scenario003: enable SSL by default

This patch enables SSL by default on scenario003 for both Ubuntu & CentOS7, like it's done for scenario001 and 002. Note: we don't enable SSL for Sahara because of: https://bugs.launchpad.net/sahara/+bug/1565082 Change-Id: I7e25b8acaeda2fc51a1a83b3a3aae0c89f332323
2016-03-30 15:55:40 -04:00 · 2016-03-30 15:55:40 -04:00 · fd9c981a05
commit fd9c981a05
parent 4a3ca2bf40
8 changed files with 133 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -33,7 +33,7 @@ scenario](#All-In-One).

 |     -      | scenario001 | scenario002 | scenario003 | scenario-aio |
 |:----------:|:-----------:|:-----------:|:-----------:|:-------------:
-| ssl        |     yes     |      yes    |      no     |      no      |
+| ssl        |     yes     |      yes    |      yes    |      no      |
 | ipv6       |   centos7   |    centos7  |      no     |      no      |
 | keystone   |      X      |       X     |       X     |       X      |
 | glance     |     rbd     |     swift   |     file    |     file     |
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@ -29,6 +29,10 @@ case $::osfamily {
 }

 include ::openstack_integration
+class { '::openstack_integration::config':
+  ssl => true,
+}
+include ::openstack_integration::cacert
 include ::openstack_integration::rabbitmq
 include ::openstack_integration::mysql
 include ::openstack_integration::keystone
--- a/manifests/heat.pp
+++ b/manifests/heat.pp
@ -1,5 +1,8 @@
 class openstack_integration::heat {

+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
  rabbitmq_user { 'heat':
    admin    => true,
    password => 'an_even_bigger_secret',
@ -14,12 +17,28 @@ class openstack_integration::heat {
    require              => Class['::rabbitmq'],
  }

+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'heat':
+      require => Package['heat-common'],
+    }
+    $key_file = "/etc/heat/ssl/private/${::fqdn}.pem"
+    $crt_file = $::openstack_integration::params::cert_path
+    File[$key_file] ~> Service<| tag == 'heat-service' |>
+    Exec['update-ca-certificates'] ~> Service<| tag == 'heat-service' |>
+  } else {
+    $key_file = undef
+    $crt_file = undef
+  }
+
  class { '::heat':
    rabbit_userid       => 'heat',
    rabbit_password     => 'an_even_bigger_secret',
-    rabbit_host         => '127.0.0.1',
+    rabbit_host         => $::openstack_integration::config::ip_for_url,
+    rabbit_use_ssl      => $::openstack_integration::config::ssl,
+    rabbit_port         => $::openstack_integration::config::rabbit_port,
    database_connection => 'mysql+pymysql://heat:heat@127.0.0.1/heat?charset=utf8',
-    identity_uri        => 'http://127.0.0.1:35357/',
+    identity_uri        => $::openstack_integration::config::keystone_auth_uri,
+    auth_uri            => $::openstack_integration::config::keystone_admin_uri,
    keystone_password   => 'a_big_secret',
    debug               => true,
    verbose             => true,
@ -30,6 +49,9 @@ class openstack_integration::heat {
  class { '::heat::keystone::auth':
    password                  => 'a_big_secret',
    configure_delegated_roles => true,
+    public_url                => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
+    internal_url              => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
+    admin_url                 => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
  }
  class { '::heat::keystone::domain':
    domain_password => 'oh_my_no_secret',
@ -37,16 +59,28 @@ class openstack_integration::heat {
  Keystone_user_role['heat_admin::heat@::heat'] -> File['/root/openrc']
  class { '::heat::client': }
  class { '::heat::api':
-    workers => '2',
+    workers   => '2',
+    use_ssl   => $::openstack_integration::config::ssl,
+    cert_file => $crt_file,
+    key_file  => $key_file,
  }
  class { '::heat::engine':
-    auth_encryption_key => '1234567890AZERTYUIOPMLKJHGFDSQ12',
+    auth_encryption_key           => '1234567890AZERTYUIOPMLKJHGFDSQ12',
+    heat_metadata_server_url      => "${::openstack_integration::config::base_url}:8000",
+    heat_waitcondition_server_url => "${::openstack_integration::config::base_url}:8000/v1/waitcondition",
+    heat_watch_server_url         => "${::openstack_integration::config::base_url}:8003",
  }
  class { '::heat::api_cloudwatch':
-    workers => '2',
+    workers   => '2',
+    use_ssl   => $::openstack_integration::config::ssl,
+    cert_file => $crt_file,
+    key_file  => $key_file,
  }
  class { '::heat::api_cfn':
-    workers => '2',
+    workers   => '2',
+    use_ssl   => $::openstack_integration::config::ssl,
+    cert_file => $crt_file,
+    key_file  => $key_file,
  }

 }
--- a/manifests/horizon.pp
+++ b/manifests/horizon.pp
@ -1,14 +1,46 @@
 class openstack_integration::horizon {

-  $vhost_params = { add_listen => false }
+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
+  if $::openstack_integration::config::ssl {
+    file { '/etc/openstack-dashboard/ssl':
+      ensure                  => directory,
+      owner                   => 'root',
+      mode                    => '0755',
+      selinux_ignore_defaults => true,
+      require                 => Package['horizon'],
+    }
+    file { '/etc/openstack-dashboard/ssl/private':
+      ensure                  => directory,
+      owner                   => 'root',
+      mode                    => '0755',
+      selinux_ignore_defaults => true,
+      require                 => File['/etc/openstack-dashboard/ssl'],
+      before                  => File["/etc/openstack-dashboard/ssl/private/${::fqdn}.pem"],
+    }
+    openstack_integration::ssl_key { 'horizon':
+      key_path  => "/etc/openstack-dashboard/ssl/private/${::fqdn}.pem",
+      key_owner => 'root',
+      require   => File['/etc/openstack-dashboard/ssl/private'],
+      notify    => Service['httpd'],
+    }
+    Exec['update-ca-certificates'] ~> Service['httpd']
+  }
+
  class { '::horizon':
-    secret_key         => 'big_secret',
-    vhost_extra_params => $vhost_params,
-    servername         => $::hostname,
-    allowed_hosts      => $::hostname,
+    secret_key       => 'big_secret',
+    servername       => $::openstack_integration::config::ip_for_url,
+    allowed_hosts    => $::openstack_integration::config::ip_for_url,
+    listen_ssl       => $::openstack_integration::config::ssl,
+    ssl_redirect     => $::openstack_integration::config::ssl,
+    horizon_cert     => $::openstack_integration::params::cert_path,
+    horizon_key      => "/etc/openstack-dashboard/ssl/private/${::fqdn}.pem",
+    horizon_ca       => $::openstack_integration::params::ca_bundle_cert_path,
+    keystone_url     => "${::openstack_integration::config::keystone_auth_uri}/v3",
    # need to disable offline compression due to
    # https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1424042
-    compress_offline   => false,
+    compress_offline => false,
  }

 }
--- a/manifests/sahara.pp
+++ b/manifests/sahara.pp
@ -1,5 +1,8 @@
 class openstack_integration::sahara {

+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
  rabbitmq_user { 'sahara':
    admin    => true,
    password => 'an_even_bigger_secret',
@ -18,19 +21,28 @@ class openstack_integration::sahara {
    password => 'sahara',
  }
  class { '::sahara::keystone::auth':
+    # SSL does not seem to work in Sahara
+    # https://bugs.launchpad.net/sahara/+bug/1565082
+    public_url   => "http://${::openstack_integration::config::ip_for_url}:8386/v1.1/%(tenant_id)s",
+    internal_url => "http://${::openstack_integration::config::ip_for_url}:8386/v1.1/%(tenant_id)s",
+    admin_url    => "http://${::openstack_integration::config::ip_for_url}:8386/v1.1/%(tenant_id)s",
    password     => 'a_big_secret',
  }
  class { '::sahara':
    database_connection => 'mysql+pymysql://sahara:sahara@127.0.0.1/sahara?charset=utf8',
    rabbit_userid       => 'sahara',
    rabbit_password     => 'an_even_bigger_secret',
-    rabbit_host         => '127.0.0.1',
+    rabbit_host         => $::openstack_integration::config::ip_for_url,
+    rabbit_port         => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl      => $::openstack_integration::config::ssl,
    rpc_backend         => 'rabbit',
    admin_password      => 'a_big_secret',
    admin_user          => 'sahara',
    admin_tenant_name   => 'services',
    debug               => true,
    verbose             => true,
+    auth_uri            => "${::openstack_integration::config::keystone_admin_uri}/v2.0",
+    identity_uri        => $::openstack_integration::config::keystone_admin_uri,
  }
  class { '::sahara::service::api':
    api_workers => 2,
--- a/manifests/ssl_key.pp
+++ b/manifests/ssl_key.pp
@ -4,8 +4,13 @@
 #   (optional) Path of SSL private key
 #   Defaults to undef.
 #
+# [*key_owner*]
+#   (optional) Owner of SSL private key
+#   Defaults to $name.
+#
 define openstack_integration::ssl_key(
-  $key_path = undef,
+  $key_path  = undef,
+  $key_owner = $name,
 ) {

  include ::openstack_integration::config
@ -37,7 +42,7 @@ define openstack_integration::ssl_key(

  file { $_key_path:
    ensure                  => present,
-    owner                   => $name,
+    owner                   => $key_owner,
    source                  => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.key",
    selinux_ignore_defaults => true,
    mode                    => '0600',
--- a/manifests/tempest.pp
+++ b/manifests/tempest.pp
@ -99,7 +99,7 @@ class openstack_integration::tempest (
    swift_available        => $swift,
    ironic_available       => $ironic,
    public_network_name    => 'public',
-    dashboard_url          => "http://${::hostname}/",
+    dashboard_url          => $::openstack_integration::config::base_url,
    flavor_ref             => '42',
    flavor_ref_alt         => '84',
    image_ssh_user         => 'cirros',
--- a/manifests/trove.pp
+++ b/manifests/trove.pp
@ -1,5 +1,8 @@
 class openstack_integration::trove {

+  include ::openstack_integration::config
+  include ::openstack_integration::params
+
  rabbitmq_user { 'trove':
    admin    => true,
    password => 'an_even_bigger_secret',
@ -14,38 +17,58 @@ class openstack_integration::trove {
    require              => Class['::rabbitmq'],
  }

+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'trove':
+      require => Package['trove'],
+    }
+    $key_file = "/etc/trove/ssl/private/${::fqdn}.pem"
+    $crt_file = $::openstack_integration::params::cert_path
+    File[$key_file] ~> Service<| tag == 'trove-service' |>
+    Exec['update-ca-certificates'] ~> Service<| tag == 'trove-service' |>
+  } else {
+    $key_file = undef
+    $crt_file = undef
+  }
+
  class { '::trove':
    database_connection   => 'mysql+pymysql://trove:trove@127.0.0.1/trove?charset=utf8',
    rabbit_userid         => 'trove',
    rabbit_password       => 'an_even_bigger_secret',
-    rabbit_host           => '127.0.0.1',
+    rabbit_host           => $::openstack_integration::config::ip_for_url,
+    rabbit_port           => $::openstack_integration::config::rabbit_port,
+    rabbit_use_ssl        => $::openstack_integration::config::ssl,
    nova_proxy_admin_pass => 'a_big_secret',
  }
  class { '::trove::db::mysql':
    password => 'trove',
  }
  class { '::trove::keystone::auth':
-    password => 'a_big_secret',
+    password     => 'a_big_secret',
+    public_url   => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
+    internal_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
+    admin_url    => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
  }
  class { '::trove::api':
    keystone_password => 'a_big_secret',
-    auth_uri          => 'http://127.0.0.1:5000/',
-    identity_uri      => 'http://127.0.0.1:35357/',
+    auth_uri          => $::openstack_integration::config::keystone_auth_uri,
+    identity_uri      => $::openstack_integration::config::keystone_admin_uri,
    debug             => true,
    verbose           => true,
    workers           => 2,
+    cert_file         => $crt_file,
+    key_file          => $key_file,
  }
  class { '::trove::client': }
  class { '::trove::conductor':
    debug    => true,
    verbose  => true,
    workers  => 2,
-    auth_url => 'http://127.0.0.1:5000/',
+    auth_url => $::openstack_integration::config::keystone_auth_uri,
  }
  class { '::trove::taskmanager':
    debug    => true,
    verbose  => true,
-    auth_url => 'http://127.0.0.1:5000/',
+    auth_url => $::openstack_integration::config::keystone_auth_uri,
  }

 }