Refactor osnailyfacter/modular/ssl

Refactor osnailyfacter/modular/ssl to be compatible with Puppet Master Blueprint: fuel-refactor-osnailyfacter-for-puppet-master-compatibility Change-Id: I45f4e731e8d8cdabb8f706fc559424d136e45530
2016-03-09 16:11:37 +03:00 · 2016-03-09 16:11:37 +03:00 · 0f251698bd
parent eb22a92462
commit 0f251698bd
6 changed files with 276 additions and 259 deletions
--- a/deployment/puppet/osnailyfacter/manifests/ssl/ssl_add_trust_chain.pp
+++ b/deployment/puppet/osnailyfacter/manifests/ssl/ssl_add_trust_chain.pp
@ -0,0 +1,88 @@
+class osnailyfacter::ssl::ssl_add_trust_chain {
+
+  notice('MODULAR: ssl/ssl_add_trust_chain.pp')
+
+  $public_ssl_hash    = hiera_hash('public_ssl')
+  $ssl_hash           = hiera_hash('use_ssl', {})
+
+  Exec {
+    path => '/bin:/usr/bin:/sbin:/usr/sbin',
+  }
+
+  File {
+    ensure => file,
+  }
+
+  define file_link {
+    $service = $name
+    if !empty(file("/etc/pki/tls/certs/public_${service}.pem",'/dev/null')) {
+      file { "/usr/local/share/ca-certificates/${service}_public_haproxy.crt":
+        source => "/etc/pki/tls/certs/public_${service}.pem",
+      }
+    }
+
+    if !empty(file("/etc/pki/tls/certs/internal_${service}.pem",'/dev/null')) {
+      file { "/usr/local/share/ca-certificates/${service}_internal_haproxy.crt":
+        source => "/etc/pki/tls/certs/internal_${service}.pem",
+      }
+    }
+
+    if !empty(file("/etc/pki/tls/certs/admin_${service}.pem",'/dev/null')) {
+      file { "/usr/local/share/ca-certificates/${service}_admin_haproxy.crt":
+        source => "/etc/pki/tls/certs/admin_${service}.pem",
+      }
+    }
+  }
+
+  if !empty($ssl_hash) {
+    $services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder',
+      'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
+
+    file_link { $services: }
+
+  } elsif !empty($public_ssl_hash) {
+    case $::osfamily {
+      'RedHat': {
+        file { '/etc/pki/ca-trust/source/anchors/public_haproxy.pem':
+          source => '/etc/pki/tls/certs/public_haproxy.pem',
+        }
+      }
+
+      'Debian': {
+        file { '/usr/local/share/ca-certificates/public_haproxy.crt':
+          source => '/etc/pki/tls/certs/public_haproxy.pem',
+        }
+      }
+
+      default: {
+        fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
+      }
+    }
+  }
+
+  case $::osfamily {
+    'RedHat': {
+      exec { 'enable_trust':
+        command     => 'update-ca-trust force-enable',
+        refreshonly => true,
+        notify      => Exec['add_trust']
+      }
+
+      File <||> ~> Exec['enable_trust']
+    }
+
+    'Debian': {
+      File <||> ~> Exec['add_trust']
+    }
+
+    default: {
+      fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
+    }
+  }
+
+  exec { 'add_trust':
+    command     => 'update-ca-certificates',
+    refreshonly => true,
+  }
+
+}
--- a/deployment/puppet/osnailyfacter/manifests/ssl/ssl_dns_setup.pp
+++ b/deployment/puppet/osnailyfacter/manifests/ssl/ssl_dns_setup.pp
@ -0,0 +1,107 @@
+class osnailyfacter::ssl::ssl_dns_setup {
+
+  notice('MODULAR: ssl/ssl_dns_setup.pp')
+
+  $public_ssl_hash = hiera_hash('public_ssl')
+  $ssl_hash = hiera_hash('use_ssl', {})
+  $public_vip = hiera('public_vip')
+  $management_vip = hiera('management_vip')
+  $openstack_service_endpoints = hiera_hash('openstack_service_endpoints', {})
+
+  $services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
+
+  #TODO(sbog): convert it to '.each' when moving to Puppet 4
+  #TODO(anoskov): move it outside class 'osnailyfacter::ssl::ssl_dns_setup'
+  define hosts (
+    $ssl_hash,
+    ){
+    $service = $name
+    $public_vip = hiera('public_vip')
+    $management_vip = hiera('management_vip')
+
+    $public_hostname = try_get_value($ssl_hash, "${service}_public_hostname", '')
+    $internal_hostname = try_get_value($ssl_hash, "${service}_internal_hostname", '')
+    $admin_hostname = try_get_value($ssl_hash, "${service}_admin_hostname", $internal_hostname)
+
+    $service_public_ip = try_get_value($ssl_hash, "${service}_public_ip", '')
+    if !empty($service_public_ip) {
+      $public_ip = $service_public_ip
+    } else {
+      $public_ip = $public_vip
+    }
+
+    $service_internal_ip = try_get_value($ssl_hash, "${service}_internal_ip", '')
+    if !empty($service_internal_ip) {
+      $internal_ip = $service_internal_ip
+    } else {
+      $internal_ip = $management_vip
+    }
+
+    $service_admin_ip = try_get_value($ssl_hash, "${service}_admin_ip", '')
+    if !empty($service_admin_ip) {
+      $admin_ip = $service_admin_ip
+    } else {
+      $admin_ip = $management_vip
+    }
+
+    # We always need to set public hostname resolution
+    if !empty($public_hostname) and !defined(Host[$public_hostname]) {
+      host { $public_hostname:
+        name   => $public_hostname,
+        ensure => present,
+        ip     => $public_ip,
+      }
+    }
+
+    if ($public_hostname == $internal_hostname) and ($public_hostname == $admin_hostname) {
+      notify{"All ${service} hostnames is equal, just public one inserted to DNS":}
+    }
+    elsif $public_hostanme == $internal_hostname {
+      if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
+        host { $admin_hostname:
+          name   => $admin_hostname,
+          ensure => present,
+          ip     => $admin_ip,
+        }
+      }
+    }
+    elsif ($public_hostname == $admin_hostname) or ($internal_hostname == $admin_hostname) {
+      if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
+        host { $internal_hostname:
+          name   => $internal_hostname,
+          ensure => present,
+          ip     => $internal_ip,
+        }
+      }
+    }
+    else {
+      if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
+        host { $admin_hostname:
+          name   => $admin_hostname,
+          ensure => present,
+          ip     => $admin_ip,
+        }
+      }
+      if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
+        host { $internal_hostname:
+          name   => $internal_hostname,
+          ensure => present,
+          ip     => $internal_ip,
+        }
+      }
+    }
+  }
+
+  if !empty($ssl_hash) {
+
+    hosts { $services:
+      ssl_hash => $ssl_hash,
+    }
+  } elsif !empty($public_ssl_hash) {
+    host { $public_ssl_hash['hostname']:
+      ensure => present,
+      ip     => $public_vip,
+    }
+  }
+
+}
--- a/deployment/puppet/osnailyfacter/manifests/ssl/ssl_keys_saving.pp
+++ b/deployment/puppet/osnailyfacter/manifests/ssl/ssl_keys_saving.pp
@ -0,0 +1,78 @@
+class osnailyfacter::ssl::ssl_keys_saving {
+
+  notice('MODULAR: ssl/ssl_keys_saving.pp')
+
+  $public_ssl_hash = hiera_hash('public_ssl')
+  $ssl_hash = hiera_hash('use_ssl', {})
+  $pub_certificate_content = try_get_value($public_ssl_hash, 'cert_data/content', '')
+  $base_path = '/etc/pki/tls/certs'
+  $pki_path = [ '/etc/pki', '/etc/pki/tls' ]
+  $astute_base_path = '/var/lib/astute/haproxy'
+
+  File {
+    owner => 'root',
+    group => 'root',
+    mode  => '0644',
+  }
+
+  file { [ $pki_path, $base_path, $astute_base_path ]:
+    ensure => directory,
+  }
+
+  #TODO(sbog): convert it to '.each' syntax when moving to Puppet 4
+  #TODO(anoskov): move it outside class 'osnailyfacter::ssl::ssl_keys_saving'
+  define cert_file (
+    $ssl_hash,
+    $base_path,
+    $astute_base_path,
+    ){
+    $service = $name
+
+    $public_service = try_get_value($ssl_hash, "${service}_public", false)
+    $public_usercert = try_get_value($ssl_hash, "${service}_public_usercert", false)
+    $public_certdata = try_get_value($ssl_hash, "${service}_public_certdata/content", '')
+    $internal_service = try_get_value($ssl_hash, "${service}_internal", false)
+    $internal_usercert = try_get_value($ssl_hash, "${service}_internal_usercert", false)
+    $internal_certdata = try_get_value($ssl_hash, "${service}_internal_certdata/content", '')
+    $admin_service = try_get_value($ssl_hash, "${service}_admin", false)
+    $admin_usercert = try_get_value($ssl_hash, "${service}_admin_usercert", false)
+    $admin_certdata = try_get_value($ssl_hash, "${service}_admin_certdata/content", '')
+
+    if $ssl_hash["${service}"] {
+      if $public_service and $public_usercert and !empty($public_certdata) {
+        file { ["${base_path}/public_${service}.pem", "${astute_base_path}/public_${service}.pem"]:
+          ensure  => present,
+          content => $public_certdata,
+        }
+      }
+      if $internal_service and $internal_usercert and !empty($internal_certdata) {
+        file { ["${base_path}/internal_${service}.pem", "${astute_base_path}/internal_${service}.pem"]:
+          ensure  => present,
+          content => $internal_certdata,
+        }
+      }
+      if $admin_service and $admin_usercert and !empty($admin_certdata) {
+        file { ["${base_path}/admin_${service}.pem", "${astute_base_path}/admin_${service}.pem"]:
+          ensure  => present,
+          content => $admin_certdata,
+        }
+      }
+    }
+  }
+
+  if !empty($ssl_hash) {
+    $services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
+
+    cert_file { $services:
+      ssl_hash         => $ssl_hash,
+      base_path        => $base_path,
+      astute_base_path => $astute_base_path,
+    }
+  } elsif !empty($public_ssl_hash) {
+    file { ["${base_path}/public_haproxy.pem", "${astute_base_path}/public_haproxy.pem"]:
+      ensure  => present,
+      content => $pub_certificate_content,
+    }
+  }
+
+}
--- a/deployment/puppet/osnailyfacter/modular/ssl/ssl_add_trust_chain.pp
+++ b/deployment/puppet/osnailyfacter/modular/ssl/ssl_add_trust_chain.pp
@ -1,84 +1 @@
-notice('MODULAR: ssl_add_trust_chain.pp')
-
-$public_ssl_hash    = hiera_hash('public_ssl')
-$ssl_hash           = hiera_hash('use_ssl', {})
-
-Exec {
-  path => '/bin:/usr/bin:/sbin:/usr/sbin',
-}
-
-File {
-  ensure => file,
-}
-
-define file_link {
-  $service = $name
-  if !empty(file("/etc/pki/tls/certs/public_${service}.pem",'/dev/null')) {
-    file { "/usr/local/share/ca-certificates/${service}_public_haproxy.crt":
-      source => "/etc/pki/tls/certs/public_${service}.pem",
-    }
-  }
-
-  if !empty(file("/etc/pki/tls/certs/internal_${service}.pem",'/dev/null')) {
-    file { "/usr/local/share/ca-certificates/${service}_internal_haproxy.crt":
-      source => "/etc/pki/tls/certs/internal_${service}.pem",
-    }
-  }
-
-  if !empty(file("/etc/pki/tls/certs/admin_${service}.pem",'/dev/null')) {
-    file { "/usr/local/share/ca-certificates/${service}_admin_haproxy.crt":
-      source => "/etc/pki/tls/certs/admin_${service}.pem",
-    }
-  }
-}
-
-if !empty($ssl_hash) {
-  $services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder',
-    'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
-
-  file_link { $services: }
-
-} elsif !empty($public_ssl_hash) {
-  case $::osfamily {
-    'RedHat': {
-      file { '/etc/pki/ca-trust/source/anchors/public_haproxy.pem':
-        source => '/etc/pki/tls/certs/public_haproxy.pem',
-      }
-    }
-
-    'Debian': {
-      file { '/usr/local/share/ca-certificates/public_haproxy.crt':
-        source => '/etc/pki/tls/certs/public_haproxy.pem',
-      }
-    }
-
-    default: {
-      fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
-    }
-  }
-}
-
-case $::osfamily {
-  'RedHat': {
-    exec { 'enable_trust':
-      command     => 'update-ca-trust force-enable',
-      refreshonly => true,
-      notify      => Exec['add_trust']
-    }
-
-    File <||> ~> Exec['enable_trust']
-  }
-
-  'Debian': {
-    File <||> ~> Exec['add_trust']
-  }
-
-  default: {
-    fail("Unsupported OS: ${::osfamily}/${::operatingsystem}")
-  }
-}
-
-exec { 'add_trust':
-  command     => 'update-ca-certificates',
-  refreshonly => true,
-}
+include ::osnailyfacter::ssl::ssl_add_trust_chain
--- a/deployment/puppet/osnailyfacter/modular/ssl/ssl_dns_setup.pp
+++ b/deployment/puppet/osnailyfacter/modular/ssl/ssl_dns_setup.pp
@ -1,102 +1 @@
-notice('MODULAR: ssl_dns_setup.pp')
-
-$public_ssl_hash = hiera_hash('public_ssl')
-$ssl_hash = hiera_hash('use_ssl', {})
-$public_vip = hiera('public_vip')
-$management_vip = hiera('management_vip')
-$openstack_service_endpoints = hiera_hash('openstack_service_endpoints', {})
-
-$services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
-
-#TODO(sbog): convert it to '.each' when moving to Puppet 4
-define hosts (
-  $ssl_hash,
-  ){
-  $service = $name
-  $public_vip = hiera('public_vip')
-  $management_vip = hiera('management_vip')
-
-  $public_hostname = try_get_value($ssl_hash, "${service}_public_hostname", "")
-  $internal_hostname = try_get_value($ssl_hash, "${service}_internal_hostname", "")
-  $admin_hostname = try_get_value($ssl_hash, "${service}_admin_hostname", $internal_hostname)
-
-  $service_public_ip = try_get_value($ssl_hash, "${service}_public_ip", "")
-  if !empty($service_public_ip) {
-    $public_ip = $service_public_ip
-  } else {
-    $public_ip = $public_vip
-  }
-
-  $service_internal_ip = try_get_value($ssl_hash, "${service}_internal_ip", "")
-  if !empty($service_internal_ip) {
-    $internal_ip = $service_internal_ip
-  } else {
-    $internal_ip = $management_vip
-  }
-
-  $service_admin_ip = try_get_value($ssl_hash, "${service}_admin_ip", "")
-  if !empty($service_admin_ip) {
-    $admin_ip = $service_admin_ip
-  } else {
-    $admin_ip = $management_vip
-  }
-
-  # We always need to set public hostname resolution
-  if !empty($public_hostname) and !defined(Host[$public_hostname]) {
-    host { $public_hostname:
-      name   => $public_hostname,
-      ensure => present,
-      ip     => $public_ip,
-    }
-  }
-
-  if ($public_hostname == $internal_hostname) and ($public_hostname == $admin_hostname) {
-    notify{"All ${service} hostnames is equal, just public one inserted to DNS":}
-  }
-  elsif $public_hostanme == $internal_hostname {
-    if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
-      host { $admin_hostname:
-        name   => $admin_hostname,
-        ensure => present,
-        ip     => $admin_ip,
-      }
-    }
-  }
-  elsif ($public_hostname == $admin_hostname) or ($internal_hostname == $admin_hostname) {
-    if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
-      host { $internal_hostname:
-        name   => $internal_hostname,
-        ensure => present,
-        ip     => $internal_ip,
-      }
-    }
-  }
-  else {
-    if !empty($admin_hostname) and !defined(Host[$admin_hostname]) {
-      host { $admin_hostname:
-        name   => $admin_hostname,
-        ensure => present,
-        ip     => $admin_ip,
-      }
-    }
-    if !empty($internal_hostname) and !defined(Host[$internal_hostname]) {
-      host { $internal_hostname:
-        name   => $internal_hostname,
-        ensure => present,
-        ip     => $internal_ip,
-      }
-    }
-  }
-}
-
-if !empty($ssl_hash) {
-
-  hosts { $services:
-    ssl_hash => $ssl_hash,
-  }
-} elsif !empty($public_ssl_hash) {
-  host { $public_ssl_hash['hostname']:
-    ensure => present,
-    ip     => $public_vip,
-  }
-}
+include ::osnailyfacter::ssl::ssl_dns_setup
--- a/deployment/puppet/osnailyfacter/modular/ssl/ssl_keys_saving.pp
+++ b/deployment/puppet/osnailyfacter/modular/ssl/ssl_keys_saving.pp
@ -1,73 +1 @@
-notice('MODULAR: ssl_keys_saving.pp')
-
-$public_ssl_hash = hiera_hash('public_ssl')
-$ssl_hash = hiera_hash('use_ssl', {})
-$pub_certificate_content = try_get_value($public_ssl_hash, 'cert_data/content', "")
-$base_path = "/etc/pki/tls/certs"
-$pki_path = [ "/etc/pki", "/etc/pki/tls" ]
-$astute_base_path = "/var/lib/astute/haproxy"
-
-File {
-  owner => 'root',
-  group => 'root',
-  mode  => '0644',
-}
-
-file { [ $pki_path, $base_path, $astute_base_path ]:
-  ensure => directory,
-}
-
-#TODO(sbog): convert it to '.each' syntax when moving to Puppet 4
-define cert_file (
-  $ssl_hash,
-  $base_path,
-  $astute_base_path,
-  ){
-  $service = $name
-
-  $public_service = try_get_value($ssl_hash, "${service}_public", false)
-  $public_usercert = try_get_value($ssl_hash, "${service}_public_usercert", false)
-  $public_certdata = try_get_value($ssl_hash, "${service}_public_certdata/content", "")
-  $internal_service = try_get_value($ssl_hash, "${service}_internal", false)
-  $internal_usercert = try_get_value($ssl_hash, "${service}_internal_usercert", false)
-  $internal_certdata = try_get_value($ssl_hash, "${service}_internal_certdata/content", "")
-  $admin_service = try_get_value($ssl_hash, "${service}_admin", false)
-  $admin_usercert = try_get_value($ssl_hash, "${service}_admin_usercert", false)
-  $admin_certdata = try_get_value($ssl_hash, "${service}_admin_certdata/content", "")
-
-  if $ssl_hash["${service}"] {
-    if $public_service and $public_usercert and !empty($public_certdata) {
-      file { ["${base_path}/public_${service}.pem", "${astute_base_path}/public_${service}.pem"]:
-        ensure  => present,
-        content => $public_certdata,
-      }
-    }
-    if $internal_service and $internal_usercert and !empty($internal_certdata) {
-      file { ["${base_path}/internal_${service}.pem", "${astute_base_path}/internal_${service}.pem"]:
-        ensure  => present,
-        content => $internal_certdata,
-      }
-    }
-    if $admin_service and $admin_usercert and !empty($admin_certdata) {
-      file { ["${base_path}/admin_${service}.pem", "${astute_base_path}/admin_${service}.pem"]:
-        ensure  => present,
-        content => $admin_certdata,
-      }
-    }
-  }
-}
-
-if !empty($ssl_hash) {
-  $services = [ 'horizon', 'keystone', 'nova', 'heat', 'glance', 'cinder', 'neutron', 'swift', 'sahara', 'murano', 'ceilometer', 'radosgw']
-
-  cert_file { $services:
-    ssl_hash => $ssl_hash,
-    base_path => $base_path,
-    astute_base_path => $astute_base_path,
-  }
-} elsif !empty($public_ssl_hash) {
-  file { ["$base_path/public_haproxy.pem", "$astute_base_path/public_haproxy.pem"]:
-    ensure => present,
-    content => $pub_certificate_content,
-  }
-}
+include ::osnailyfacter::ssl::ssl_keys_saving