scenario002: switch Keystone/Glance/Ironic/Nova to SSL

* Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments.
* Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again
  later in a next iteration.
* Deploy Ironic API under WSGI instead of eventlet.
* Switch Glance API, Ironic API and Keystone to SSL.
* Configure Tempest with SSL endpoints when needed.
* Reduce the Ironic tests because of [1].

[1] https://bugs.launchpad.net/ironic/+bug/1554237

Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not
implemented in this patch.
Note #2: we don't enable SSL for Neutron because of
https://bugs.launchpad.net/neutron/+bug/1514424

Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014

files/ipv4.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIJALVl9IhMkdcmMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
+BAMMCTEyNy4wLjAuMTAeFw0xNjAzMTExNTE2MTRaFw0yNjAzMDkxNTE2MTRaMBQx
+EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAJv5aTwsONF3PdTWoikEzndOxKqrS1RbgvBGjmqgDC/0JtVtJN1jmhBG0FyK
+PJeLIFa8JAktgai0OPShBEwRadiZry35tvw4cNX3EQeLhd7n/YC4qhyobDwgCOCb
+4r/WPGMAU/tsizymkcTwSw7h7u4vyGcmFj5aPW8Fd8zBk/V8CShpxjNby+teJnce
+APzW+pPvXibKaCzdP6o9enRxjVCAAsqj1LkVhP40+GBWcoXGlTJivgQfUZeGQaZC
+ggOOAf9D1lHV3u3OAdfz7gaoeCwzpi+AmRcg3TWmgbA6myoQJe0EGUoveRlY9n51
+px/nXjzdgHxEmGoLGkAHNqrhNj8CAwEAAaNQME4wHQYDVR0OBBYEFHTKFpvR+QEl
+hqOTw9pQcJUqtM4EMB8GA1UdIwQYMBaAFHTKFpvR+QElhqOTw9pQcJUqtM4EMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADyUrEaBXwH9GNaUKoGI+N6Y
+Hv975u1PyefaawF23S3PcvS6lnKqEMr5zVXG/aGdF+Lfy2u7Mz8c+OBso2qbKZTO
+MToLQ8o3WEezcadRRbQmHEoAR57eXGaSW1kiUah2TiqMvrMj24bYYaTZgGPVgVZq
+NcPvQYnZKTV1DiBJNxPAO4H8CEo4T46cZS37QxOZITCKjKLnfeFfNQHmfTqe8RG+
+8xQcv4NChPj09ITUaGzLKOAEo+fS7irTWtDv7WRyQoPAMkJ1ZLS1q6ED4iAX6/ec
+mRv1TT+aaQq14xYGVadALQS1ge9d9+pKWl3QG/zxnzcFCVYvdUg27gAxUpJTzb0=
+-----END CERTIFICATE-----

files/ipv4.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAm/lpPCw40Xc91NaiKQTOd07EqqtLVFuC8EaOaqAML/Qm1W0k
+3WOaEEbQXIo8l4sgVrwkCS2BqLQ49KEETBFp2JmvLfm2/Dhw1fcRB4uF3uf9gLiq
+HKhsPCAI4Jviv9Y8YwBT+2yLPKaRxPBLDuHu7i/IZyYWPlo9bwV3zMGT9XwJKGnG
+M1vL614mdx4A/Nb6k+9eJspoLN0/qj16dHGNUIACyqPUuRWE/jT4YFZyhcaVMmK+
+BB9Rl4ZBpkKCA44B/0PWUdXe7c4B1/PuBqh4LDOmL4CZFyDdNaaBsDqbKhAl7QQZ
+Si95GVj2fnWnH+dePN2AfESYagsaQAc2quE2PwIDAQABAoIBADhK8u0xtKv80kcP
+0+TkBDRRLG/AdOaURJS9kkbvTpa8Eovy4Vw5x2/abvcHOUkkgF5tdsANOX+O1AOO
+XYOqwT3Ycb4xIxaytB61FeNYOs+xgO/FNjgznSSyFyIhgNvl0VOV2bmjejlAkNm4
+NA7CAj7a5gQ8XcjRPtzj51HyB5mQQ2TEAhVTEhaj3qqWCPJYwXZrMV0qxnT3C5ML
+ZFigxapPRbvznGhzZ6qzoZxOkXc2pdvpyzwuGNkbKI03GXJ6Jv9NSoXOzGs+qXy0
+mXd7PGNF+fpqvdRYnM1aGSuBlAokpgpE2Gp4gwBRUD1zLO7/rDNGMBRklWn9hfCc
+4Xg68MkCgYEAzAFQo9OYtCn/wz7Vi31qCRYhoLqf9HqCrobA0ueBq7IsoniJ/Zae
+FaPeYHLS1ob1rK1HBtQ/FuG17UncaxbFR6zV2vayD9r7n9j9BrMHVDWDoBoSdEbv
+z8uE95WWUHRROCMra0Gp0iAQdt9XJJhw09N7LIvFVGG5FEOIxVcDx5UCgYEAw7o8
+DSg3S+eIFfsdI5K8vpaXqLP/YT77/83rYcYBmHxMYk9LRAweZwdamwCSXSBE6Pfs
+i/LlCNW99J2Dv6bRFsd9XQtyDsy9s+FDyhesI2JtmW/I8ocm9q+0C/x1bri5vhpA
+ueciKSVJZtFE6AFQeTbYurW1nGLxfhFUlrLggYMCgYABQFjQSHH9WOyas/33VxOZ
+bqtSIxLsGvxGOclhAc6H0RX5AShHh+78Tv8ENHAapMVJA98VqaOhbk0BYZyag48+
+O08sgqrg8gTtHBWhPuPinllqV/6Y+/5oleUA58f+QlhlMcIIbGSwR0YSlJgiP1Uh
+14A/67OQKvFJsIhcPYZmaQKBgQCdFoCR8sAGvKndMnDdlyzDLmxEK0sBSqLIWQXc
+sCWhs8k+cfOvhqZz/FP86YWPFpIYBLumSukFoT7W8ADIteNEjBGSttfxBuQOVfKp
+ZTx0HdBnAG/gLxbXkIdJw3KgzcPNzpY6XkZtjY6O5dCPAFcNIjbqC2LaRBMcIl6o
+oKJNbwKBgHrwN/ugJvM4xacKza8/L1boRAjSoTlgB0gONH8oY3wylipsFA0lIC5+
+wa5MjKtAYBdgpRI95sx3A4ejDI668ixLlzclNZv2JkrhqpF0SrLhmXVio/Co2of2
+40BmtGjoZL4juSrOlugi4rZd5jfLuiaVSe6qmMOMoJjEvqlihVyb
+-----END RSA PRIVATE KEY-----

files/ipv6.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIJAJnJp20/d69bMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNV
+BAMMAzo6MTAeFw0xNjAzMTExNTE3MDNaFw0yNjAzMDkxNTE3MDNaMA4xDDAKBgNV
+BAMMAzo6MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB7u7Apm69h
+t/pDFi3sRnMg0g/bmLS0lxOjb76TQd/XC77zZSfujvaxbhuxwb3BjxrT8ZxL9R34
+GkkTrDEk51sMOXppDJqUcPhcCCOqqlXRPeGg5e71g2mod0pozLxQus8sDMWFvdJ5
+j8v/LUGKZMaOZpIVbpZ7O7dHlMVf/RG+mX8zY3vZgqLmPx3FaVriFwWQdE0h5Q2u
+iuL9ewU/UDCfZMbK3Z/budkUd5K6QhTtGWhQLr+sLOWLJtWiPQ/g6RMBTd5mEy2F
+gH4zLrHpmSpCHo1KaX3ZlRtPcW99ggN6J/7tlcXfVaE9gv/zWrc9aNVNC/GH83LH
+OODODTMTuwMCAwEAAaNQME4wHQYDVR0OBBYEFMnKFXEhjiEZsgp2T5qzBXXFRpQ+
+MB8GA1UdIwQYMBaAFMnKFXEhjiEZsgp2T5qzBXXFRpQ+MAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQEFBQADggEBAAXkgS/NZQffVNiL9hfBQwbSJY+vPgJ4rj1SCt7g
+nNwxw9WUk98zyYRQj/VQDv4Q0rKY9RRIf3/gqsDiTyYbVK665cbz61PDac57kzB6
+pYmHPyAJyfgi2TtoDCejxVIk7HEfxIctrvN/QOxM+xB8FpP9roKsmcdivWlsIhAP
+JCR5beVBEjBeXXRfJxr87kTx4REXUcvMyrJ45Uign/TuHmtfgfkelLTYiVIElB0a
+n/L6M/06et73zZg+A+xlXDRlWbN+38JR+6KKwWztUnjaErhgqkm7mDYlWFwlcE9S
+JoUeAYL1R0LWdGwV2l/iDC8iLPVfV9GgNOvn9Op9CmzP5Os=
+-----END CERTIFICATE-----

files/ipv6.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsHu7sCmbr2G3+kMWLexGcyDSD9uYtLSXE6NvvpNB39cLvvNl
+J+6O9rFuG7HBvcGPGtPxnEv1HfgaSROsMSTnWww5emkMmpRw+FwII6qqVdE94aDl
+7vWDaah3SmjMvFC6zywMxYW90nmPy/8tQYpkxo5mkhVulns7t0eUxV/9Eb6ZfzNj
+e9mCouY/HcVpWuIXBZB0TSHlDa6K4v17BT9QMJ9kxsrdn9u52RR3krpCFO0ZaFAu
+v6ws5Ysm1aI9D+DpEwFN3mYTLYWAfjMusemZKkIejUppfdmVG09xb32CA3on/u2V
+xd9VoT2C//Natz1o1U0L8Yfzcsc44M4NMxO7AwIDAQABAoIBAFGzBiE4MdVP9H6L
+fgIGZlq3r+cdbqUBEQtLVtivjQhVoh9kx8hjnJVBcEqr0JfKujfeM/R6CWA1Ud3Q
+mJ8riVrR3u33IZmR7HZdDHuOb0pJEk+YT7l+uLY6AfdVaqom6UQtDUCHeGeuVM5I
+NCgqLBrrIzqvZ0GMjQl8vrdch2glwWJizNGcOn+NYIG7oBT/PoWOCxJy5/NfWxfJ
+p8qlW5mLEBN7HNLEEHPdLL1OBYrrF6ZlrlZe36+BhoOai06VmTOQe3Ig3wTZNhsI
+eGwWkHQrwi4nGB/5nAailUhz1T0yIYtWHiiEgaGo2LUOeOEnG43oyrIEQGo+q6d4
+hOjbwYECgYEA6o0fh37GbFWcnV/ZNoxoSOn+S/bok7/qiR5OC8yGe8HaFUnH6jot
+UFqtvxlZAQK4yyvfBxgpmM7urb2PslP/EhzzdlcDJzN9fX9qFcpWsgOJoIONdr6Z
+wiCKTYONcAde7c2EWc3J18YyRVaYx1jhTDNA/bg9FSwFxWvYkboCQkMCgYEAwJ87
+XT8gb2Iwhz7laE56LjFWDpR2cGDmgYJ9zkgG+M9HYHYBo+u8izq7VOS4tOzV57O3
+86rgAwTwt7pkuF+3AqKA+mXcEI7GLc658n+kr4WYd5vqV504njtOnNZv0u1wIevi
+iwCXnvcDBOiR1iiNB4EPYiqehvkKhlkr0dlw+EECgYB86xxXtZVILXB0AJBXFQCV
+lMny+1VzG0t2K8W1UwBs+RmFLP5kKQfpO+I9XOqiNyjkTEFELgI5eDx2G/dkKog2
+xWSFKmJrhmjXZfzCDjmOJYQvEOFO1MRfN6VxExdJCyPr0wEiMw/E87Hia/SCdzvG
+saVze6RMml2Yf4+gTUjWsQKBgQCdiZ2jxd1hO401D9vQU17aKL+ZbRLxFk9v3KnH
+7GDHXb+ixODSkBrERGSyKd5nGsxXlET+pOJRldjKa0e1A5NKNF4IbQZvBFZRYKH0
+EzE93KW2LW6b+Zo0z4yb+UW73TW4iJPf27wl5yAxA4VDAidV29gZEYJWIZjaCFQu
+bQhYAQKBgF8TutgmCecVc7HUGD4926rLGZRWpOHK+7z4OxVdHPaTBPGt/Z9YriBj
+TkNUUUf7DpG1AtCK8q94XnAGuEjJIh4jMPoDm+MrFYPzzdsjvoRW3shnZ274kr5h
+fLfx9ecAuRtnniDMgnR6qMYfQ7GShes+UU3Imol0k5txXJQIRTbq
+-----END RSA PRIVATE KEY-----

files/puppet_openstack.pem

@@ -1,49 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDhTCCAm2gAwIBAgIJAO2foCrPQj0dMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
-BAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIw
-EAYDVQQKDAlPcGVuU3RhY2sxDzANBgNVBAsMBlB1cHBldDAeFw0xNjAyMjcyMzQ2
-NTdaFw0xNzAyMjYyMzQ2NTdaMFkxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWVi
-ZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIwEAYDVQQKDAlPcGVuU3RhY2sxDzAN
-BgNVBAsMBlB1cHBldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8p
-3kUc+sKhB0/9G42EEcyAJeHbi6l96phKdu63k17xSCP6KetLVI3FXZ/NbHvXMrGZ
-45Z4UV47uChdI0T7rB4Thi5OgKRxKVMeCC38D7xnS4VX2HpLC+r/CMnDxPKMoZRF
-ua0r2aSY59268T2fXjNz9l5RUTTXJxdjMVDg0C4QQEnoRyeprmepRU8Nh7CINjl6
-IFmDDuyjVQFBDO4V2NN3T6tJwHmsn0ac2+3bvVKeov7T+tPv7dIFqgBVYKoPrzb6
-B/J3+h4gLV5cNJkkCX9X8Xo9T1WteHtQGPz4IKy7mpRyn3vICqK3ztknqeh6JjVm
-8vCfVgLw0M1nIFATKnECAwEAAaNQME4wHQYDVR0OBBYEFKc3gtxGBHMCwxwtE30a
-Ig5+A1w8MB8GA1UdIwQYMBaAFKc3gtxGBHMCwxwtE30aIg5+A1w8MAwGA1UdEwQF
-MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABWJOH+ehGGjZrycXeFjs0ypnCpDtLNi
-PQhAOuoaejR/4MU801qRB+AGxjn+/pzm7t39hpdNRj+Vgx7BNOR6RmtMH68TCIzT
-xFKV8T55nH9DjwlSwKDtB5oqnODL7nIJ0Gi/kQBoopOfTUPBYLQZVR/m+7PF3m0I
-epdZr+NE5Qm10LEQ+v0vlmtyoDhQ2ettgJxFXURWKMq4600c6+dtGWAJlx0aN7Bb
-JSpU/bGgNxLunGR545G6y9iQsi1YwjVJyBSPBIjwnQZKshPELuhmrk18eHIRW0QD
-uMJ9kPyLU1r43CNNeWux0nsoyG72NAJKRIaOqIy9EPXTxjeTsYz/2Ts=
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPKd5FHPrCoQdP
-/RuNhBHMgCXh24upfeqYSnbut5Ne8Ugj+inrS1SNxV2fzWx71zKxmeOWeFFeO7go
-XSNE+6weE4YuToCkcSlTHggt/A+8Z0uFV9h6Swvq/wjJw8TyjKGURbmtK9mkmOfd
-uvE9n14zc/ZeUVE01ycXYzFQ4NAuEEBJ6Ecnqa5nqUVPDYewiDY5eiBZgw7so1UB
-QQzuFdjTd0+rScB5rJ9GnNvt271SnqL+0/rT7+3SBaoAVWCqD682+gfyd/oeIC1e
-XDSZJAl/V/F6PU9VrXh7UBj8+CCsu5qUcp97yAqit87ZJ6noeiY1ZvLwn1YC8NDN
-ZyBQEypxAgMBAAECggEAF9jB9UK4ut6+cL66BThGtDusIKudEA2mi5FGz4PiOvOb
-UkjhumwZd5hYhqSm8Dp9Y2RLhm6jLy3ArSTLgo1V6sBkmb//nu5Hy4GRf3mcdhuN
-3fOWv70TyiFBabhXW3RExUShcwWxL/lJ94QlcOp/dXzLx1+k8Wgy38ZTTvQSArs3
-IWVR/MAAwD0CKPijn3qZX804BTAGpuQRvqAmZ5Ysg9NI6F9zKdnPvjA3q0rKE1x9
-i3SnWN93r0fspH8XtOdb7qX/5NjYWbSSdN+rjgLP7ATugjO/J94eFdPcpDVHCyb5
-UKdkQ6f8W4bDCYJfXcbamR7G8zAcJU+SLllH0dkUgQKBgQDstd3Gl2rpVG8x4/JU
-LxyhVhXU59lNZpdCGDcYKV5m37LvApkgYNSBptyq1x3F4dt/NbvZ4o15Jacmbasq
-l1qSP9c/1VRjZwhLjhgAtfJPxKvjqvL/hg3RBoK9hm3n5fkjtsVYse+1xYTcwTBh
-EIf5Evyyr8s4mrrvAf3Pz2tOlQKBgQDgC5wrQBfDKqZQBpDdcbwuMInDoBVmndgz
-ZU9IZDAcpDtk4N94au6YDw5y8Bv8Y8e5XpoR0wUMvcG9hLFl/QVw6yAdzZJx+st0
-50UAqFb80qsnW5DZU2GOWMY3FUmAKNQ64f8YQ1I5DfVerIzWRsSOUrDU9E4HgVTY
-6BH2RFuhbQKBgQC14AsWErOnsiN5zu4b9tLlt9IwczAJA6GGvDpgyzBolMrUUEe9
-lAjT0ZTNg1mx+JcBSBUdFbCj++VRZoRUxlRl+L13o38inUDHZNdWfHZBChkUZf4t
-jR/CkmEUJF0ACDiEU2OQga9wF+K9B4cXnW8MVqVo2h+oT2MAT6Rn7rRBfQKBgQCO
-ljT8vZyh5AnWkmct182Io/F5Y+9a0IghJY/QpZqND+SQ7iCq9XsFoUdz1OYquaIJ
-knCBeYgUNMwRflqcauxEkg9tiEB0c8V6kBk1Mu2xl62/raHA/jTvMAZuVgjiHJn9
-I4mC+o1grEaFy1ESqhU78tqBnT3vvtqt9PxBe/3I/QKBgQCxiTa8UVbCEsaeuZaU
-v2Q/Ca6xaBPXNFG5zQzElyDT7xGqo1LrQcOZijiY39bGg4O+9jVlkWpu3nfdOYc6
-LnM5U/5/2mNa4qmO/ntypQJBuAYHvEKwZnNp0jRB7XHiqenrkMCMfxABbPO1Yksj
-NvVFs8W/3TAiZXoZVqKttZuE9g==
------END PRIVATE KEY-----

fixtures/scenario002.pp

@@ -35,7 +35,6 @@ case $::osfamily {
 include ::openstack_integration
 class { '::openstack_integration::config':
   ssl => true,
-  ipv6 => true,
 }
 include ::openstack_integration::cacert
 include ::openstack_integration::rabbitmq

manifests/cacert.pp

@@ -1,13 +1,14 @@
 class openstack_integration::cacert {
 
   include ::openstack_integration::params
+  include ::openstack_integration::config
 
   file { $::openstack_integration::params::cert_path:
     ensure                  => present,
     owner                   => 'root',
     group                   => 'root',
     mode                    => '0444',
-    source                  => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
+    source                  => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.crt",
     selinux_ignore_defaults => true,
     replace                 => true,
   }

manifests/cinder.pp

@@ -43,7 +43,8 @@ class openstack_integration::cinder (
   }
   class { '::cinder::api':
     keystone_password   => 'a_big_secret',
-    identity_uri        => 'http://127.0.0.1:35357/',
+    auth_uri            => $::openstack_integration::config::keystone_auth_uri,
+    identity_uri        => $::openstack_integration::config::keystone_admin_uri,
     default_volume_type => 'BACKEND_1',
     service_workers     => 2,
   }
@@ -55,7 +56,7 @@ class openstack_integration::cinder (
   }
   class { '::cinder::cron::db_purge': }
   class { '::cinder::glance':
-    glance_api_servers  => 'localhost:9292',
+    glance_api_servers  => "${::openstack_integration::config::proto}://127.0.0.1:9292",
   }
   case $backend {
     'iscsi': {

manifests/config.pp

@@ -15,8 +15,10 @@ class openstack_integration::config (
 
   if $ssl {
     $rabbit_port = '5671'
+    $proto       = 'https'
   } else {
     $rabbit_port = '5672'
+    $proto       = 'http'
   }
 
   if $ipv6 {
@@ -25,9 +27,14 @@ class openstack_integration::config (
       'RABBITMQ_NODE_IP_ADDRESS'   => '::1',
       'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"',
     }
+    $ip_version  = '6'
   } else {
     $rabbit_host = '127.0.0.1'
     $rabbit_env  = {}
+    $ip_version  = '4'
   }
 
+  $keystone_auth_uri  = "${proto}://127.0.0.1:5000"
+  $keystone_admin_uri = "${proto}://127.0.0.1:35357"
+
 }

manifests/glance.pp

@@ -10,6 +10,21 @@ class openstack_integration::glance (
 ) {
 
   include ::openstack_integration::config
+  include ::openstack_integration::params
+
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'glance':
+      notify => [Service['glance-api'], Service['glance-registry']],
+    }
+    Package<| tag == 'glance-package' |> -> File['/etc/glance/ssl']
+    $key_file  = "/etc/glance/ssl/private/${::fqdn}.pem"
+    $crt_file = $::openstack_integration::params::cert_path
+    Exec['update-ca-certificates'] ~> Service['glance-api']
+    Exec['update-ca-certificates'] ~> Service['glance-registry']
+  } else {
+    $key_file = undef
+    $crt_file  = undef
+  }
 
   rabbitmq_user { 'glance':
     admin    => true,
@@ -31,6 +46,9 @@ class openstack_integration::glance (
   include ::glance
   include ::glance::client
   class { '::glance::keystone::auth':
+    public_url   => "${::openstack_integration::config::proto}://127.0.0.1:9292",
+    internal_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
+    admin_url    => "${::openstack_integration::config::proto}://127.0.0.1:9292",
     password     => 'a_big_secret',
   }
   case $backend {
@@ -54,6 +72,7 @@ class openstack_integration::glance (
         swift_store_user                    => 'services:glance',
         swift_store_key                     => 'a_big_secret',
         swift_store_create_container_on_put => 'True',
+        swift_store_auth_address            => "${::openstack_integration::config::proto}://127.0.0.1:5000/v2.0",
       }
     }
     default: {
@@ -70,6 +89,13 @@ class openstack_integration::glance (
     workers                   => 2,
     stores                    => $glance_stores,
     default_store             => $backend,
+    auth_uri                  => $::openstack_integration::config::keystone_auth_uri,
+    identity_uri              => $::openstack_integration::config::keystone_admin_uri,
+    registry_client_protocol  => $::openstack_integration::config::proto,
+    registry_client_cert_file => $crt_file,
+    registry_client_key_file  => $key_file,
+    cert_file                 => $crt_file,
+    key_file                  => $key_file,
   }
   class { '::glance::registry':
     debug               => true,
@@ -77,6 +103,10 @@ class openstack_integration::glance (
     database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8',
     keystone_password   => 'a_big_secret',
     workers             => 2,
+    auth_uri            => $::openstack_integration::config::keystone_auth_uri,
+    identity_uri        => $::openstack_integration::config::keystone_admin_uri,
+    cert_file           => $crt_file,
+    key_file            => $key_file,
   }
   class { '::glance::notify::rabbitmq':
     rabbit_userid       => 'glance',

manifests/ironic.pp

@@ -1,6 +1,15 @@
 class openstack_integration::ironic {
 
   include ::openstack_integration::config
+  include ::openstack_integration::params
+
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'ironic':
+      notify  => Service['httpd'],
+      require => Package['ironic-common'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
 
   rabbitmq_user { 'ironic':
     admin    => true,
@@ -31,12 +40,25 @@ class openstack_integration::ironic {
     password => 'ironic',
   }
   class { '::ironic::keystone::auth':
+    public_url   => "${::openstack_integration::config::proto}://127.0.0.1:6385",
+    internal_url => "${::openstack_integration::config::proto}://127.0.0.1:6385",
+    admin_url    => "${::openstack_integration::config::proto}://127.0.0.1:6385",
     password     => 'a_big_secret',
   }
   class { '::ironic::client': }
   class { '::ironic::api':
+    auth_uri       => $::openstack_integration::config::keystone_auth_uri,
+    identity_uri   => $::openstack_integration::config::keystone_admin_uri,
+    neutron_url    => 'http://127.0.0.1:9696',
     admin_password => 'a_big_secret',
-    workers        => '2',
+    service_name   => 'httpd',
+  }
+  include ::apache
+  class { '::ironic::wsgi::apache':
+    ssl      => $::openstack_integration::config::ssl,
+    ssl_key  => "/etc/ironic/ssl/private/${::fqdn}.pem",
+    ssl_cert => $::openstack_integration::params::cert_path,
+    workers  => 2,
   }
   class { '::ironic::conductor': }
   Rabbitmq_user_permissions['ironic@/'] -> Service<| tag == 'ironic-service' |>

manifests/keystone.pp

@@ -16,6 +16,17 @@ class openstack_integration::keystone (
   $using_domain_config = false,
 ) {
 
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'keystone':
+      notify  => Service['httpd'],
+      require => Package['keystone'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
   class { '::keystone::client': }
   class { '::keystone::cron::token_flush': }
   class { '::keystone::db::mysql':
@@ -30,10 +41,13 @@ class openstack_integration::keystone (
     service_name        => 'httpd',
     default_domain      => $default_domain,
     using_domain_config => $using_domain_config,
+    enable_ssl          => $::openstack_integration::config::ssl,
   }
   include ::apache
   class { '::keystone::wsgi::apache':
-    ssl     => false,
+    ssl      => $::openstack_integration::config::ssl,
+    ssl_key  => "/etc/keystone/ssl/private/${::fqdn}.pem",
+    ssl_cert => $::openstack_integration::params::cert_path,
     workers  => 2,
   }
   class { '::keystone::roles::admin':
@@ -42,6 +56,8 @@ class openstack_integration::keystone (
   }
   class { '::keystone::endpoint':
     default_domain => $default_domain,
+    public_url     => $::openstack_integration::config::keystone_auth_uri,
+    admin_url      => $::openstack_integration::config::keystone_admin_uri,
   }
   class { '::keystone::disable_admin_token_auth': }
 
@@ -49,5 +65,6 @@ class openstack_integration::keystone (
     password       => 'a_big_secret',
     project_domain => 'default',
     user_domain    => 'default',
+    auth_url       => "${::openstack_integration::config::keystone_auth_uri}/v3/",
   }
 }

manifests/neutron.pp

@@ -41,6 +41,8 @@ class openstack_integration::neutron {
     sync_db             => true,
     api_workers         => 2,
     rpc_workers         => 2,
+    auth_uri            => $::openstack_integration::config::keystone_auth_uri,
+    auth_url            => $::openstack_integration::config::keystone_admin_uri,
   }
   class { '::neutron::plugins::ml2':
     type_drivers         => ['vxlan'],
@@ -54,9 +56,10 @@ class openstack_integration::neutron {
   }
   class { '::neutron::agents::metadata':
     debug            => true,
-    auth_password    => 'a_big_secret',
     shared_secret    => 'a_big_secret',
     metadata_workers => 2,
+    auth_url         => "${::openstack_integration::config::keystone_admin_uri}/v2.0",
+    auth_password    => 'a_big_secret',
   }
   class { '::neutron::agents::lbaas':
     debug => true,
@@ -71,6 +74,7 @@ class openstack_integration::neutron {
     debug => true,
   }
   class { '::neutron::server::notifications':
+    auth_url => $::openstack_integration::config::keystone_admin_uri,
     password => 'a_big_secret',
   }
   class { '::neutron::services::fwaas':

manifests/nova.pp

@@ -10,6 +10,15 @@ class openstack_integration::nova (
 ) {
 
   include ::openstack_integration::config
+  include ::openstack_integration::params
+
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'nova':
+      notify  => Service['httpd'],
+      require => Package['nova-common'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
 
   rabbitmq_user { 'nova':
     admin    => true,
@@ -32,6 +41,12 @@ class openstack_integration::nova (
     password => 'nova',
   }
   class { '::nova::keystone::auth':
+    public_url      => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s",
+    public_url_v3   => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s",
+    internal_url    => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s",
+    internal_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s",
+    admin_url       => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s",
+    admin_url_v3    => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s",
     password        => 'a_big_secret',
   }
   class { '::nova':
@@ -42,7 +57,7 @@ class openstack_integration::nova (
     rabbit_userid           => 'nova',
     rabbit_password         => 'an_even_bigger_secret',
     rabbit_use_ssl          => $::openstack_integration::config::ssl,
-    glance_api_servers      => 'http://127.0.0.1:9292',
+    glance_api_servers      => "${::openstack_integration::config::proto}://127.0.0.1:9292",
     verbose                 => true,
     debug                   => true,
     notification_driver     => 'messagingv2',
@@ -50,7 +65,8 @@ class openstack_integration::nova (
   }
   class { '::nova::api':
     admin_password                       => 'a_big_secret',
-    identity_uri                         => 'http://127.0.0.1:35357/',
+    auth_uri                             => $::openstack_integration::config::keystone_auth_uri,
+    identity_uri                         => $::openstack_integration::config::keystone_admin_uri,
     osapi_v3                             => true,
     neutron_metadata_proxy_shared_secret => 'a_big_secret',
     metadata_workers                     => 2,
@@ -60,7 +76,9 @@ class openstack_integration::nova (
   }
   include ::apache
   class { '::nova::wsgi::apache':
-    ssl     => false,
+    ssl_key  => "/etc/nova/ssl/private/${::fqdn}.pem",
+    ssl_cert => $::openstack_integration::params::cert_path,
+    ssl      => $::openstack_integration::config::ssl,
     workers  => '2',
   }
   class { '::nova::client': }
@@ -95,6 +113,7 @@ class openstack_integration::nova (
   class { '::nova::vncproxy': }
 
   class { '::nova::network::neutron':
+    neutron_auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
     neutron_password => 'a_big_secret',
   }
 

manifests/params.pp

@@ -2,14 +2,14 @@ class openstack_integration::params {
 
   case $::osfamily {
     'RedHat': {
-      $cacert_path         = '/etc/ssl/certs/ca-bundle.crt'
+      $ca_bundle_cert_path = '/etc/ssl/certs/ca-bundle.crt'
-      $cert_path           = '/etc/pki/ca-trust/source/anchors/puppet_openstack.crt'
+      $cert_path           = '/etc/pki/ca-trust/source/anchors/puppet_openstack.pem'
       $update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract'
     }
     'Debian': {
-      $cacert_path         = '/etc/ssl/certs/puppet_openstack.pem'
+      $ca_bundle_cert_path = '/etc/ssl/certs/puppet_openstack.pem'
       $cert_path           = '/usr/local/share/ca-certificates/puppet_openstack.crt'
-      $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates'
+      $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates -f'
     }
     default: {
       fail("Unsupported osfamily: ${::osfamily} operatingsystem")

manifests/provision.pp

@@ -2,7 +2,9 @@
 
 class openstack_integration::provision {
 
-  $os_auth_options = '--os-username admin --os-password a_big_secret --os-tenant-name openstack --os-auth-url http://127.0.0.1:5000/v2.0'
+  include ::openstack_integration::config
+
+  $os_auth_options = "--os-username admin --os-password a_big_secret --os-tenant-name openstack --os-auth-url ${::openstack_integration::config::keystone_auth_uri}/v2.0"
 
   exec { 'manage_m1.nano_nova_flavor':
     path     => '/usr/bin:/bin:/usr/sbin:/sbin',

manifests/rabbitmq.pp

@@ -25,7 +25,7 @@ class openstack_integration::rabbitmq {
     }
     openstack_integration::ssl_key { 'rabbitmq':
       key_path => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
-      require  => File['/etc/rabbitmq/ssl'],
+      require  => File['/etc/rabbitmq/ssl/private'],
       notify   => Service['rabbitmq-server'],
     }
     class { '::rabbitmq':
@@ -33,7 +33,7 @@ class openstack_integration::rabbitmq {
       package_provider      => $package_provider,
       ssl                   => true,
       ssl_only              => true,
-      ssl_cacert            => $::openstack_integration::params::cacert_path,
+      ssl_cacert            => $::openstack_integration::params::ca_bundle_cert_path,
       ssl_cert              => $::openstack_integration::params::cert_path,
       ssl_key               => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
       environment_variables => $::openstack_integration::config::rabbit_env,

manifests/ssl_key.pp

@@ -7,6 +7,9 @@
 define openstack_integration::ssl_key(
   $key_path = undef,
 ) {
+
+  include ::openstack_integration::config
+
   if $key_path == undef {
     $_key_path  = "/etc/${name}/ssl/private/${::fqdn}.pem"
   } else {
@@ -35,7 +38,7 @@ define openstack_integration::ssl_key(
   file { $_key_path:
     ensure                  => present,
     owner                   => $name,
-    source                  => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
+    source                  => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.key",
     selinux_ignore_defaults => true,
     mode                    => '0600',
   }

manifests/swift.pp

@@ -1,5 +1,7 @@
 class openstack_integration::swift {
 
+  include ::openstack_integration::config
+
   include ::memcached
   class { '::swift':
     swift_hash_suffix => 'secrete',
@@ -20,8 +22,8 @@ class openstack_integration::swift {
   include ::swift::proxy::tempurl
   include ::swift::proxy::ratelimit
   class { '::swift::proxy::authtoken':
-    auth_uri       => 'http://127.0.0.1:5000/v2.0',
+    auth_uri       => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
-    identity_uri   => 'http://127.0.0.1:35357/',
+    identity_uri   => "${::openstack_integration::config::keystone_admin_uri}/",
     admin_password => 'a_big_secret',
   }
   class { '::swift::proxy::keystone':

manifests/tempest.pp

@@ -63,6 +63,9 @@ class openstack_integration::tempest (
   $trove      = false,
 ) {
 
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   class { '::tempest':
     debug                  => true,
     use_stderr             => false,
@@ -74,8 +77,8 @@ class openstack_integration::tempest (
     tempest_config_file    => '/tmp/openstack/tempest/etc/tempest.conf',
     configure_images       => true,
     configure_networks     => true,
-    identity_uri           => 'http://127.0.0.1:5000/v2.0',
+    identity_uri           => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
-    identity_uri_v3        => 'http://127.0.0.1:5000/v3',
+    identity_uri_v3        => "${::openstack_integration::config::keystone_auth_uri}/v3",
     admin_username         => 'admin',
     admin_tenant_name      => 'openstack',
     admin_password         => 'a_big_secret',
@@ -103,6 +106,7 @@ class openstack_integration::tempest (
     image_alt_ssh_user     => 'cirros',
     img_file               => 'cirros-0.3.4-x86_64-disk.img',
     compute_build_interval => 10,
+    ca_certificates_file   => $::openstack_integration::params::ca_bundle_cert_path,
     # TODO(emilien) optimization by 1/ using Hiera to configure Glance image source
     # and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image.
     # img_dir              => '/home/jenkins/cache/files',

run_tests.sh

@@ -115,11 +115,21 @@ wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img -P /tmp
 
 set +e
 # Select what to test:
-# - smoke suite
+# Smoke suite
-# - dashboard (horizon)
+TESTS="smoke"
-# - TelemetryAlarming (Aodh)
+
-# - api.baremetal (Ironic)
+# Horizon
-cd /tmp/openstack/tempest; tox -eall -- --concurrency=2 smoke dashboard TelemetryAlarming api.baremetal
+TESTS="${TESTS} dashbboard"
+
+# Aodh
+TESTS="${TESTS} TelemetryAlarming"
+
+# Ironic
+# Note: running all Ironic tests under SSL is not working
+# https://bugs.launchpad.net/ironic/+bug/1554237
+TESTS="${TESTS} api.baremetal.admin.test_drivers"
+
+cd /tmp/openstack/tempest; tox -eall -- --concurrency=2 $TESTS
 RESULT=$?
 set -e
 /tmp/openstack/tempest/.tox/all/bin/testr last --subunit > /tmp/openstack/tempest/testrepository.subunit