From 76bf2f532f9541eaf9cd7242ad2bf520f6788033 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Wed, 13 Jul 2016 12:27:23 +0300 Subject: [PATCH] Enable TLS in the internal network for keystone This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039 --- manifests/certmonger/httpd.pp | 62 ++++++++++++++++++++ manifests/haproxy.pp | 15 +++++ manifests/profile/base/keystone.pp | 90 ++++++++++++++++++++++++++---- 3 files changed, 156 insertions(+), 11 deletions(-) create mode 100644 manifests/certmonger/httpd.pp diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp new file mode 100644 index 000000000..94b48b722 --- /dev/null +++ b/manifests/certmonger/httpd.pp @@ -0,0 +1,62 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::httpd +# +# Request a certificate for the httpd service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*principal*] +# The haproxy service principal that is set for HAProxy in kerberos. +# +define tripleo::certmonger::httpd ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::apache::params + + $postsave_cmd = "systemctl reload ${::apache::params::service_name}" + certmonger_certificate { $name : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + + Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |> +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index c4d018d52..3ad10ebcf 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -106,6 +106,11 @@ # flag is set. # Defaults to {} # +# [*enable_internal_tls*] +# A flag that indicates if the servers in the internal network are using TLS. +# This enables the 'ssl' option for the server members that are proxied. +# Defaults to hiera('enable_internal_tls', false) +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -427,6 +432,7 @@ class tripleo::haproxy ( $service_certificate = undef, $use_internal_certificates = false, $internal_certificates_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -541,6 +547,13 @@ class tripleo::haproxy ( } $ports = merge($default_service_ports, $service_ports) + if $enable_internal_tls { + # TODO(jaosorior): change verify none to verify required. + $internal_tls_member_options = ['ssl', 'verify none'] + } else { + $internal_tls_member_options = [] + } + $controller_hosts_real = any2array(split($controller_hosts, ',')) if ! $controller_hosts_names { $controller_hosts_names_real = $controller_hosts_real @@ -680,6 +693,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -709,6 +723,7 @@ class tripleo::haproxy ( listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index fbccdda31..a0e553867 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -18,18 +18,48 @@ # # === Parameters # +# [*admin_endpoint_network*] +# (Optional) The network name where the admin endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('keystone_admin_api_network', undef) +# # [*bootstrap_node*] # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: +# service_certificate: +# service_key: +# principal: "haproxy/" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_db_purge*] # (Optional) Whether keystone token flushing should be enabled # Defaults to hiera('keystone_enable_db_purge', true) # -# [*step*] -# (Optional) The current step in deployment. See tripleo-heat-templates -# for more details. -# Defaults to hiera('step') +# [*public_endpoint_network*] +# (Optional) The network name where the admin endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('keystone_public_api_network', undef) +# # # [*rabbit_hosts*] # list of the rabbbit host IPs @@ -38,13 +68,23 @@ # [*rabbit_port*] # IP port for rabbitmq service # Defaults to hiera('keystone::rabbit_port', 5672) - +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# class tripleo::profile::base::keystone ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_db_purge = hiera('keystone_enable_db_purge', true), - $step = hiera('step'), - $rabbit_hosts = hiera('rabbitmq_node_ips', undef), - $rabbit_port = hiera('keystone::rabbit_port', 5672), + $admin_endpoint_network = hiera('keystone_admin_api_network', undef), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_db_purge = hiera('keystone_enable_db_purge', true), + $public_endpoint_network = hiera('keystone_public_api_network', undef), + $rabbit_hosts = hiera('rabbitmq_node_ips', undef), + $rabbit_port = hiera('keystone::rabbit_port', 5672), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -58,6 +98,29 @@ class tripleo::profile::base::keystone ( $manage_domain = false } + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$public_endpoint_network { + fail('keystone_public_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${public_endpoint_network}"]['service_key'] + + if !$admin_endpoint_network { + fail('keystone_admin_api_network is not set in the hieradata.') + } + $tls_certfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_certificate'] + $tls_keyfile_admin = $certificates_specs["httpd-${admin_endpoint_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + $tls_certfile_admin = undef + $tls_keyfile_admin = undef + } + if $step >= 4 or ( $step >= 3 and $sync_db ) { class { '::keystone': sync_db => $sync_db, @@ -66,7 +129,12 @@ class tripleo::profile::base::keystone ( } include ::keystone::config - include ::keystone::wsgi::apache + class { '::keystone::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + ssl_cert_admin => $tls_certfile_admin, + ssl_key_admin => $tls_keyfile_admin, + } include ::keystone::cors if $manage_roles {