diff --git a/README.md b/README.md
index cb01cbea4..cf7c2ae9b 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ scenario](#All-In-One).
| - | scenario001 | scenario002 | scenario003 | scenario-aio |
|:----------:|:-----------:|:-----------:|:-----------:|:-------------:
-| ssl | yes | yes | no | no |
+| ssl | yes | yes | yes | no |
| ipv6 | centos7 | centos7 | no | no |
| keystone | X | X | X | X |
| glance | rbd | swift | file | file |
diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp
index 35c2aa26a..8f381ea41 100644
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@@ -29,6 +29,10 @@ case $::osfamily {
}
include ::openstack_integration
+class { '::openstack_integration::config':
+ ssl => true,
+}
+include ::openstack_integration::cacert
include ::openstack_integration::rabbitmq
include ::openstack_integration::mysql
include ::openstack_integration::keystone
diff --git a/manifests/heat.pp b/manifests/heat.pp
index 7b3004db9..b3602f9bd 100644
--- a/manifests/heat.pp
+++ b/manifests/heat.pp
@@ -1,5 +1,8 @@
class openstack_integration::heat {
+ include ::openstack_integration::config
+ include ::openstack_integration::params
+
rabbitmq_user { 'heat':
admin => true,
password => 'an_even_bigger_secret',
@@ -14,12 +17,28 @@ class openstack_integration::heat {
require => Class['::rabbitmq'],
}
+ if $::openstack_integration::config::ssl {
+ openstack_integration::ssl_key { 'heat':
+ require => Package['heat-common'],
+ }
+ $key_file = "/etc/heat/ssl/private/${::fqdn}.pem"
+ $crt_file = $::openstack_integration::params::cert_path
+ File[$key_file] ~> Service<| tag == 'heat-service' |>
+ Exec['update-ca-certificates'] ~> Service<| tag == 'heat-service' |>
+ } else {
+ $key_file = undef
+ $crt_file = undef
+ }
+
class { '::heat':
rabbit_userid => 'heat',
rabbit_password => 'an_even_bigger_secret',
- rabbit_host => '127.0.0.1',
+ rabbit_host => $::openstack_integration::config::ip_for_url,
+ rabbit_use_ssl => $::openstack_integration::config::ssl,
+ rabbit_port => $::openstack_integration::config::rabbit_port,
database_connection => 'mysql+pymysql://heat:heat@127.0.0.1/heat?charset=utf8',
- identity_uri => 'http://127.0.0.1:35357/',
+ identity_uri => $::openstack_integration::config::keystone_auth_uri,
+ auth_uri => $::openstack_integration::config::keystone_admin_uri,
keystone_password => 'a_big_secret',
debug => true,
verbose => true,
@@ -30,6 +49,9 @@ class openstack_integration::heat {
class { '::heat::keystone::auth':
password => 'a_big_secret',
configure_delegated_roles => true,
+ public_url => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
+ internal_url => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
+ admin_url => "${::openstack_integration::config::base_url}:8004/v1/%(tenant_id)s",
}
class { '::heat::keystone::domain':
domain_password => 'oh_my_no_secret',
@@ -37,16 +59,28 @@ class openstack_integration::heat {
Keystone_user_role['heat_admin::heat@::heat'] -> File['/root/openrc']
class { '::heat::client': }
class { '::heat::api':
- workers => '2',
+ workers => '2',
+ use_ssl => $::openstack_integration::config::ssl,
+ cert_file => $crt_file,
+ key_file => $key_file,
}
class { '::heat::engine':
- auth_encryption_key => '1234567890AZERTYUIOPMLKJHGFDSQ12',
+ auth_encryption_key => '1234567890AZERTYUIOPMLKJHGFDSQ12',
+ heat_metadata_server_url => "${::openstack_integration::config::base_url}:8000",
+ heat_waitcondition_server_url => "${::openstack_integration::config::base_url}:8000/v1/waitcondition",
+ heat_watch_server_url => "${::openstack_integration::config::base_url}:8003",
}
class { '::heat::api_cloudwatch':
- workers => '2',
+ workers => '2',
+ use_ssl => $::openstack_integration::config::ssl,
+ cert_file => $crt_file,
+ key_file => $key_file,
}
class { '::heat::api_cfn':
- workers => '2',
+ workers => '2',
+ use_ssl => $::openstack_integration::config::ssl,
+ cert_file => $crt_file,
+ key_file => $key_file,
}
}
diff --git a/manifests/horizon.pp b/manifests/horizon.pp
index 69ce30e71..dcde51045 100644
--- a/manifests/horizon.pp
+++ b/manifests/horizon.pp
@@ -1,14 +1,46 @@
class openstack_integration::horizon {
- $vhost_params = { add_listen => false }
+ include ::openstack_integration::config
+ include ::openstack_integration::params
+
+ if $::openstack_integration::config::ssl {
+ file { '/etc/openstack-dashboard/ssl':
+ ensure => directory,
+ owner => 'root',
+ mode => '0755',
+ selinux_ignore_defaults => true,
+ require => Package['horizon'],
+ }
+ file { '/etc/openstack-dashboard/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ mode => '0755',
+ selinux_ignore_defaults => true,
+ require => File['/etc/openstack-dashboard/ssl'],
+ before => File["/etc/openstack-dashboard/ssl/private/${::fqdn}.pem"],
+ }
+ openstack_integration::ssl_key { 'horizon':
+ key_path => "/etc/openstack-dashboard/ssl/private/${::fqdn}.pem",
+ key_owner => 'root',
+ require => File['/etc/openstack-dashboard/ssl/private'],
+ notify => Service['httpd'],
+ }
+ Exec['update-ca-certificates'] ~> Service['httpd']
+ }
+
class { '::horizon':
- secret_key => 'big_secret',
- vhost_extra_params => $vhost_params,
- servername => $::hostname,
- allowed_hosts => $::hostname,
+ secret_key => 'big_secret',
+ servername => $::openstack_integration::config::ip_for_url,
+ allowed_hosts => $::openstack_integration::config::ip_for_url,
+ listen_ssl => $::openstack_integration::config::ssl,
+ ssl_redirect => $::openstack_integration::config::ssl,
+ horizon_cert => $::openstack_integration::params::cert_path,
+ horizon_key => "/etc/openstack-dashboard/ssl/private/${::fqdn}.pem",
+ horizon_ca => $::openstack_integration::params::ca_bundle_cert_path,
+ keystone_url => "${::openstack_integration::config::keystone_auth_uri}/v3",
# need to disable offline compression due to
# https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1424042
- compress_offline => false,
+ compress_offline => false,
}
}
diff --git a/manifests/sahara.pp b/manifests/sahara.pp
index 16920e6eb..1079a0cab 100644
--- a/manifests/sahara.pp
+++ b/manifests/sahara.pp
@@ -1,5 +1,8 @@
class openstack_integration::sahara {
+ include ::openstack_integration::config
+ include ::openstack_integration::params
+
rabbitmq_user { 'sahara':
admin => true,
password => 'an_even_bigger_secret',
@@ -18,19 +21,28 @@ class openstack_integration::sahara {
password => 'sahara',
}
class { '::sahara::keystone::auth':
+ # SSL does not seem to work in Sahara
+ # https://bugs.launchpad.net/sahara/+bug/1565082
+ public_url => "http://${::openstack_integration::config::ip_for_url}:8386/v1.1/%(tenant_id)s",
+ internal_url => "http://${::openstack_integration::config::ip_for_url}:8386/v1.1/%(tenant_id)s",
+ admin_url => "http://${::openstack_integration::config::ip_for_url}:8386/v1.1/%(tenant_id)s",
password => 'a_big_secret',
}
class { '::sahara':
database_connection => 'mysql+pymysql://sahara:sahara@127.0.0.1/sahara?charset=utf8',
rabbit_userid => 'sahara',
rabbit_password => 'an_even_bigger_secret',
- rabbit_host => '127.0.0.1',
+ rabbit_host => $::openstack_integration::config::ip_for_url,
+ rabbit_port => $::openstack_integration::config::rabbit_port,
+ rabbit_use_ssl => $::openstack_integration::config::ssl,
rpc_backend => 'rabbit',
admin_password => 'a_big_secret',
admin_user => 'sahara',
admin_tenant_name => 'services',
debug => true,
verbose => true,
+ auth_uri => "${::openstack_integration::config::keystone_admin_uri}/v2.0",
+ identity_uri => $::openstack_integration::config::keystone_admin_uri,
}
class { '::sahara::service::api':
api_workers => 2,
diff --git a/manifests/ssl_key.pp b/manifests/ssl_key.pp
index a5abb86e6..c54e55161 100644
--- a/manifests/ssl_key.pp
+++ b/manifests/ssl_key.pp
@@ -4,8 +4,13 @@
# (optional) Path of SSL private key
# Defaults to undef.
#
+# [*key_owner*]
+# (optional) Owner of SSL private key
+# Defaults to $name.
+#
define openstack_integration::ssl_key(
- $key_path = undef,
+ $key_path = undef,
+ $key_owner = $name,
) {
include ::openstack_integration::config
@@ -37,7 +42,7 @@ define openstack_integration::ssl_key(
file { $_key_path:
ensure => present,
- owner => $name,
+ owner => $key_owner,
source => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.key",
selinux_ignore_defaults => true,
mode => '0600',
diff --git a/manifests/tempest.pp b/manifests/tempest.pp
index 7c3fd0ac7..7c8affb2e 100644
--- a/manifests/tempest.pp
+++ b/manifests/tempest.pp
@@ -99,7 +99,7 @@ class openstack_integration::tempest (
swift_available => $swift,
ironic_available => $ironic,
public_network_name => 'public',
- dashboard_url => "http://${::hostname}/",
+ dashboard_url => $::openstack_integration::config::base_url,
flavor_ref => '42',
flavor_ref_alt => '84',
image_ssh_user => 'cirros',
diff --git a/manifests/trove.pp b/manifests/trove.pp
index 2242afcd4..4fe2f9f0b 100644
--- a/manifests/trove.pp
+++ b/manifests/trove.pp
@@ -1,5 +1,8 @@
class openstack_integration::trove {
+ include ::openstack_integration::config
+ include ::openstack_integration::params
+
rabbitmq_user { 'trove':
admin => true,
password => 'an_even_bigger_secret',
@@ -14,38 +17,58 @@ class openstack_integration::trove {
require => Class['::rabbitmq'],
}
+ if $::openstack_integration::config::ssl {
+ openstack_integration::ssl_key { 'trove':
+ require => Package['trove'],
+ }
+ $key_file = "/etc/trove/ssl/private/${::fqdn}.pem"
+ $crt_file = $::openstack_integration::params::cert_path
+ File[$key_file] ~> Service<| tag == 'trove-service' |>
+ Exec['update-ca-certificates'] ~> Service<| tag == 'trove-service' |>
+ } else {
+ $key_file = undef
+ $crt_file = undef
+ }
+
class { '::trove':
database_connection => 'mysql+pymysql://trove:trove@127.0.0.1/trove?charset=utf8',
rabbit_userid => 'trove',
rabbit_password => 'an_even_bigger_secret',
- rabbit_host => '127.0.0.1',
+ rabbit_host => $::openstack_integration::config::ip_for_url,
+ rabbit_port => $::openstack_integration::config::rabbit_port,
+ rabbit_use_ssl => $::openstack_integration::config::ssl,
nova_proxy_admin_pass => 'a_big_secret',
}
class { '::trove::db::mysql':
password => 'trove',
}
class { '::trove::keystone::auth':
- password => 'a_big_secret',
+ password => 'a_big_secret',
+ public_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
+ internal_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
+ admin_url => "${::openstack_integration::config::base_url}:8779/v1.0/%(tenant_id)s",
}
class { '::trove::api':
keystone_password => 'a_big_secret',
- auth_uri => 'http://127.0.0.1:5000/',
- identity_uri => 'http://127.0.0.1:35357/',
+ auth_uri => $::openstack_integration::config::keystone_auth_uri,
+ identity_uri => $::openstack_integration::config::keystone_admin_uri,
debug => true,
verbose => true,
workers => 2,
+ cert_file => $crt_file,
+ key_file => $key_file,
}
class { '::trove::client': }
class { '::trove::conductor':
debug => true,
verbose => true,
workers => 2,
- auth_url => 'http://127.0.0.1:5000/',
+ auth_url => $::openstack_integration::config::keystone_auth_uri,
}
class { '::trove::taskmanager':
debug => true,
verbose => true,
- auth_url => 'http://127.0.0.1:5000/',
+ auth_url => $::openstack_integration::config::keystone_auth_uri,
}
}