Enable TLS in the internal network for Octavia API

Partial-Bug: #1789303 Co-Authored-By: Kellen Gattis <kgattis@redhat.com> Change-Id: I38a71f28667ad0c50ebabd24cfbd148d52fe398b
2018-08-27 23:27:20 +02:00 · 2018-08-27 23:27:20 +02:00 · de28e026cd
commit de28e026cd
parent 013154ea20
3 changed files with 101 additions and 2 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -1559,6 +1559,7 @@ class tripleo::haproxy (
      server_names      => hiera('octavia_api_node_names'),
      public_ssl_port   => $ports[octavia_api_ssl_port],
      service_network   => $octavia_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
    }
  }

--- a/manifests/profile/base/octavia/api.pp
+++ b/manifests/profile/base/octavia/api.pp
@ -22,14 +22,56 @@
 #   (Optional) The hostname of the node responsible for bootstrapping tasks
 #   Defaults to hiera('bootstrap_nodeid')
 #
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
+# [*octavia_network*]
+#   (Optional) The network name where the barbican endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('octavia_api_network', undef)
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*tls_proxy_bind_ip*]
+#   IP on which the TLS proxy will listen on. Required only if
+#   enable_internal_tls is set.
+#   Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+#   fqdn on which the tls proxy will listen on. required only used if
+#   enable_internal_tls is set.
+#   defaults to undef
+#
+# [*tls_proxy_port*]
+#   port on which the tls proxy will listen on. Only used if
+#   enable_internal_tls is set.
+#   defaults to 9876
+#
 class tripleo::profile::base::octavia::api (
-  $bootstrap_node = hiera('bootstrap_nodeid', undef),
-  $step           = Integer(hiera('step')),
+  $bootstrap_node      = hiera('bootstrap_nodeid', undef),
+  $certificates_specs  = hiera('apache_certificates_specs', {}),
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $octavia_network     = hiera('octavia_api_network', undef),
+  $step                = Integer(hiera('step')),
+  $tls_proxy_bind_ip   = undef,
+  $tls_proxy_fqdn      = undef,
+  $tls_proxy_port      = 9876,
 ) {
  if $::hostname == downcase($bootstrap_node) {
    $sync_db = true
@ -39,6 +81,31 @@ class tripleo::profile::base::octavia::api (

  include ::tripleo::profile::base::octavia

+  if $step >= 4 or ($step >= 3 and $sync_db) {
+    if $enable_internal_tls {
+      if !$octavia_network {
+        fail('octavia_api_network is not set in the hieradata.')
+      }
+      if !$tls_proxy_bind_ip {
+        fail('tls_proxy_bind_ip is not set in the hieradata.')
+      }
+      if !$tls_proxy_fqdn {
+        fail('tls_proxy_fqdn is required if internal TLS is enabled.')
+      }
+      $tls_certfile = $certificates_specs["httpd-${octavia_network}"]['service_certificate']
+      $tls_keyfile = $certificates_specs["httpd-${octavia_network}"]['service_key']
+
+      ::tripleo::tls_proxy { 'octavia-api':
+        servername => $tls_proxy_fqdn,
+        ip         => $tls_proxy_bind_ip,
+        port       => $tls_proxy_port,
+        tls_cert   => $tls_certfile,
+        tls_key    => $tls_keyfile,
+        notify     => Class['::octavia::api'],
+      }
+    }
+  }
+
  # We start the Octavia API server on the bootstrap node first, because
  # it will try to populate tables and we need to make sure this happens
  # before it starts on other nodes
--- a/spec/classes/tripleo_profile_base_octavia_api_spec.rb
+++ b/spec/classes/tripleo_profile_base_octavia_api_spec.rb
@ -124,6 +124,37 @@ eos
        is_expected.to contain_class('octavia::api').with(:sync_db => false)
      end
    end
+
+    context 'Configure internal TLS' do
+      before do
+        params.merge!({
+          :step                 => 5,
+          :bootstrap_node       => 'node.example.com',
+          :enable_internal_tls  => true,
+          :octavia_network      => 'octavia-net',
+          :certificates_specs   => {
+            'httpd-octavia-net' => {
+              'hostname'            => 'somehost',
+              'service_certificate' => '/foo.pem',
+              'service_key'         => '/foo.key',
+            },
+          },
+          :tls_proxy_bind_ip    => '172.16.10.25',
+          :tls_proxy_fqdn       => 'octavia-host.example.com',
+          :tls_proxy_port       => 9876
+        })
+      end
+      it {
+        is_expected.to contain_class('octavia::api')
+        is_expected.to contain_apache__vhost('octavia-api-proxy').with(
+          :ssl_cert     => '/foo.pem',
+          :ssl_key      => '/foo.key',
+          :ip           => '172.16.10.25',
+          :port         => 9876,
+          :servername   => 'octavia-host.example.com',
+        )
+      }
+    end
  end

  on_supported_os.each do |os, facts|