openstack/puppet-openstack-integration
Code Issues Proposed changes

scenario002: deploy RabbitMQ with SSL

Browse Source 
* Manage Puppet OpenStack CI CA and create a common certificate,
  auto-signed.
* Configure RabbitMQ to activate SSL on scenario002
* Configure OpenStack services that run on scenario002 to connect to
  RabbitMQ using SSL protocol.

Change-Id: Ic435078472ba4e0e0eaf04a64e5bcb7aabba7b3d
This commit is contained in:
Emilien Macchi
2016-02-26 19:13:28 -05:00
parent 918a6c9342
commit 2be3e3f9d2
12 changed files with 259 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -33,6 +33,7 @@ scenario](#All-In-One).
| - | scenario001 | scenario002 | scenario003 | scenario-aio |
|:----------:|:-----------:|:-----------:|:-----------:|:-------------:
| ssl | no | yes | no | no |
| keystone | X | X | X | X |
| glance | rbd | swift | file | file |
| nova | rbd | X | X | X |

49
files/puppet_openstack.pem Normal file
View File

@@ -0,0 +1,49 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJAO2foCrPQj0dMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
BAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIw
EAYDVQQKDAlPcGVuU3RhY2sxDzANBgNVBAsMBlB1cHBldDAeFw0xNjAyMjcyMzQ2
NTdaFw0xNzAyMjYyMzQ2NTdaMFkxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWVi
ZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIwEAYDVQQKDAlPcGVuU3RhY2sxDzAN
BgNVBAsMBlB1cHBldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8p
3kUc+sKhB0/9G42EEcyAJeHbi6l96phKdu63k17xSCP6KetLVI3FXZ/NbHvXMrGZ
45Z4UV47uChdI0T7rB4Thi5OgKRxKVMeCC38D7xnS4VX2HpLC+r/CMnDxPKMoZRF
ua0r2aSY59268T2fXjNz9l5RUTTXJxdjMVDg0C4QQEnoRyeprmepRU8Nh7CINjl6
IFmDDuyjVQFBDO4V2NN3T6tJwHmsn0ac2+3bvVKeov7T+tPv7dIFqgBVYKoPrzb6
B/J3+h4gLV5cNJkkCX9X8Xo9T1WteHtQGPz4IKy7mpRyn3vICqK3ztknqeh6JjVm
8vCfVgLw0M1nIFATKnECAwEAAaNQME4wHQYDVR0OBBYEFKc3gtxGBHMCwxwtE30a
Ig5+A1w8MB8GA1UdIwQYMBaAFKc3gtxGBHMCwxwtE30aIg5+A1w8MAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABWJOH+ehGGjZrycXeFjs0ypnCpDtLNi
PQhAOuoaejR/4MU801qRB+AGxjn+/pzm7t39hpdNRj+Vgx7BNOR6RmtMH68TCIzT
xFKV8T55nH9DjwlSwKDtB5oqnODL7nIJ0Gi/kQBoopOfTUPBYLQZVR/m+7PF3m0I
epdZr+NE5Qm10LEQ+v0vlmtyoDhQ2ettgJxFXURWKMq4600c6+dtGWAJlx0aN7Bb
JSpU/bGgNxLunGR545G6y9iQsi1YwjVJyBSPBIjwnQZKshPELuhmrk18eHIRW0QD
uMJ9kPyLU1r43CNNeWux0nsoyG72NAJKRIaOqIy9EPXTxjeTsYz/2Ts=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPKd5FHPrCoQdP
/RuNhBHMgCXh24upfeqYSnbut5Ne8Ugj+inrS1SNxV2fzWx71zKxmeOWeFFeO7go
XSNE+6weE4YuToCkcSlTHggt/A+8Z0uFV9h6Swvq/wjJw8TyjKGURbmtK9mkmOfd
uvE9n14zc/ZeUVE01ycXYzFQ4NAuEEBJ6Ecnqa5nqUVPDYewiDY5eiBZgw7so1UB
QQzuFdjTd0+rScB5rJ9GnNvt271SnqL+0/rT7+3SBaoAVWCqD682+gfyd/oeIC1e
XDSZJAl/V/F6PU9VrXh7UBj8+CCsu5qUcp97yAqit87ZJ6noeiY1ZvLwn1YC8NDN
ZyBQEypxAgMBAAECggEAF9jB9UK4ut6+cL66BThGtDusIKudEA2mi5FGz4PiOvOb
UkjhumwZd5hYhqSm8Dp9Y2RLhm6jLy3ArSTLgo1V6sBkmb//nu5Hy4GRf3mcdhuN
3fOWv70TyiFBabhXW3RExUShcwWxL/lJ94QlcOp/dXzLx1+k8Wgy38ZTTvQSArs3
IWVR/MAAwD0CKPijn3qZX804BTAGpuQRvqAmZ5Ysg9NI6F9zKdnPvjA3q0rKE1x9
i3SnWN93r0fspH8XtOdb7qX/5NjYWbSSdN+rjgLP7ATugjO/J94eFdPcpDVHCyb5
UKdkQ6f8W4bDCYJfXcbamR7G8zAcJU+SLllH0dkUgQKBgQDstd3Gl2rpVG8x4/JU
LxyhVhXU59lNZpdCGDcYKV5m37LvApkgYNSBptyq1x3F4dt/NbvZ4o15Jacmbasq
l1qSP9c/1VRjZwhLjhgAtfJPxKvjqvL/hg3RBoK9hm3n5fkjtsVYse+1xYTcwTBh
EIf5Evyyr8s4mrrvAf3Pz2tOlQKBgQDgC5wrQBfDKqZQBpDdcbwuMInDoBVmndgz
ZU9IZDAcpDtk4N94au6YDw5y8Bv8Y8e5XpoR0wUMvcG9hLFl/QVw6yAdzZJx+st0
50UAqFb80qsnW5DZU2GOWMY3FUmAKNQ64f8YQ1I5DfVerIzWRsSOUrDU9E4HgVTY
6BH2RFuhbQKBgQC14AsWErOnsiN5zu4b9tLlt9IwczAJA6GGvDpgyzBolMrUUEe9
lAjT0ZTNg1mx+JcBSBUdFbCj++VRZoRUxlRl+L13o38inUDHZNdWfHZBChkUZf4t
jR/CkmEUJF0ACDiEU2OQga9wF+K9B4cXnW8MVqVo2h+oT2MAT6Rn7rRBfQKBgQCO
ljT8vZyh5AnWkmct182Io/F5Y+9a0IghJY/QpZqND+SQ7iCq9XsFoUdz1OYquaIJ
knCBeYgUNMwRflqcauxEkg9tiEB0c8V6kBk1Mu2xl62/raHA/jTvMAZuVgjiHJn9
I4mC+o1grEaFy1ESqhU78tqBnT3vvtqt9PxBe/3I/QKBgQCxiTa8UVbCEsaeuZaU
v2Q/Ca6xaBPXNFG5zQzElyDT7xGqo1LrQcOZijiY39bGg4O+9jVlkWpu3nfdOYc6
LnM5U/5/2mNa4qmO/ntypQJBuAYHvEKwZnNp0jRB7XHiqenrkMCMfxABbPO1Yksj
NvVFs8W/3TAiZXoZVqKttZuE9g==
-----END PRIVATE KEY-----

22
fixtures/scenario002.pp
View File

@@ -15,17 +15,29 @@
#
include ::openstack_integration
include ::openstack_integration::rabbitmq
include ::openstack_integration::cacert
class { '::openstack_integration::rabbitmq':
ssl => true,
}
include ::openstack_integration::mysql
include ::openstack_integration::keystone
class { '::openstack_integration::glance':
backend => 'swift',
ssl => true,
}
class { '::openstack_integration::neutron':
ssl => true,
}
class { '::openstack_integration::nova':
ssl => true,
}
class { '::openstack_integration::cinder':
ssl => true,
}
include ::openstack_integration::neutron
include ::openstack_integration::nova
include ::openstack_integration::cinder
include ::openstack_integration::swift
include ::openstack_integration::ironic
class { '::openstack_integration::ironic':
ssl => true,
}
include ::openstack_integration::mongodb
include ::openstack_integration::provision

20
manifests/cacert.pp Normal file
View File

@@ -0,0 +1,20 @@
class openstack_integration::cacert {
include ::openstack_integration::params
file { $::openstack_integration::params::cert_path:
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
selinux_ignore_defaults => true,
replace => true,
}
exec { 'update-ca-certificates':
command => $::openstack_integration::params::update_ca_certs_cmd,
subscribe => File[$::openstack_integration::params::cert_path],
refreshonly => true,
}
}

13
manifests/cinder.pp
View File

@@ -5,10 +5,21 @@
# Can be 'iscsi' or 'rbd'.
# Defaults to 'iscsi'.
#
# [*ssl*]
# (optional) Boolean to enable or not SSL.
# Defaults to false.
#
class openstack_integration::cinder (
$backend = 'iscsi',
$ssl = false,
) {
if $ssl {
$rabbit_port = '5671'
} else {
$rabbit_port = '5672'
}
rabbitmq_user { 'cinder':
admin => true,
password => 'an_even_bigger_secret',
@@ -32,8 +43,10 @@ class openstack_integration::cinder (
class { '::cinder':
database_connection => 'mysql+pymysql://cinder:cinder@127.0.0.1/cinder?charset=utf8',
rabbit_host => '127.0.0.1',
rabbit_port => $rabbit_port,
rabbit_userid => 'cinder',
rabbit_password => 'an_even_bigger_secret',
rabbit_use_ssl => $ssl,
verbose => true,
debug => true,
}

13
manifests/glance.pp
View File

@@ -5,10 +5,21 @@
# Can be 'file', 'swift' or 'rbd'.
# Defaults to 'file'.
#
# [*ssl*]
# (optional) Boolean to enable or not SSL.
# Defaults to false.
#
class openstack_integration::glance (
$backend = 'file',
$ssl = false,
) {
if $ssl {
$rabbit_port = '5671'
} else {
$rabbit_port = '5672'
}
rabbitmq_user { 'glance':
admin => true,
password => 'an_even_bigger_secret',
@@ -79,7 +90,9 @@ class openstack_integration::glance (
rabbit_userid => 'glance',
rabbit_password => 'an_even_bigger_secret',
rabbit_host => '127.0.0.1',
rabbit_port => $rabbit_port,
notification_driver => 'messagingv2',
rabbit_use_ssl => $ssl,
}
}

18
manifests/ironic.pp
View File

@@ -1,4 +1,18 @@
class openstack_integration::ironic {
# Configure the Ironic service
#
# [*ssl*]
# (optional) Boolean to enable or not SSL.
# Defaults to false.
#
class openstack_integration::ironic (
$ssl = false,
) {
if $ssl {
$rabbit_port = '5671'
} else {
$rabbit_port = '5672'
}
rabbitmq_user { 'ironic':
admin => true,
@@ -18,6 +32,8 @@ class openstack_integration::ironic {
rabbit_userid => 'ironic',
rabbit_password => 'an_even_bigger_secret',
rabbit_host => '127.0.0.1',
rabbit_port => $rabbit_port,
rabbit_use_ssl => $ssl,
database_connection => 'mysql+pymysql://ironic:ironic@127.0.0.1/ironic?charset=utf8',
debug => true,
verbose => true,

18
manifests/neutron.pp
View File

@@ -1,4 +1,18 @@
class openstack_integration::neutron {
# Configure the Neutron services
#
# [*ssl*]
# (optional) Boolean to enable or not SSL.
# Defaults to false.
#
class openstack_integration::neutron (
$ssl = false,
) {
if $ssl {
$rabbit_port = '5671'
} else {
$rabbit_port = '5672'
}
rabbitmq_user { 'neutron':
admin => true,
@@ -24,6 +38,8 @@ class openstack_integration::neutron {
rabbit_user => 'neutron',
rabbit_password => 'an_even_bigger_secret',
rabbit_host => '127.0.0.1',
rabbit_port => $rabbit_port,
rabbit_use_ssl => $ssl,
allow_overlapping_ips => true,
core_plugin => 'ml2',
service_plugins => ['router', 'metering', 'firewall'],

13
manifests/nova.pp
View File

@@ -5,10 +5,21 @@
# to use Libvirt RBD backend.
# Defaults to false.
#
# [*ssl*]
# (optional) Boolean to enable or not SSL.
# Defaults to false.
#
class openstack_integration::nova (
$libvirt_rbd = false,
$ssl = false,
) {
if $ssl {
$rabbit_port = '5671'
} else {
$rabbit_port = '5672'
}
rabbitmq_user { 'nova':
admin => true,
password => 'an_even_bigger_secret',
@@ -36,8 +47,10 @@ class openstack_integration::nova (
database_connection => 'mysql+pymysql://nova:nova@127.0.0.1/nova?charset=utf8',
api_database_connection => 'mysql+pymysql://nova_api:nova@127.0.0.1/nova_api?charset=utf8',
rabbit_host => '127.0.0.1',
rabbit_port => $rabbit_port,
rabbit_userid => 'nova',
rabbit_password => 'an_even_bigger_secret',
rabbit_use_ssl => $ssl,
glance_api_servers => 'http://127.0.0.1:9292',
verbose => true,
debug => true,

19
manifests/params.pp Normal file
View File

@@ -0,0 +1,19 @@
class openstack_integration::params {
case $::osfamily {
'RedHat': {
$cacert_path = '/etc/ssl/certs/ca-bundle.crt'
$cert_path = '/etc/pki/ca-trust/source/anchors/puppet_openstack.crt'
$update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract'
}
'Debian': {
$cacert_path = '/etc/ssl/certs/puppet_openstack.pem'
$cert_path = '/usr/local/share/ca-certificates/puppet_openstack.crt'
$update_ca_certs_cmd = '/usr/sbin/update-ca-certificates'
}
default: {
fail("Unsupported osfamily: ${::osfamily} operatingsystem")
}
}
}

42
manifests/rabbitmq.pp
View File

@@ -1,4 +1,14 @@
class openstack_integration::rabbitmq {
# Configure the RabbitMQ service
#
# [*ssl*]
# (optional) Boolean to enable or not SSL.
# Defaults to false.
#
class openstack_integration::rabbitmq (
$ssl = false,
) {
include ::openstack_integration::params
case $::osfamily {
'Debian': {
@@ -12,9 +22,33 @@ class openstack_integration::rabbitmq {
}
}
class { '::rabbitmq':
delete_guest_user => true,
package_provider => $package_provider,
if $ssl {
file { '/etc/rabbitmq/ssl/private':
ensure => directory,
owner => 'root',
mode => '0755',
selinux_ignore_defaults => true,
before => File["/etc/rabbitmq/ssl/private/${::fqdn}.pem"],
}
openstack_integration::ssl_key { 'rabbitmq':
key_path => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
require => File['/etc/rabbitmq/ssl'],
notify => Service['rabbitmq-server'],
}
class { '::rabbitmq':
delete_guest_user => true,
package_provider => $package_provider,
ssl => true,
ssl_only => true,
ssl_cacert => $::openstack_integration::params::cacert_path,
ssl_cert => $::openstack_integration::params::cert_path,
ssl_key => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
}
} else {
class { '::rabbitmq':
delete_guest_user => true,
package_provider => $package_provider,
}
}
rabbitmq_vhost { '/':
provider => 'rabbitmqctl',

42
manifests/ssl_key.pp Normal file
View File

@@ -0,0 +1,42 @@
# Deploy SSL private keys
#
# [*key_path*]
# (optional) Path of SSL private key
# Defaults to undef.
#
define openstack_integration::ssl_key(
$key_path = undef,
) {
if $key_path == undef {
$_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem"
} else {
$_key_path = $key_path
}
# If the user isn't providing an unexpected path, create the directory
# structure.
if $key_path == undef {
file { "/etc/${name}/ssl":
ensure => directory,
owner => $name,
mode => '0775',
selinux_ignore_defaults => true,
}
file { "/etc/${name}/ssl/private":
ensure => directory,
owner => $name,
mode => '0755',
require => File["/etc/${name}/ssl"],
selinux_ignore_defaults => true,
before => File[$_key_path]
}
}
file { $_key_path:
ensure => present,
owner => $name,
source => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
selinux_ignore_defaults => true,
mode => '0600',
}
}