Add ceph dashboard frontend endpoint and tls-e integration

This change exposes to the end-user the new ceph dashboard
frontend which is fully integrated with grafana service.
This review also adds all the info/classes to integrate the
service with tls-everywhere framework, providing the cert
request and generation that will be passed to ceph dashboard
via ceph-ansible.

Depends-On: I7728b6a6bbf8447ec3290a13cb7f5807b30cc01f
Change-Id: Id6d2e4b00355cd84baccc2b493f3205c2b32a44b
(cherry picked from commit eec31fd149ee3e009a0a6b3a1b8f040c2e709c52)

files/certmonger-dashboard-refresh.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Get mgr systemd unit
+mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
+
+# Restart the mgr systemd unit
+if [ -n "$mgr_unit" ]; then
+    systemctl restart "$mgr_unit"
+fi
+

manifests/certmonger/ceph_dashboard.pp

@@ -0,0 +1,81 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ceph_grafana
+#
+# Request a certificate for RabbitMQ and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   Defaults to undef.
+#
+# [*principal*]
+#   (Optional) The service principal that is set for the service in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::ceph_dashboard (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $postsave_cmd = undef,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $principal     = undef,
+) {
+
+  ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
+    source  => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh',
+    mode    => '0700',
+    seltype => 'bin_t',
+    notify  => Service['certmonger']
+  })
+
+  certmonger_certificate { 'ceph_dashboard' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+
+  file { $service_certificate :
+    require => Certmonger_certificate['ceph_dashboard'],
+    owner   => 472,
+    group   => 472,
+  }
+  file { $service_key :
+    require => Certmonger_certificate['ceph_dashboard'],
+    owner   => 472,
+    group   => 472,
+  }
+}

manifests/haproxy.pp

@@ -347,6 +347,10 @@
 #  (optional) Enable or not Ceph Grafana dashboard binding
 #  Defaults to hiera('ceph_grafana_enabled', false)
 #
+# [*ceph_dashboard*]
+#  (optional) Enable or not Ceph Dashboard binding
+#  Defaults to hiera('ceph_mgr_enabled', false)
+#
 # [*opendaylight*]
 #  (optional) Enable or not OpenDaylight binding
 #  Defaults to hiera('opendaylight_api_enabled', false)
@@ -388,6 +392,10 @@
 #  (optional) Specify the network ceph_grafana is running on.
 #  Defaults to hiera('ceph_grafana_network', undef)
 #
+# [*ceph_dashboard_network*]
+#  (optional) Specify the network ceph_dashboard is running on.
+#  Defaults to hiera('ceph_mgr', undef)
+#
 # [*cinder_network*]
 #  (optional) Specify the network cinder is running on.
 #  Defaults to hiera('cinder_api_network', undef)
@@ -594,6 +602,8 @@
 #    'ceph_rgw_ssl_port' (Defaults to 13808)
 #    'ceph_grafana_port' (Defaults to 3100)
 #    'ceph_grafana_ssl_port' (Defaults to 3100)
+#    'ceph_dashboard_port' (Defaults to 8444)
+#    'ceph_dashboard_ssl_port' (Defaults to 8444)
 #    'zaqar_ws_port' (Defaults to 9000)
 #    'zaqar_ws_ssl_port' (Defaults to 9000)
 #  * Note that for zaqar's websockets we don't support having a different
@@ -650,6 +660,7 @@ class tripleo::haproxy (
   $panko                       = hiera('panko_api_enabled', false),
   $barbican                    = hiera('barbican_api_enabled', false),
   $ceph_grafana                = hiera('ceph_grafana_enabled', false),
+  $ceph_dashboard              = hiera('ceph_mgr_enabled', false),
   $gnocchi                     = hiera('gnocchi_api_enabled', false),
   $mistral                     = hiera('mistral_api_enabled', false),
   $swift_proxy_server          = hiera('swift_proxy_enabled', false),
@@ -692,6 +703,7 @@ class tripleo::haproxy (
   $gnocchi_network             = hiera('gnocchi_api_network', undef),
   $heat_api_network            = hiera('heat_api_network', undef),
   $ceph_grafana_network        = hiera('ceph_grafana_network', undef),
+  $ceph_dashboard_network      = hiera('ceph_dashboard_network', undef),
   $heat_cfn_network            = hiera('heat_api_cfn_network', undef),
   $horizon_network             = hiera('horizon_network', undef),
   $ironic_inspector_network    = hiera('ironic_inspector_network', undef),
@@ -796,6 +808,8 @@ class tripleo::haproxy (
     zaqar_ws_ssl_port => 9000,
     ceph_grafana_port => 3100,
     ceph_grafana_ssl_port => 3100,
+    ceph_dashboard_port => 8444,
+    ceph_dashboard_ssl_port => 8444,
   }
   $ports = merge($default_service_ports, $service_ports)
 
@@ -1051,6 +1065,24 @@ class tripleo::haproxy (
     }
   }
 
+  if $ceph_dashboard {
+    ::tripleo::haproxy::endpoint { 'ceph_dashboard':
+      internal_ip     => hiera('ceph_dashboard_vip', $controller_virtual_ip),
+      service_port    => $ports[ceph_dashboard_port],
+      ip_addresses    => hiera('ceph_grafana_node_ips', $controller_hosts_real),
+      server_names    => hiera('ceph_grafana_node_names', $controller_hosts_names_real),
+      mode            => 'http',
+      public_ssl_port => $ports[ceph_dashboard_ssl_port],
+      listen_options  => merge($default_listen_options, {
+        'option'     => [ 'httpchk HEAD /' ],
+        'balance'    => 'source',
+        'http-check' => 'expect rstatus 2[0-9][0-9]',
+      }),
+      service_network => $ceph_dashboard_network,
+      member_options  => union($haproxy_member_options, $internal_tls_member_options),
+    }
+  }
+
   $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
   if $nova_osapi {
     ::tripleo::haproxy::endpoint { 'nova_osapi':

manifests/profile/base/certmonger_user.pp

@@ -107,6 +107,11 @@
 #   it will create.
 #   Defaults to hiera('ceph_grafana_certificate_specs', {}).
 #
+# [*ceph_dashboard_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('ceph_dashboard_certificate_specs', {}).
+#
 # [*etcd_certificate_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@@ -190,6 +195,7 @@ class tripleo::profile::base::certmonger_user (
   $neutron_certificate_specs          = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
   $novnc_proxy_certificates_specs     = hiera('novnc_proxy_certificates_specs',{}),
   $ceph_grafana_certificate_specs     = hiera('ceph_grafana_certificate_specs', {}),
+  $ceph_dashboard_certificate_specs   = hiera('ceph_dashboard_certificate_specs', {}),
   $ovn_dbs_certificate_specs          = hiera('ovn_dbs_certificate_specs', {}),
   $ovn_controller_certificate_specs   = hiera('ovn_controller_certificate_specs', {}),
   $ovn_metadata_certificate_specs     = hiera('ovn_metadata_certificate_specs', {}),
@@ -284,6 +290,9 @@ class tripleo::profile::base::certmonger_user (
     unless empty($ceph_grafana_certificate_specs) {
       ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
     }
+    unless empty($ceph_dashboard_certificate_specs) {
+      ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
+    }
     unless empty($ovn_dbs_certificate_specs) {
       ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
     }

releasenotes/notes/ceph_dashboard_endpoint-10035021352fc190.yaml

@@ -0,0 +1,6 @@
+
+---
+features:
+  - |
+    Adds ceph_dashboard endpoint and ceph_dashboard_port to properly
+    expose the ceph-dashboard frontend service