openstack/puppet-tripleo
Code Issues Proposed changes
ee5366fc5e
puppet-tripleo/manifests/profile/base/cinder/api.pp
Lukas Bezdicka ef4a1da270 Ensure we configure ssl.conf 
Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.

Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
(cherry picked from commit 9e729c0db2)
2017-04-19 13:41:14 +02:00

101 lines
3.4 KiB
Puppet
Raw Blame History

# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::cinder::api
#
# Cinder API profile for tripleo
#
# === Parameters
#
# [*bootstrap_node*]
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
# [*certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Example with hiera:
# apache_certificates_specs:
# httpd-internal_api:
# hostname: <overcloud controller fqdn>
# service_certificate: <service certificate path>
# service_key: <service key path>
# principal: "haproxy/<overcloud controller fqdn>"
# Defaults to hiera('apache_certificate_specs', {}).
#
# [*cinder_api_network*]
# (Optional) The network name where the cinder API endpoint is listening on.
# This is set by t-h-t.
# Defaults to hiera('cinder_api_network', undef)
#
# [*enable_internal_tls*]
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
# [*generate_service_certificates*]
# (Optional) Whether or not certmonger will generate certificates for
# HAProxy. This could be as many as specified by the $certificates_specs
# variable.
# Note that this doesn't configure the certificates in haproxy, it merely
# creates the certificates.
# Defaults to hiera('generate_service_certificate', false).
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::cinder::api (
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificates_specs = hiera('apache_certificates_specs', {}),
$cinder_api_network = hiera('cinder_api_network', undef),
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_service_certificates = hiera('generate_service_certificates', false),
$step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
$sync_db = true
} else {
$sync_db = false
}
include ::tripleo::profile::base::cinder
if $enable_internal_tls {
if $generate_service_certificates {
ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
}
if !$cinder_api_network {
fail('cinder_api_network is not set in the hieradata.')
}
$tls_certfile = $certificates_specs["httpd-${cinder_api_network}"]['service_certificate']
$tls_keyfile = $certificates_specs["httpd-${cinder_api_network}"]['service_key']
} else {
$tls_certfile = undef
$tls_keyfile = undef
}
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::cinder::api
include ::apache::mod::ssl
class { '::cinder::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
}
include ::cinder::ceilometer
}
}
View Git Blame Copy Permalink