From dbd4fc4fca2e31c45de6e0d51eb940e79c534d69 Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Tue, 29 Mar 2016 20:51:03 -0400
Subject: [PATCH] scenario001: enable SSL by default

This patch enables SSL by default on scenario001 for both Ubuntu &
CentOS7, like it's done for scenario002.

Change-Id: If7a6ae3825052420ac76b5c8899ce68f003cb903
---
 README.md               |  2 +-
 fixtures/scenario001.pp |  4 ++++
 manifests/aodh.pp       | 36 ++++++++++++++++++++++++++++--------
 manifests/ceilometer.pp | 33 +++++++++++++++++++++++++++------
 manifests/gnocchi.pp    | 28 +++++++++++++++++++++++-----
 5 files changed, 83 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index f92f85e5c..5f8b6776e 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ scenario](#All-In-One).
 
 |     -      | scenario001 | scenario002 | scenario003 | scenario-aio |
 |:----------:|:-----------:|:-----------:|:-----------:|:-------------:
-| ssl        |     no      |      yes    |      no     |      no      |
+| ssl        |     yes     |      yes    |      no     |      no      |
 | ipv6       |     no      |      yes    |      no     |      no      |
 | keystone   |      X      |       X     |       X     |       X      |
 | glance     |     rbd     |     swift   |     file    |     file     |
diff --git a/fixtures/scenario001.pp b/fixtures/scenario001.pp
index 6ebbbe4b3..2eeb65803 100644
--- a/fixtures/scenario001.pp
+++ b/fixtures/scenario001.pp
@@ -15,6 +15,10 @@
 #
 
 include ::openstack_integration
+class { '::openstack_integration::config':
+  ssl => true,
+}
+include ::openstack_integration::cacert
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
 include ::openstack_integration::keystone
diff --git a/manifests/aodh.pp b/manifests/aodh.pp
index c3b08214d..066bce9da 100644
--- a/manifests/aodh.pp
+++ b/manifests/aodh.pp
@@ -1,5 +1,8 @@
 class openstack_integration::aodh {
 
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   rabbitmq_user { 'aodh':
     admin    => true,
     password => 'an_even_bigger_secret',
@@ -17,19 +20,29 @@ class openstack_integration::aodh {
   # https://bugs.launchpad.net/aodh/+bug/1557154
   Rabbitmq_user_permissions['aodh@/'] -> Service<| tag == 'aodh-service' |>
 
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'aodh':
+      notify  => Service['httpd'],
+      require => Package['aodh'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
   # gnocchi is not packaged in Ubuntu Cloud Archive
   # https://bugs.launchpad.net/cloud-archive/+bug/1535740
   if $::osfamily == 'RedHat' {
-    $gnocchi_url = 'http://127.0.0.1:8041'
+    $gnocchi_url = "${::openstack_integration::config::ip_for_url}:8041"
   } else {
     $gnocchi_url = undef
   }
   class { '::aodh':
     rabbit_userid       => 'aodh',
     rabbit_password     => 'an_even_bigger_secret',
+    rabbit_port         => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl      => $::openstack_integration::config::ssl,
     verbose             => true,
     debug               => true,
-    rabbit_host         => '127.0.0.1',
+    rabbit_host         => $::openstack_integration::config::ip_for_url,
     database_connection => 'mysql+pymysql://aodh:aodh@127.0.0.1/aodh?charset=utf8',
     gnocchi_url         => $gnocchi_url,
   }
@@ -37,21 +50,28 @@ class openstack_integration::aodh {
     password => 'aodh',
   }
   class { '::aodh::keystone::auth':
-    password => 'a_big_secret',
+    public_url   => "${::openstack_integration::config::base_url}:8042",
+    internal_url => "${::openstack_integration::config::base_url}:8042",
+    admin_url    => "${::openstack_integration::config::base_url}:8042",
+    password     => 'a_big_secret',
   }
   class { '::aodh::api':
     enabled               => true,
     keystone_password     => 'a_big_secret',
-    keystone_identity_uri => 'http://127.0.0.1:35357/',
-    keystone_auth_uri     => 'http://127.0.0.1:35357/',
+    keystone_identity_uri => $::openstack_integration::config::keystone_admin_uri,
+    keystone_auth_uri     => $::openstack_integration::config::keystone_admin_uri,
     service_name          => 'httpd',
   }
+  include ::apache
   class { '::aodh::wsgi::apache':
-    workers => 2,
-    ssl     => false,
+    bind_host => $::openstack_integration::config::ip_for_url,
+    ssl       => $::openstack_integration::config::ssl,
+    ssl_key   => "/etc/aodh/ssl/private/${::fqdn}.pem",
+    ssl_cert  => $::openstack_integration::params::cert_path,
+    workers   => 2,
   }
   class { '::aodh::auth':
-    auth_url      => 'http://127.0.0.1:5000/v2.0',
+    auth_url      => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
     auth_password => 'a_big_secret',
   }
   class { '::aodh::client': }
diff --git a/manifests/ceilometer.pp b/manifests/ceilometer.pp
index 0fb1097f4..df37ba33c 100644
--- a/manifests/ceilometer.pp
+++ b/manifests/ceilometer.pp
@@ -1,5 +1,8 @@
 class openstack_integration::ceilometer {
 
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   rabbitmq_user { 'ceilometer':
     admin    => true,
     password => 'an_even_bigger_secret',
@@ -14,11 +17,21 @@ class openstack_integration::ceilometer {
     require              => Class['::rabbitmq'],
   }
 
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'ceilometer':
+      notify  => Service['httpd'],
+      require => Package['ceilometer-common'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
   class { '::ceilometer':
     metering_secret => 'secrete',
     rabbit_userid   => 'ceilometer',
     rabbit_password => 'an_even_bigger_secret',
-    rabbit_host     => '127.0.0.1',
+    rabbit_host     => $::openstack_integration::config::ip_for_url,
+    rabbit_port     => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl  => $::openstack_integration::config::ssl,
     debug           => true,
     verbose         => true,
   }
@@ -29,17 +42,25 @@ class openstack_integration::ceilometer {
     database_connection => 'mysql+pymysql://ceilometer:ceilometer@127.0.0.1/ceilometer?charset=utf8',
   }
   class { '::ceilometer::keystone::auth':
-    password => 'a_big_secret',
+    public_url   => "${::openstack_integration::config::base_url}:8777",
+    internal_url => "${::openstack_integration::config::base_url}:8777",
+    admin_url    => "${::openstack_integration::config::base_url}:8777",
+    password     => 'a_big_secret',
   }
   class { '::ceilometer::api':
     enabled           => true,
     keystone_password => 'a_big_secret',
-    identity_uri      => 'http://127.0.0.1:35357/',
+    identity_uri      => $::openstack_integration::config::keystone_admin_uri,
+    auth_uri          => $::openstack_integration::config::keystone_auth_uri,
     service_name      => 'httpd',
   }
+  include ::apache
   class { '::ceilometer::wsgi::apache':
-    ssl     => false,
-    workers => '2',
+    bind_host => $::openstack_integration::config::ip_for_url,
+    ssl       => $::openstack_integration::config::ssl,
+    ssl_key   => "/etc/keystone/ssl/private/${::fqdn}.pem",
+    ssl_cert  => $::openstack_integration::params::cert_path,
+    workers   => '2',
   }
   class { '::ceilometer::collector':
     collector_workers => '2',
@@ -51,7 +72,7 @@ class openstack_integration::ceilometer {
   class { '::ceilometer::agent::polling': }
   class { '::ceilometer::agent::auth':
     auth_password => 'a_big_secret',
-    auth_url      => 'http://127.0.0.1:5000/v2.0',
+    auth_url      => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
   }
 
 }
diff --git a/manifests/gnocchi.pp b/manifests/gnocchi.pp
index dd5ecdf19..74b41030b 100644
--- a/manifests/gnocchi.pp
+++ b/manifests/gnocchi.pp
@@ -1,8 +1,20 @@
 class openstack_integration::gnocchi {
 
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   # gnocchi is not packaged in Ubuntu Cloud Archive
   # https://bugs.launchpad.net/cloud-archive/+bug/1535740
   if $::osfamily == 'RedHat' {
+
+    if $::openstack_integration::config::ssl {
+      openstack_integration::ssl_key { 'gnocchi':
+        notify  => Service['httpd'],
+        require => Package['gnocchi'],
+      }
+      Exec['update-ca-certificates'] ~> Service['httpd']
+    }
+
     class { '::gnocchi':
       verbose             => true,
       debug               => true,
@@ -12,19 +24,25 @@ class openstack_integration::gnocchi {
       password => 'gnocchi',
     }
     class { '::gnocchi::keystone::auth':
-      password => 'a_big_secret',
+      public_url   => "${::openstack_integration::config::base_url}:8041",
+      internal_url => "${::openstack_integration::config::base_url}:8041",
+      admin_url    => "${::openstack_integration::config::base_url}:8041",
+      password     => 'a_big_secret',
     }
     class { '::gnocchi::api':
       enabled               => true,
       keystone_password     => 'a_big_secret',
-      keystone_identity_uri => 'http://127.0.0.1:35357/',
-      keystone_auth_uri     => 'http://127.0.0.1:35357/',
+      keystone_identity_uri => $::openstack_integration::config::keystone_admin_uri,
+      keystone_auth_uri     => $::openstack_integration::config::keystone_admin_uri,
       service_name          => 'httpd',
     }
     include ::apache
     class { '::gnocchi::wsgi::apache':
-      workers => 2,
-      ssl     => false,
+      bind_host => $::openstack_integration::config::ip_for_url,
+      ssl       => $::openstack_integration::config::ssl,
+      ssl_key   => "/etc/gnocchi/ssl/private/${::fqdn}.pem",
+      ssl_cert  => $::openstack_integration::params::cert_path,
+      workers   => 2,
     }
     class { '::gnocchi::client': }
     class { '::gnocchi::db::sync': }