Generate internal TLS hieradata for apache services

This adds an environment file that can be used to enable TLS in
the internal endpoints via certmonger if used. This will include
a nested stack that will create the hash that will be used to
create the certmonger certificates.

When setting up a service over apache via puppet, we used to explicitly
disable ssl (which sets mod_ssl-related fields for that vhost).
We now make this depend on the EnableInternalTLS flag. This has only
been done for keystone, but more services will be added as the
puppet code lands

bp tls-via-certmonger

Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
Juan Antonio Osorio Robles 2016-09-26 15:34:10 +00:00
parent 81aa47d314
commit debbfbbf8f
5 changed files with 104 additions and 20 deletions


@ -1,2 +1,6 @@
# A Heat environment file which can be used to enable a
# a TLS for in the internal network via certmonger
parameter_defaults: parameter_defaults:
EnableInternalTLS: true EnableInternalTLS: true
resource_registry:
OS::TripleO::Services::ApacheTLS: ../../puppet/services/apache-internal-tls-certmonger.yaml
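Review bot: The header comment on the first two lines of this file reads "enable a / a TLS for in the internal network", which doubles the article and is hard to parse; suggest `# A Heat environment file which can be used to enable TLS` / `# on the internal network via certmonger`. It would also help that comment to state that the file does two coupled things, setting `EnableInternalTLS` and overriding `OS::TripleO::Services::ApacheTLS`, since the default registry in this same commit maps that resource to `OS::Heat::None` and the flag on its own does not produce any certificate hieradata.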


@ -99,6 +99,7 @@ resource_registry:
# services # services
OS::TripleO::Services: puppet/services/services.yaml OS::TripleO::Services: puppet/services/services.yaml
OS::TripleO::Services::Apache: puppet/services/apache.yaml OS::TripleO::Services::Apache: puppet/services/apache.yaml
OS::TripleO::Services::ApacheTLS: OS::Heat::None
OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
OS::TripleO::Services::CephMon: OS::Heat::None OS::TripleO::Services::CephMon: OS::Heat::None
OS::TripleO::Services::CephRgw: OS::Heat::None OS::TripleO::Services::CephRgw: OS::Heat::None


@ -0,0 +1,50 @@
heat_template_version: 2016-10-14
description: >
Apache service TLS configurations.
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
# The following parameters are not needed by the template but are
# required to pass the pep8 tests
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache_internal_tls_certmonger
config_settings:
generate_service_certificates: true
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
hostname: "%{::fqdn_NETWORK}"
principal: "HTTP/%{::fqdn_NETWORK}"
for_each:
NETWORK:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that, and the external
# network will be handled in another template.
yaql:
expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
data:
map:
get_param: ServiceNetMap
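Review bot: The yaql filter `where($ != external and $ != tenant)` relies on yaql treating bare identifiers as string literals, which a reader will easily mistake for variable references; `where($ != 'external' and $ != 'tenant')` states the intent plainly. The template requests a certificate for every distinct network in ServiceNetMap except those two, keyed on the `%{::fqdn_NETWORK}` hiera interpolation; whether such a fact exists on a node that is not attached to one of those networks is not visible here, so an extra line in the NOTE such as `# Assumes a fqdn_<network> fact exists on every node for each listed network` would help the next reader. The `role_data` description "Role data for the Apache role." describes the parent service rather than this nested one; something like "Hieradata for certmonger-managed Apache certificates on the internal networks." would distinguish it.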


@ -27,6 +27,17 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry. via parameter_defaults in the resource registry.
type: json type: json
EnableInternalTLS:
type: boolean
default: false
resources:
ApacheTLS:
type: OS::TripleO::Services::ApacheTLS
properties:
ServiceNetMap: {get_param: ServiceNetMap}
outputs: outputs:
role_data: role_data:
@ -34,6 +45,9 @@ outputs:
value: value:
service_name: apache service_name: apache
config_settings: config_settings:
map_merge:
- get_attr: [ApacheTLS, role_data, config_settings]
-
# for the given network; replacement examples (eg. for internal_api): # for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP # internal_api -> IP
# internal_api_uri -> [IP] # internal_api_uri -> [IP]
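Review bot: `EnableInternalTLS` is declared in the parameters hunk but not referenced in either visible hunk: the `ApacheTLS` resource is created unconditionally, and whether TLS hieradata is emitted is decided by the registry mapping of `OS::TripleO::Services::ApacheTLS`, not by this flag. If the parameter exists so that services built on this template (the keystone template in this commit passes it in) can hand it through, say so, e.g. `description: Whether to enable TLS on the internal network interfaces. Accepted here so dependent service templates can pass it through; the TLS hieradata itself comes from the ApacheTLS registry entry.` The same undocumented parameter is added to the keystone template, where every neighbouring parameter carries a description, so a description in both places would keep the files consistent. The `outputs` block continues outside the second hunk.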


@ -98,6 +98,9 @@ parameters:
default: default:
tag: openstack.keystone tag: openstack.keystone
path: /var/log/keystone/keystone.log path: /var/log/keystone/keystone.log
EnableInternalTLS:
type: boolean
default: false
resources: resources:
@ -107,6 +110,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap} ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords} DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap} EndpointMap: {get_param: EndpointMap}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs: outputs:
role_data: role_data:
@ -163,7 +167,8 @@ outputs:
ec2/driver: ec2/driver:
value: 'keystone.contrib.ec2.backends.sql.Ec2' value: 'keystone.contrib.ec2.backends.sql.Ec2'
keystone::service_name: 'httpd' keystone::service_name: 'httpd'
keystone::wsgi::apache::ssl: false keystone::enable_ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::servername: keystone::wsgi::apache::servername:
str_replace: str_replace:
template: template:
@ -188,15 +193,25 @@ outputs:
- 13000 - 13000
- 35357 - 35357
- 13357 - 13357
keystone::admin_bind_host:
str_replace:
template:
'"%{::fqdn_$NETWORK}"'
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::public_bind_host:
str_replace:
template:
'"%{::fqdn_$NETWORK}"'
params:
$NETWORK: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
# NOTE: bind IP is found in Heat replacing the network name with the # NOTE: bind IP is found in Heat replacing the network name with the
# local node IP for the given network; replacement examples # local node IP for the given network; replacement examples
# (eg. for internal_api): # (eg. for internal_api):
# internal_api -> IP # internal_api -> IP
# internal_api_uri -> [IP] # internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR # internal_api_subnet - > IP/CIDR
# NOTE: this applies to all 4 bind IP settings below... # NOTE: this applies to all 2 bind IP settings below...
keystone::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
keystone::public_bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]} keystone::wsgi::apache::bind_host: {get_param: [ServiceNetMap, KeystonePublicApiNetwork]}
keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} keystone::wsgi::apache::admin_bind_host: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
step_config: | step_config: |
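Review bot: `keystone::admin_bind_host` and `keystone::public_bind_host` now resolve to `"%{::fqdn_$NETWORK}"` regardless of `EnableInternalTLS`, so a deployment with TLS disabled also moves from binding the per-network IP to binding a name that has to resolve on the node when the service starts; if that is intended, the NOTE that now says "all 2 bind IP settings below" should also say that the two host settings above it are deliberately name-based, e.g. `# NOTE: admin/public bind hosts use the per-network FQDN fact rather than the` / `# node IP; the IP replacement note below covers only the two wsgi::apache` / `# bind settings.` The `'"%{::fqdn_$NETWORK}"'` outer-single/inner-double quoting presumably matches how the servername template a few lines up is written, but that template's body is outside this hunk, so please confirm the two agree. The output block continues outside this hunk.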