openstack/puppet-openstack-integration
Code Issues Proposed changes

scenario001: enable SSL by default

Browse Source 
This patch enables SSL by default on scenario001 for both Ubuntu &
CentOS7, like it's done for scenario002.

Change-Id: If7a6ae3825052420ac76b5c8899ce68f003cb903
This commit is contained in:
Emilien Macchi 2016-03-29 20:51:03 -04:00
parent 301f3247ae
commit dbd4fc4fca
5 changed files with 83 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -33,7 +33,7 @@ scenario](#All-In-One).
| - | scenario001 | scenario002 | scenario003 | scenario-aio | | - | scenario001 | scenario002 | scenario003 | scenario-aio |
|:----------:|:-----------:|:-----------:|:-----------:|:-------------: |:----------:|:-----------:|:-----------:|:-----------:|:-------------:
| ssl | no | yes | no | no | | ssl | yes | yes | no | no |
| ipv6 | no | yes | no | no | | ipv6 | no | yes | no | no |
| keystone | X | X | X | X | | keystone | X | X | X | X |
| glance | rbd | swift | file | file | | glance | rbd | swift | file | file |

4
fixtures/scenario001.pp
View File

@ -15,6 +15,10 @@
# #
include ::openstack_integration include ::openstack_integration
class { '::openstack_integration::config':
ssl => true,
}
include ::openstack_integration::cacert
include ::openstack_integration::rabbitmq include ::openstack_integration::rabbitmq
include ::openstack_integration::mysql include ::openstack_integration::mysql
include ::openstack_integration::keystone include ::openstack_integration::keystone

36
manifests/aodh.pp
View File

@ -1,5 +1,8 @@
class openstack_integration::aodh { class openstack_integration::aodh {
include ::openstack_integration::config
include ::openstack_integration::params
rabbitmq_user { 'aodh': rabbitmq_user { 'aodh':
admin => true, admin => true,
password => 'an_even_bigger_secret', password => 'an_even_bigger_secret',
@ -17,19 +20,29 @@ class openstack_integration::aodh {
# https://bugs.launchpad.net/aodh/+bug/1557154 # https://bugs.launchpad.net/aodh/+bug/1557154
Rabbitmq_user_permissions['aodh@/'] -> Service<| tag == 'aodh-service' |> Rabbitmq_user_permissions['aodh@/'] -> Service<| tag == 'aodh-service' |>
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'aodh':
notify => Service['httpd'],
require => Package['aodh'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
# gnocchi is not packaged in Ubuntu Cloud Archive # gnocchi is not packaged in Ubuntu Cloud Archive
# https://bugs.launchpad.net/cloud-archive/+bug/1535740 # https://bugs.launchpad.net/cloud-archive/+bug/1535740
if $::osfamily == 'RedHat' { if $::osfamily == 'RedHat' {
$gnocchi_url = 'http://127.0.0.1:8041' $gnocchi_url = "${::openstack_integration::config::ip_for_url}:8041"
} else { } else {
$gnocchi_url = undef $gnocchi_url = undef
} }
class { '::aodh': class { '::aodh':
rabbit_userid => 'aodh', rabbit_userid => 'aodh',
rabbit_password => 'an_even_bigger_secret', rabbit_password => 'an_even_bigger_secret',
rabbit_port => $::openstack_integration::config::rabbit_port,
rabbit_use_ssl => $::openstack_integration::config::ssl,
verbose => true, verbose => true,
debug => true, debug => true,
rabbit_host => '127.0.0.1', rabbit_host => $::openstack_integration::config::ip_for_url,
database_connection => 'mysql+pymysql://aodh:aodh@127.0.0.1/aodh?charset=utf8', database_connection => 'mysql+pymysql://aodh:aodh@127.0.0.1/aodh?charset=utf8',
gnocchi_url => $gnocchi_url, gnocchi_url => $gnocchi_url,
} }
@ -37,21 +50,28 @@ class openstack_integration::aodh {
password => 'aodh', password => 'aodh',
} }
class { '::aodh::keystone::auth': class { '::aodh::keystone::auth':
password => 'a_big_secret', public_url => "${::openstack_integration::config::base_url}:8042",
internal_url => "${::openstack_integration::config::base_url}:8042",
admin_url => "${::openstack_integration::config::base_url}:8042",
password => 'a_big_secret',
} }
class { '::aodh::api': class { '::aodh::api':
enabled => true, enabled => true,
keystone_password => 'a_big_secret', keystone_password => 'a_big_secret',
keystone_identity_uri => 'http://127.0.0.1:35357/', keystone_identity_uri => $::openstack_integration::config::keystone_admin_uri,
keystone_auth_uri => 'http://127.0.0.1:35357/', keystone_auth_uri => $::openstack_integration::config::keystone_admin_uri,
service_name => 'httpd', service_name => 'httpd',
} }
include ::apache
class { '::aodh::wsgi::apache': class { '::aodh::wsgi::apache':
workers => 2, bind_host => $::openstack_integration::config::ip_for_url,
ssl => false, ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/aodh/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
} }
class { '::aodh::auth': class { '::aodh::auth':
auth_url => 'http://127.0.0.1:5000/v2.0', auth_url => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
auth_password => 'a_big_secret', auth_password => 'a_big_secret',
} }
class { '::aodh::client': } class { '::aodh::client': }

33
manifests/ceilometer.pp
View File

@ -1,5 +1,8 @@
class openstack_integration::ceilometer { class openstack_integration::ceilometer {
include ::openstack_integration::config
include ::openstack_integration::params
rabbitmq_user { 'ceilometer': rabbitmq_user { 'ceilometer':
admin => true, admin => true,
password => 'an_even_bigger_secret', password => 'an_even_bigger_secret',
@ -14,11 +17,21 @@ class openstack_integration::ceilometer {
require => Class['::rabbitmq'], require => Class['::rabbitmq'],
} }
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'ceilometer':
notify => Service['httpd'],
require => Package['ceilometer-common'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
class { '::ceilometer': class { '::ceilometer':
metering_secret => 'secrete', metering_secret => 'secrete',
rabbit_userid => 'ceilometer', rabbit_userid => 'ceilometer',
rabbit_password => 'an_even_bigger_secret', rabbit_password => 'an_even_bigger_secret',
rabbit_host => '127.0.0.1', rabbit_host => $::openstack_integration::config::ip_for_url,
rabbit_port => $::openstack_integration::config::rabbit_port,
rabbit_use_ssl => $::openstack_integration::config::ssl,
debug => true, debug => true,
verbose => true, verbose => true,
} }
@ -29,17 +42,25 @@ class openstack_integration::ceilometer {
database_connection => 'mysql+pymysql://ceilometer:ceilometer@127.0.0.1/ceilometer?charset=utf8', database_connection => 'mysql+pymysql://ceilometer:ceilometer@127.0.0.1/ceilometer?charset=utf8',
} }
class { '::ceilometer::keystone::auth': class { '::ceilometer::keystone::auth':
password => 'a_big_secret', public_url => "${::openstack_integration::config::base_url}:8777",
internal_url => "${::openstack_integration::config::base_url}:8777",
admin_url => "${::openstack_integration::config::base_url}:8777",
password => 'a_big_secret',
} }
class { '::ceilometer::api': class { '::ceilometer::api':
enabled => true, enabled => true,
keystone_password => 'a_big_secret', keystone_password => 'a_big_secret',
identity_uri => 'http://127.0.0.1:35357/', identity_uri => $::openstack_integration::config::keystone_admin_uri,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
service_name => 'httpd', service_name => 'httpd',
} }
include ::apache
class { '::ceilometer::wsgi::apache': class { '::ceilometer::wsgi::apache':
ssl => false, bind_host => $::openstack_integration::config::ip_for_url,
workers => '2', ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/keystone/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => '2',
} }
class { '::ceilometer::collector': class { '::ceilometer::collector':
collector_workers => '2', collector_workers => '2',
@ -51,7 +72,7 @@ class openstack_integration::ceilometer {
class { '::ceilometer::agent::polling': } class { '::ceilometer::agent::polling': }
class { '::ceilometer::agent::auth': class { '::ceilometer::agent::auth':
auth_password => 'a_big_secret', auth_password => 'a_big_secret',
auth_url => 'http://127.0.0.1:5000/v2.0', auth_url => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
} }
} }

28
manifests/gnocchi.pp
View File

@ -1,8 +1,20 @@
class openstack_integration::gnocchi { class openstack_integration::gnocchi {
include ::openstack_integration::config
include ::openstack_integration::params
# gnocchi is not packaged in Ubuntu Cloud Archive # gnocchi is not packaged in Ubuntu Cloud Archive
# https://bugs.launchpad.net/cloud-archive/+bug/1535740 # https://bugs.launchpad.net/cloud-archive/+bug/1535740
if $::osfamily == 'RedHat' { if $::osfamily == 'RedHat' {
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'gnocchi':
notify => Service['httpd'],
require => Package['gnocchi'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
class { '::gnocchi': class { '::gnocchi':
verbose => true, verbose => true,
debug => true, debug => true,
@ -12,19 +24,25 @@ class openstack_integration::gnocchi {
password => 'gnocchi', password => 'gnocchi',
} }
class { '::gnocchi::keystone::auth': class { '::gnocchi::keystone::auth':
password => 'a_big_secret', public_url => "${::openstack_integration::config::base_url}:8041",
internal_url => "${::openstack_integration::config::base_url}:8041",
admin_url => "${::openstack_integration::config::base_url}:8041",
password => 'a_big_secret',
} }
class { '::gnocchi::api': class { '::gnocchi::api':
enabled => true, enabled => true,
keystone_password => 'a_big_secret', keystone_password => 'a_big_secret',
keystone_identity_uri => 'http://127.0.0.1:35357/', keystone_identity_uri => $::openstack_integration::config::keystone_admin_uri,
keystone_auth_uri => 'http://127.0.0.1:35357/', keystone_auth_uri => $::openstack_integration::config::keystone_admin_uri,
service_name => 'httpd', service_name => 'httpd',
} }
include ::apache include ::apache
class { '::gnocchi::wsgi::apache': class { '::gnocchi::wsgi::apache':
workers => 2, bind_host => $::openstack_integration::config::ip_for_url,
ssl => false, ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/gnocchi/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
} }
class { '::gnocchi::client': } class { '::gnocchi::client': }
class { '::gnocchi::db::sync': } class { '::gnocchi::db::sync': }