Move cobbler and nginx SSL keys to master node

To give SSL keys opportunity to survive between containers recreation, move those keys to master node instead. Change-Id: I6394f57165760b578ef4795d48a478df9788b3ff Closes-Bug: #1491849
2015-09-03 17:08:09 +03:00 · 2015-09-03 17:08:09 +03:00 · ffce5cd31f
parent b815ca389b
commit ffce5cd31f
5 changed files with 25 additions and 8 deletions
--- a/deployment/puppet/cobbler/manifests/server.pp
+++ b/deployment/puppet/cobbler/manifests/server.pp
@ -157,7 +157,14 @@ class cobbler::server (

  #TODO(mattymo): refactor this into cobbler module and use OS-dependent
  #directories
-  file { ['/etc/httpd', '/etc/httpd/conf/', '/etc/httpd/conf.d/']:
+  file { ['/etc/httpd',
+          '/etc/httpd/conf/',
+          '/etc/httpd/conf.d/',
+          '/var/lib/fuel',
+          '/var/lib/fuel/keys',
+          '/var/lib/fuel/keys/master',
+          '/var/lib/fuel/keys/master/cobbler',
+         ]:
    ensure => 'directory',
  }
  file { '/etc/httpd/conf.d/nailgun.conf':
@ -179,11 +186,12 @@ class cobbler::server (
    unit         => 'Fuel Deployment Team',
    email        => "root@${dns_domain}",
    days         => 3650,
-    base_dir     => '/etc/pki/tls/',
+    base_dir     => '/var/lib/fuel/keys/master/cobbler/',
    owner        => 'root',
    group        => 'root',
    force        => false,
    cnf_tpl      => 'openssl/cert.cnf.erb',
+    require      => File['/var/lib/fuel/keys/master/cobbler'],
    notify       => Service[$cobbler_web_service],
  }

--- a/deployment/puppet/cobbler/templates/httpd_ssl.conf.erb
+++ b/deployment/puppet/cobbler/templates/httpd_ssl.conf.erb
@ -105,14 +105,14 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase.  Note that a kill -HUP will prompt again.  A new
 # certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/cobbler.crt
+SSLCertificateFile /var/lib/fuel/keys/master/cobbler/cobbler.crt

 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/cobbler.key
+SSLCertificateKeyFile /var/lib/fuel/keys/master/cobbler/cobbler.key

 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
--- a/deployment/puppet/docker/templates/dockerctl_config.erb
+++ b/deployment/puppet/docker/templates/dockerctl_config.erb
@ -103,7 +103,7 @@ ASTUTE_VOL="--volumes-from ${CONTAINER_NAMES['astute']}"
 ###astute: mcollective
 declare -A REQS
 REQS["${HOST_VOL['astuteyaml']}"]="cobbler postgres rabbitmq rsync astute nailgun ostf nginx rsyslog mcollective keystone"
-REQS["${HOST_VOL['keys']}"]="mcollective astute ostf"
+REQS["${HOST_VOL['keys']}"]="mcollective astute ostf cobbler nginx"
 REQS["${HOST_VOL['repo']}"]="cobbler postgres rabbitmq rsync astute nailgun ostf nginx rsyslog mcollective keystone"
 REQS["${HOST_VOL['logs']}"]="cobbler postgres rabbitmq rsync astute nailgun ostf nginx rsyslog mcollective keystone"
 #Most containers work from local integrated puppet, but rsync needs to serve host puppet
--- a/deployment/puppet/nailgun/manifests/nginx.pp
+++ b/deployment/puppet/nailgun/manifests/nginx.pp
@ -33,6 +33,14 @@ class nailgun::nginx(
    ensure => latest,
  }

+  file { ['/var/lib/fuel',
+          '/var/lib/fuel/keys',
+          '/var/lib/fuel/keys/master',
+          '/var/lib/fuel/keys/master/nginx',
+         ]:
+    ensure => 'directory',
+  }
+
  file { ["/etc/nginx/conf.d/default.conf",
          "/etc/nginx/conf.d/virtual.conf",
          "/etc/nginx/conf.d/ssl.conf"]:
@ -60,10 +68,11 @@ class nailgun::nginx(
      unit         => 'Fuel Deployment Team',
      email        => "root@fuel.master.local",
      days         => 3650,
-      base_dir     => '/etc/pki/tls/',
+      base_dir     => '/var/lib/fuel/keys/master/nginx/',
      owner        => 'root',
      group        => 'root',
      force        => false,
+      require      => File['/var/lib/fuel/keys/master/nginx'],
      cnf_tpl      => 'openssl/cert.cnf.erb',
    }
  }
--- a/deployment/puppet/nailgun/templates/nginx_nailgun.conf.erb
+++ b/deployment/puppet/nailgun/templates/nginx_nailgun.conf.erb
@ -10,8 +10,8 @@ server {
    <%- end -%>
    <%- if @ssl_enabled -%>
    listen   8443 ssl;
-    ssl_certificate /etc/pki/tls/nginx.crt;
-    ssl_certificate_key /etc/pki/tls/nginx.key;
+    ssl_certificate /var/lib/fuel/keys/master/nginx/nginx.crt;
+    ssl_certificate_key /var/lib/fuel/keys/master/nginx/nginx.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    <%- end -%>