
|
||||
|
||||
file_link { $services: }
|
||||
|
||||
} elsif !empty($public_ssl_hash) {
|
||||
case $::osfamily {
|
||||
'RedHat': {
|
||||
file { '/etc/pki/ca-trust/source/anchors/public_haproxy.pem':
|
||||
source => '/etc/pki/tls/certs/public_haproxy.pem',
|
||||
}
|
||||
}
|
||||
|
||||
'Debian': {
|
||||
file { '/usr/local/share/ca-certificates/public_haproxy.crt':
|
||||
source => '/etc/pki/tls/certs/public_haproxy.pem',
|
||||
}
|
||||
}
|
||||
|
||||
default: {
|
||||
fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
case $::osfamily {
|
||||
'RedHat': {
|
||||
exec { 'enable_trust':
|
||||
command => 'update-ca-trust force-enable',
|
||||
refreshonly => true,
|
||||
notify => Exec['add_trust']
|
||||
}
|
||||
|
||||
File <||> ~> Exec['enable_trust']
|
||||
}
|
||||
|
||||
'Debian': {
|
||||
File <||> ~> Exec['add_trust']
|
||||
}
|
||||
|
||||
default: {
|
||||
fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
|
||||
}
|
||||
}
|
||||
|
||||
exec { 'add_trust':
|
||||
command => 'update-ca-certificates',
|
||||
refreshonly => true,
|
||||
}
|
||||
|
||||
}
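Review bot: The existence checks `if !empty(file("/etc/pki/tls/certs/public_${service}.pem",'/dev/null'))` in `file_link` call the `file()` function, which is evaluated at catalog compilation time, so once this class is compiled on a Puppet master — the stated goal of the refactor — it probes the master's filesystem while the `source => "/etc/pki/tls/certs/..."` paths are resolved on the agent, and nodes whose certificate set differs from the master's may end up with missing or stale trust-store entries. A compile-independent option is to derive the set of certificates from `$ssl_hash` (the same data `ssl_keys_saving` uses to decide which PEMs it writes) rather than probing the filesystem, or at minimum to record the caveat in a comment such as `# NOTE: file() reads the compiling node's filesystem, not the agent's`. Separately, `File <||> ~> Exec['enable_trust']` and `File <||> ~> Exec['add_trust']` collect every File resource in the catalog; that was scoped to one manifest when this ran as a standalone modular task, but when the class is compiled together with other classes into a single catalog it adds a notify edge from every file on the node to the trust-store exec and is a likely source of dependency cycles — restricting the collector to this class's own resources (for example with a tag of your choosing, `File <| tag == 'ssl_trust_chain' |>`, applied to the file resources declared here) keeps the refresh scoped. Unlike the other two new classes, the nested `define file_link` carries no TODO about moving it to module scope.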
@ -0,0 +1,107 @@
class osnailyfacter::ssl::ssl_dns_setup {
|
||||
|
||||
notice('MODULAR: ssl/ssl_dns_setup.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
$public_vip = hiera('public_vip')
|
||||
$management_vip = hiera('management_vip')
|
||||
$openstack_service_endpoints = hiera_hash('openstack_service_endpoints', {})
|
||||
|
||||
$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
|
||||
|
||||
#TODO(sbog): convert it to '.each' when moving to Puppet 4
|
||||
#TODO(anoskov): move it outside class 'osnailyfacter::ssl::ssl_dns_setup'
|
||||
define hosts (
|
||||
$ssl_hash,
|
||||
){
|
||||
$service = $name
|
||||
$public_vip = hiera('public_vip')
|
||||
$management_vip = hiera('management_vip')
|
||||
|
||||
$public_hostname = try_get_value($ssl_hash, "${service}_public_hostname", '')
|
||||
$internal_hostname = try_get_value($ssl_hash, "${service}_internal_hostname", '')
|
||||
$admin_hostname = try_get_value($ssl_hash, "${service}_admin_hostname", $internal_hostname)
|
||||
|
||||
$service_public_ip = try_get_value($ssl_hash, "${service}_public_ip", '')
|
||||
if !empty($service_public_ip) {
|
||||
$public_ip = $service_public_ip
|
||||
} else {
|
||||
$public_ip = $public_vip
|
||||
}
|
||||
|
||||
$service_internal_ip = try_get_value($ssl_hash, "${service}_internal_ip", '')
|
||||
if !empty($service_internal_ip) {
|
||||
$internal_ip = $service_internal_ip
|
||||
} else {
|
||||
$internal_ip = $management_vip
|
||||
}
|
||||
|
||||
$service_admin_ip = try_get_value($ssl_hash, "${service}_admin_ip", '')
|
||||
if !empty($service_admin_ip) {
|
||||
$admin_ip = $service_admin_ip
|
||||
} else {
|
||||
$admin_ip = $management_vip
|
||||
}
|
||||
|
||||
# We always need to set public hostname resolution
|
||||
if !empty($public_hostname) and !defined(Host[$public_hostname]) {
|
||||
host { $public_hostname:
|
||||
name => $public_hostname,
|
||||
ensure => present,
|
||||
ip => $public_ip,
|
||||
}
|
||||
}
|
||||
|
||||
if ($public_hostname == $internal_hostname) and ($public_hostname == $admin_hostname) {
|
||||
notify{"All ${service} hostnames is equal, just public one inserted to DNS":}
|
||||
}
|
||||
elsif $public_hostanme == $internal_hostname {
|
||||
if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
|
||||
host { $admin_hostname:
|
||||
name => $admin_hostname,
|
||||
ensure => present,
|
||||
ip => $admin_ip,
|
||||
}
|
||||
}
|
||||
}
|
||||
elsif ($public_hostname == $admin_hostname) or ($internal_hostname == $admin_hostname) {
|
||||
if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
|
||||
host { $internal_hostname:
|
||||
name => $internal_hostname,
|
||||
ensure => present,
|
||||
ip => $internal_ip,
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
|
||||
host { $admin_hostname:
|
||||
name => $admin_hostname,
|
||||
ensure => present,
|
||||
ip => $admin_ip,
|
||||
}
|
||||
}
|
||||
if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
|
||||
host { $internal_hostname:
|
||||
name => $internal_hostname,
|
||||
ensure => present,
|
||||
ip => $internal_ip,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($ssl_hash) {
|
||||
|
||||
hosts { $services:
|
||||
ssl_hash => $ssl_hash,
|
||||
}
|
||||
} elsif !empty($public_ssl_hash) {
|
||||
host { $public_ssl_hash['hostname']:
|
||||
ensure => present,
|
||||
ip => $public_vip,
|
||||
}
|
||||
}
|
||||
|
||||
}
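Review bot: `elsif $public_hostanme == $internal_hostname {` in `hosts` misspells `$public_hostname`, so the branch compares an undefined variable with the internal hostname; the typo is carried over from the old manifest, but the refactor is the moment to fix it, since under `--strict_variables` it fails compilation and otherwise the branch is effectively unreachable and the `else` branch silently does its work, which masks the error. The line should read `elsif $public_hostname == $internal_hostname {`. Also, `$public_vip` and `$management_vip` are re-read with `hiera()` inside the define although the class already holds them, and `$openstack_service_endpoints` is read but never used. A short header comment on `define hosts`, stating that it declares one `host` entry per distinct public/internal/admin hostname taken from `$ssl_hash` and falls back to the public/management VIPs when no per-service IP is given, would help the next reader, because the four-way `if`/`elsif` on hostname equality is not self-explanatory.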
@ -0,0 +1,78 @@
class osnailyfacter::ssl::ssl_keys_saving {
|
||||
|
||||
notice('MODULAR: ssl/ssl_keys_saving.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
$pub_certificate_content = try_get_value($public_ssl_hash, 'cert_data/content', '')
|
||||
$base_path = '/etc/pki/tls/certs'
|
||||
$pki_path = [ '/etc/pki', '/etc/pki/tls' ]
|
||||
$astute_base_path = '/var/lib/astute/haproxy'
|
||||
|
||||
File {
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
file { [ $pki_path, $base_path, $astute_base_path ]:
|
||||
ensure => directory,
|
||||
}
|
||||
|
||||
#TODO(sbog): convert it to '.each' syntax when moving to Puppet 4
|
||||
#TODO(anoskov): move it outside class 'osnailyfacter::ssl::ssl_keys_saving'
|
||||
define cert_file (
|
||||
$ssl_hash,
|
||||
$base_path,
|
||||
$astute_base_path,
|
||||
){
|
||||
$service = $name
|
||||
|
||||
$public_service = try_get_value($ssl_hash, "${service}_public", false)
|
||||
$public_usercert = try_get_value($ssl_hash, "${service}_public_usercert", false)
|
||||
$public_certdata = try_get_value($ssl_hash, "${service}_public_certdata/content", '')
|
||||
$internal_service = try_get_value($ssl_hash, "${service}_internal", false)
|
||||
$internal_usercert = try_get_value($ssl_hash, "${service}_internal_usercert", false)
|
||||
$internal_certdata = try_get_value($ssl_hash, "${service}_internal_certdata/content", '')
|
||||
$admin_service = try_get_value($ssl_hash, "${service}_admin", false)
|
||||
$admin_usercert = try_get_value($ssl_hash, "${service}_admin_usercert", false)
|
||||
$admin_certdata = try_get_value($ssl_hash, "${service}_admin_certdata/content", '')
|
||||
|
||||
if $ssl_hash["${service}"] {
|
||||
if $public_service and $public_usercert and !empty($public_certdata) {
|
||||
file { ["${base_path}/public_${service}.pem", "${astute_base_path}/public_${service}.pem"]:
|
||||
ensure => present,
|
||||
content => $public_certdata,
|
||||
}
|
||||
}
|
||||
if $internal_service and $internal_usercert and !empty($internal_certdata) {
|
||||
file { ["${base_path}/internal_${service}.pem", "${astute_base_path}/internal_${service}.pem"]:
|
||||
ensure => present,
|
||||
content => $internal_certdata,
|
||||
}
|
||||
}
|
||||
if $admin_service and $admin_usercert and !empty($admin_certdata) {
|
||||
file { ["${base_path}/admin_${service}.pem", "${astute_base_path}/admin_${service}.pem"]:
|
||||
ensure => present,
|
||||
content => $admin_certdata,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($ssl_hash) {
|
||||
$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
|
||||
|
||||
cert_file { $services:
|
||||
ssl_hash => $ssl_hash,
|
||||
base_path => $base_path,
|
||||
astute_base_path => $astute_base_path,
|
||||
}
|
||||
} elsif !empty($public_ssl_hash) {
|
||||
file { ["${base_path}/public_haproxy.pem", "${astute_base_path}/public_haproxy.pem"]:
|
||||
ensure => present,
|
||||
content => $pub_certificate_content,
|
||||
}
|
||||
}
|
||||
|
||||
}
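Review bot: The `File { owner => 'root', group => 'root', mode => '0644' }` default applies to every PEM this class writes — the `content => $public_certdata` / `$internal_certdata` / `$admin_certdata` files under `/etc/pki/tls/certs` and `/var/lib/astute/haproxy`, and the `public_haproxy.pem` fallback; if those `*_certdata/content` blobs are the combined key+certificate PEMs that HAProxy loads (the haproxy destination directory suggests so — confirm against the data source), a 0644 file makes the TLS private key readable by every local account on the node. Give the certificate-content `file` resources an explicit `mode => '0600'` (the directory resources can keep the default) and state the intent next to it, e.g. `# may contain private key material: not world-readable`. The carried-over `if $ssl_hash["${service}"]` also quotes a lone variable; `if $ssl_hash[$service]` is the lint-clean form. The nested `define cert_file` already has a TODO to move it to module scope, which is fine as a tracked follow-up.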
@ -1,84 +1 @@
notice('MODULAR: ssl_add_trust_chain.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
|
||||
Exec {
|
||||
path => '/bin:/usr/bin:/sbin:/usr/sbin',
|
||||
}
|
||||
|
||||
File {
|
||||
ensure => file,
|
||||
}
|
||||
|
||||
define file_link {
|
||||
$service = $name
|
||||
if !empty(file("/etc/pki/tls/certs/public_${service}.pem",'/dev/null')) {
|
||||
file { "/usr/local/share/ca-certificates/${service}_public_haproxy.crt":
|
||||
source => "/etc/pki/tls/certs/public_${service}.pem",
|
||||
}
|
||||
}
|
||||
|
||||
if !empty(file("/etc/pki/tls/certs/internal_${service}.pem",'/dev/null')) {
|
||||
file { "/usr/local/share/ca-certificates/${service}_internal_haproxy.crt":
|
||||
source => "/etc/pki/tls/certs/internal_${service}.pem",
|
||||
}
|
||||
}
|
||||
|
||||
if !empty(file("/etc/pki/tls/certs/admin_${service}.pem",'/dev/null')) {
|
||||
file { "/usr/local/share/ca-certificates/${service}_admin_haproxy.crt":
|
||||
source => "/etc/pki/tls/certs/admin_${service}.pem",
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($ssl_hash) {
|
||||
$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder',
|
||||
'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
|
||||
|
||||
file_link { $services: }
|
||||
|
||||
} elsif !empty($public_ssl_hash) {
|
||||
case $::osfamily {
|
||||
'RedHat': {
|
||||
file { '/etc/pki/ca-trust/source/anchors/public_haproxy.pem':
|
||||
source => '/etc/pki/tls/certs/public_haproxy.pem',
|
||||
}
|
||||
}
|
||||
|
||||
'Debian': {
|
||||
file { '/usr/local/share/ca-certificates/public_haproxy.crt':
|
||||
source => '/etc/pki/tls/certs/public_haproxy.pem',
|
||||
}
|
||||
}
|
||||
|
||||
default: {
|
||||
fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
case $::osfamily {
|
||||
'RedHat': {
|
||||
exec { 'enable_trust':
|
||||
command => 'update-ca-trust force-enable',
|
||||
refreshonly => true,
|
||||
notify => Exec['add_trust']
|
||||
}
|
||||
|
||||
File <||> ~> Exec['enable_trust']
|
||||
}
|
||||
|
||||
'Debian': {
|
||||
File <||> ~> Exec['add_trust']
|
||||
}
|
||||
|
||||
default: {
|
||||
fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
|
||||
}
|
||||
}
|
||||
|
||||
exec { 'add_trust':
|
||||
command => 'update-ca-certificates',
|
||||
refreshonly => true,
|
||||
}
|
||||
include ::osnailyfacter::ssl::ssl_add_trust_chain
@ -1,102 +1 @@
notice('MODULAR: ssl_dns_setup.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
$public_vip = hiera('public_vip')
|
||||
$management_vip = hiera('management_vip')
|
||||
$openstack_service_endpoints = hiera_hash('openstack_service_endpoints', {})
|
||||
|
||||
$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
|
||||
|
||||
#TODO(sbog): convert it to '.each' when moving to Puppet 4
|
||||
define hosts (
|
||||
$ssl_hash,
|
||||
){
|
||||
$service = $name
|
||||
$public_vip = hiera('public_vip')
|
||||
$management_vip = hiera('management_vip')
|
||||
|
||||
$public_hostname = try_get_value($ssl_hash, "${service}_public_hostname", "")
|
||||
$internal_hostname = try_get_value($ssl_hash, "${service}_internal_hostname", "")
|
||||
$admin_hostname = try_get_value($ssl_hash, "${service}_admin_hostname", $internal_hostname)
|
||||
|
||||
$service_public_ip = try_get_value($ssl_hash, "${service}_public_ip", "")
|
||||
if !empty($service_public_ip) {
|
||||
$public_ip = $service_public_ip
|
||||
} else {
|
||||
$public_ip = $public_vip
|
||||
}
|
||||
|
||||
$service_internal_ip = try_get_value($ssl_hash, "${service}_internal_ip", "")
|
||||
if !empty($service_internal_ip) {
|
||||
$internal_ip = $service_internal_ip
|
||||
} else {
|
||||
$internal_ip = $management_vip
|
||||
}
|
||||
|
||||
$service_admin_ip = try_get_value($ssl_hash, "${service}_admin_ip", "")
|
||||
if !empty($service_admin_ip) {
|
||||
$admin_ip = $service_admin_ip
|
||||
} else {
|
||||
$admin_ip = $management_vip
|
||||
}
|
||||
|
||||
# We always need to set public hostname resolution
|
||||
if !empty($public_hostname) and !defined(Host[$public_hostname]) {
|
||||
host { $public_hostname:
|
||||
name => $public_hostname,
|
||||
ensure => present,
|
||||
ip => $public_ip,
|
||||
}
|
||||
}
|
||||
|
||||
if ($public_hostname == $internal_hostname) and ($public_hostname == $admin_hostname) {
|
||||
notify{"All ${service} hostnames is equal, just public one inserted to DNS":}
|
||||
}
|
||||
elsif $public_hostanme == $internal_hostname {
|
||||
if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
|
||||
host { $admin_hostname:
|
||||
name => $admin_hostname,
|
||||
ensure => present,
|
||||
ip => $admin_ip,
|
||||
}
|
||||
}
|
||||
}
|
||||
elsif ($public_hostname == $admin_hostname) or ($internal_hostname == $admin_hostname) {
|
||||
if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
|
||||
host { $internal_hostname:
|
||||
name => $internal_hostname,
|
||||
ensure => present,
|
||||
ip => $internal_ip,
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
|
||||
host { $admin_hostname:
|
||||
name => $admin_hostname,
|
||||
ensure => present,
|
||||
ip => $admin_ip,
|
||||
}
|
||||
}
|
||||
if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
|
||||
host { $internal_hostname:
|
||||
name => $internal_hostname,
|
||||
ensure => present,
|
||||
ip => $internal_ip,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($ssl_hash) {
|
||||
|
||||
hosts { $services:
|
||||
ssl_hash => $ssl_hash,
|
||||
}
|
||||
} elsif !empty($public_ssl_hash) {
|
||||
host { $public_ssl_hash['hostname']:
|
||||
ensure => present,
|
||||
ip => $public_vip,
|
||||
}
|
||||
}
|
||||
include ::osnailyfacter::ssl::ssl_dns_setup
@ -1,73 +1 @@
notice('MODULAR: ssl_keys_saving.pp')
|
||||
|
||||
$public_ssl_hash = hiera_hash('public_ssl')
|
||||
$ssl_hash = hiera_hash('use_ssl', {})
|
||||
$pub_certificate_content = try_get_value($public_ssl_hash, 'cert_data/content', "")
|
||||
$base_path = "/etc/pki/tls/certs"
|
||||
$pki_path = [ "/etc/pki", "/etc/pki/tls" ]
|
||||
$astute_base_path = "/var/lib/astute/haproxy"
|
||||
|
||||
File {
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
}
|
||||
|
||||
file { [ $pki_path, $base_path, $astute_base_path ]:
|
||||
ensure => directory,
|
||||
}
|
||||
|
||||
#TODO(sbog): convert it to '.each' syntax when moving to Puppet 4
|
||||
define cert_file (
|
||||
$ssl_hash,
|
||||
$base_path,
|
||||
$astute_base_path,
|
||||
){
|
||||
$service = $name
|
||||
|
||||
$public_service = try_get_value($ssl_hash, "${service}_public", false)
|
||||
$public_usercert = try_get_value($ssl_hash, "${service}_public_usercert", false)
|
||||
$public_certdata = try_get_value($ssl_hash, "${service}_public_certdata/content", "")
|
||||
$internal_service = try_get_value($ssl_hash, "${service}_internal", false)
|
||||
$internal_usercert = try_get_value($ssl_hash, "${service}_internal_usercert", false)
|
||||
$internal_certdata = try_get_value($ssl_hash, "${service}_internal_certdata/content", "")
|
||||
$admin_service = try_get_value($ssl_hash, "${service}_admin", false)
|
||||
$admin_usercert = try_get_value($ssl_hash, "${service}_admin_usercert", false)
|
||||
$admin_certdata = try_get_value($ssl_hash, "${service}_admin_certdata/content", "")
|
||||
|
||||
if $ssl_hash["${service}"] {
|
||||
if $public_service and $public_usercert and !empty($public_certdata) {
|
||||
file { ["${base_path}/public_${service}.pem", "${astute_base_path}/public_${service}.pem"]:
|
||||
ensure => present,
|
||||
content => $public_certdata,
|
||||
}
|
||||
}
|
||||
if $internal_service and $internal_usercert and !empty($internal_certdata) {
|
||||
file { ["${base_path}/internal_${service}.pem", "${astute_base_path}/internal_${service}.pem"]:
|
||||
ensure => present,
|
||||
content => $internal_certdata,
|
||||
}
|
||||
}
|
||||
if $admin_service and $admin_usercert and !empty($admin_certdata) {
|
||||
file { ["${base_path}/admin_${service}.pem", "${astute_base_path}/admin_${service}.pem"]:
|
||||
ensure => present,
|
||||
content => $admin_certdata,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($ssl_hash) {
|
||||
$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
|
||||
|
||||
cert_file { $services:
|
||||
ssl_hash => $ssl_hash,
|
||||
base_path => $base_path,
|
||||
astute_base_path => $astute_base_path,
|
||||
}
|
||||
} elsif !empty($public_ssl_hash) {
|
||||
file { ["$base_path/public_haproxy.pem", "$astute_base_path/public_haproxy.pem"]:
|
||||
ensure => present,
|
||||
content => $pub_certificate_content,
|
||||
}
|
||||
}
|
||||
include ::osnailyfacter::ssl::ssl_keys_saving