From dbd4fc4fca2e31c45de6e0d51eb940e79c534d69 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Tue, 29 Mar 2016 20:51:03 -0400
Subject: [PATCH] scenario001: enable SSL by default

This patch enables SSL by default on scenario001 for both Ubuntu & CentOS7, like it's done for scenario002.

Change-Id: If7a6ae3825052420ac76b5c8899ce68f003cb903
---
 README.md               |  2 +-
 fixtures/scenario001.pp |  4 ++++
 manifests/aodh.pp       | 36 ++++++++++++++++++++++++++++--------
 manifests/ceilometer.pp | 33 +++++++++++++++++++++++++++------
 manifests/gnocchi.pp    | 28 +++++++++++++++++++++++-----
 5 files changed, 83 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index f92f85e5c..5f8b6776e 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ scenario](#All-In-One).
 | - | scenario001 | scenario002 | scenario003 | scenario-aio |
 |:----------:|:-----------:|:-----------:|:-----------:|:-------------:
-| ssl | no | yes | no | no |
+| ssl | yes | yes | no | no |
 | ipv6 | no | yes | no | no |
 | keystone | X | X | X | X |
 | glance | rbd | swift | file | file |
diff --git a/fixtures/scenario001.pp b/fixtures/scenario001.pp
index 6ebbbe4b3..2eeb65803 100644
--- a/fixtures/scenario001.pp
+++ b/fixtures/scenario001.pp
@@ -15,6 +15,10 @@
 #
 include ::openstack_integration
+class { '::openstack_integration::config':
+  ssl => true,
+}
+include ::openstack_integration::cacert
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
 include ::openstack_integration::keystone
diff --git a/manifests/aodh.pp b/manifests/aodh.pp
index c3b08214d..066bce9da 100644
--- a/manifests/aodh.pp
+++ b/manifests/aodh.pp
@@ -1,5 +1,8 @@
 class openstack_integration::aodh {
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   rabbitmq_user { 'aodh':
     admin    => true,
     password => 'an_even_bigger_secret',
@@ -17,19 +20,29 @@ class openstack_integration::aodh {
   # https://bugs.launchpad.net/aodh/+bug/1557154
   Rabbitmq_user_permissions['aodh@/'] -> Service<| tag == 'aodh-service' |>
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'aodh':
+      notify  => Service['httpd'],
+      require => Package['aodh'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
   # gnocchi is not packaged in Ubuntu Cloud Archive
   # https://bugs.launchpad.net/cloud-archive/+bug/1535740
   if $::osfamily == 'RedHat' {
-    $gnocchi_url = 'http://127.0.0.1:8041'
+    $gnocchi_url = "${::openstack_integration::config::ip_for_url}:8041"
   } else {
     $gnocchi_url = undef
   }
   class { '::aodh':
     rabbit_userid       => 'aodh',
     rabbit_password     => 'an_even_bigger_secret',
+    rabbit_port         => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl      => $::openstack_integration::config::ssl,
     verbose             => true,
     debug               => true,
-    rabbit_host         => '127.0.0.1',
+    rabbit_host         => $::openstack_integration::config::ip_for_url,
     database_connection => 'mysql+pymysql://aodh:aodh@127.0.0.1/aodh?charset=utf8',
     gnocchi_url         => $gnocchi_url,
   }
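Review bot: The new `$gnocchi_url` on the RedHat branch interpolates `ip_for_url` directly, yet the same value is passed as `rabbit_host` in this hunk and as `bind_host` in the later one, which suggests it is a bare host with no scheme; if so the `http://` prefix the old literal carried is lost and aodh receives `<host>:8041`. The keystone endpoint URLs added elsewhere in this patch are built from `base_url`, which presumably carries the scheme and switches to https when `ssl` is set, so `$gnocchi_url = "${::openstack_integration::config::base_url}:8041"` looks like the intended form. Whatever host the URL ends up naming also has to match the certificate, which the `ssl_key` paths in this patch key on `${::fqdn}`, or aodh's TLS verification of the gnocchi endpoint will fail. The enclosing class continues outside the hunk.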
@@ -37,21 +50,28 @@ class openstack_integration::aodh {
     password => 'aodh',
   }
   class { '::aodh::keystone::auth':
-    password => 'a_big_secret',
+    public_url   => "${::openstack_integration::config::base_url}:8042",
+    internal_url => "${::openstack_integration::config::base_url}:8042",
+    admin_url    => "${::openstack_integration::config::base_url}:8042",
+    password     => 'a_big_secret',
   }
   class { '::aodh::api':
     enabled               => true,
     keystone_password     => 'a_big_secret',
-    keystone_identity_uri => 'http://127.0.0.1:35357/',
-    keystone_auth_uri     => 'http://127.0.0.1:35357/',
+    keystone_identity_uri => $::openstack_integration::config::keystone_admin_uri,
+    keystone_auth_uri     => $::openstack_integration::config::keystone_admin_uri,
     service_name          => 'httpd',
   }
+  include ::apache
   class { '::aodh::wsgi::apache':
-    workers => 2,
-    ssl     => false,
+    bind_host => $::openstack_integration::config::ip_for_url,
+    ssl       => $::openstack_integration::config::ssl,
+    ssl_key   => "/etc/aodh/ssl/private/${::fqdn}.pem",
+    ssl_cert  => $::openstack_integration::params::cert_path,
+    workers   => 2,
   }
   class { '::aodh::auth':
-    auth_url      => 'http://127.0.0.1:5000/v2.0',
+    auth_url      => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
     auth_password => 'a_big_secret',
   }
   class { '::aodh::client': }
diff --git a/manifests/ceilometer.pp b/manifests/ceilometer.pp
index 0fb1097f4..df37ba33c 100644
--- a/manifests/ceilometer.pp
+++ b/manifests/ceilometer.pp
@@ -1,5 +1,8 @@
 class openstack_integration::ceilometer {
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   rabbitmq_user { 'ceilometer':
     admin    => true,
     password => 'an_even_bigger_secret',
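Review bot: `keystone_auth_uri` for `::aodh::api` is set to `keystone_admin_uri`, while the ceilometer hunk in this same patch keeps the two apart (`identity_uri => keystone_admin_uri`, `auth_uri => keystone_auth_uri`); in keystonemiddleware the auth URI is the endpoint advertised to unauthenticated clients, so it is normally the public one rather than the admin one. The `::gnocchi::api` hunk later in the patch has the same pair of lines. Suggest `keystone_auth_uri => $::openstack_integration::config::keystone_auth_uri,` in both places, matching ceilometer. The old code used the same 35357 literal for both, so this is a pre-existing choice the patch carries forward rather than introduces, and the enclosing class starts outside the hunk.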
@@ -14,11 +17,21 @@ class openstack_integration::ceilometer {
     require => Class['::rabbitmq'],
   }
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'ceilometer':
+      notify  => Service['httpd'],
+      require => Package['ceilometer-common'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
   class { '::ceilometer':
     metering_secret => 'secrete',
     rabbit_userid   => 'ceilometer',
     rabbit_password => 'an_even_bigger_secret',
-    rabbit_host     => '127.0.0.1',
+    rabbit_host     => $::openstack_integration::config::ip_for_url,
+    rabbit_port     => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl  => $::openstack_integration::config::ssl,
     debug           => true,
     verbose         => true,
   }
@@ -29,17 +42,25 @@ class openstack_integration::ceilometer {
     database_connection => 'mysql+pymysql://ceilometer:ceilometer@127.0.0.1/ceilometer?charset=utf8',
   }
   class { '::ceilometer::keystone::auth':
-    password => 'a_big_secret',
+    public_url   => "${::openstack_integration::config::base_url}:8777",
+    internal_url => "${::openstack_integration::config::base_url}:8777",
+    admin_url    => "${::openstack_integration::config::base_url}:8777",
+    password     => 'a_big_secret',
   }
   class { '::ceilometer::api':
     enabled           => true,
     keystone_password => 'a_big_secret',
-    identity_uri      => 'http://127.0.0.1:35357/',
+    identity_uri      => $::openstack_integration::config::keystone_admin_uri,
+    auth_uri          => $::openstack_integration::config::keystone_auth_uri,
     service_name      => 'httpd',
   }
+  include ::apache
   class { '::ceilometer::wsgi::apache':
-    ssl     => false,
-    workers => '2',
+    bind_host => $::openstack_integration::config::ip_for_url,
+    ssl       => $::openstack_integration::config::ssl,
+    ssl_key   => "/etc/keystone/ssl/private/${::fqdn}.pem",
+    ssl_cert  => $::openstack_integration::params::cert_path,
+    workers   => '2',
   }
   class { '::ceilometer::collector':
     collector_workers => '2',
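Review bot: `ssl_key` for `::ceilometer::wsgi::apache` points at `/etc/keystone/ssl/private/${::fqdn}.pem`, while the `openstack_integration::ssl_key { 'ceilometer': ... }` resource added in the preceding hunk and the aodh and gnocchi hunks use a per-service directory (`/etc/aodh/...`, `/etc/gnocchi/...`); this reads as a copy-paste slip. If the define writes the ceilometer key under `/etc/ceilometer/ssl/private/` (not visible in this patch), httpd is configured with a key that either does not exist there or is keystone's, and one service reading another service's private key is a least-privilege concern in its own right. Suggest `ssl_key   => "/etc/ceilometer/ssl/private/${::fqdn}.pem",`. The enclosing class continues outside the hunk.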
@@ -51,7 +72,7 @@ class openstack_integration::ceilometer {
   class { '::ceilometer::agent::polling': }
   class { '::ceilometer::agent::auth':
     auth_password => 'a_big_secret',
-    auth_url      => 'http://127.0.0.1:5000/v2.0',
+    auth_url      => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
   }
 }
diff --git a/manifests/gnocchi.pp b/manifests/gnocchi.pp
index dd5ecdf19..74b41030b 100644
--- a/manifests/gnocchi.pp
+++ b/manifests/gnocchi.pp
@@ -1,8 +1,20 @@
 class openstack_integration::gnocchi {
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
   # gnocchi is not packaged in Ubuntu Cloud Archive
   # https://bugs.launchpad.net/cloud-archive/+bug/1535740
   if $::osfamily == 'RedHat' {
+
+    if $::openstack_integration::config::ssl {
+      openstack_integration::ssl_key { 'gnocchi':
+        notify  => Service['httpd'],
+        require => Package['gnocchi'],
+      }
+      Exec['update-ca-certificates'] ~> Service['httpd']
+    }
+
     class { '::gnocchi':
       verbose => true,
       debug   => true,
@@ -12,19 +24,25 @@ class openstack_integration::gnocchi {
       password => 'gnocchi',
     }
     class { '::gnocchi::keystone::auth':
-      password => 'a_big_secret',
+      public_url   => "${::openstack_integration::config::base_url}:8041",
+      internal_url => "${::openstack_integration::config::base_url}:8041",
+      admin_url    => "${::openstack_integration::config::base_url}:8041",
+      password     => 'a_big_secret',
     }
     class { '::gnocchi::api':
       enabled               => true,
       keystone_password     => 'a_big_secret',
-      keystone_identity_uri => 'http://127.0.0.1:35357/',
-      keystone_auth_uri     => 'http://127.0.0.1:35357/',
+      keystone_identity_uri => $::openstack_integration::config::keystone_admin_uri,
+      keystone_auth_uri     => $::openstack_integration::config::keystone_admin_uri,
       service_name          => 'httpd',
     }
     include ::apache
     class { '::gnocchi::wsgi::apache':
-      workers => 2,
-      ssl     => false,
+      bind_host => $::openstack_integration::config::ip_for_url,
+      ssl       => $::openstack_integration::config::ssl,
+      ssl_key   => "/etc/gnocchi/ssl/private/${::fqdn}.pem",
+      ssl_cert  => $::openstack_integration::params::cert_path,
+      workers   => 2,
     }
     class { '::gnocchi::client': }
     class { '::gnocchi::db::sync': }