Merge "Pass parameters for TLS proxy in front of Glance-API"

2017-01-24 23:13:12 +00:00 · 2017-01-24 23:13:12 +00:00 · f68362bfb9
commit f68362bfb9
parent 00938b0acc a88261aa05
3 changed files with 36 additions and 1 deletions
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@ -6,3 +6,5 @@ resource_registry:
  OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
  OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
  OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
+  # We use apache as a TLS proxy
+  OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -229,6 +229,7 @@ resource_registry:
  OS::TripleO::Services::ContrailControl: puppet/services/network/contrail-control.yaml
  OS::TripleO::Services::ContrailDatabase: puppet/services/network/contrail-database.yaml
  OS::TripleO::Services::ContrailWebui: puppet/services/network/contrail-webui.yaml
+  OS::TripleO::Services::TLSProxyBase: OS::Heat::None
  OS::TripleO::Services::Zaqar: OS::Heat::None
  OS::TripleO::Services::NeutronML2FujitsuCfab: OS::Heat::None
  OS::TripleO::Services::NeutronML2FujitsuFossw: OS::Heat::None
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@ -45,8 +45,23 @@ parameters:
    default:
      tag: openstack.glance.api
      path: /var/log/glance/api.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}

 resources:
+
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
  GlanceBase:
    type: ./glance-base.yaml
    properties:
@ -66,6 +81,7 @@ outputs:
      config_settings:
        map_merge:
          - get_attr: [GlanceBase, role_data, config_settings]
+          - get_attr: [TLSProxyBase, role_data, config_settings]
          - glance::api::database_connection:
              list_join:
                - ''
@ -100,7 +116,23 @@ outputs:
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
-            glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+            tripleo::profile::base::glance::api::tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, GlanceApiNetwork]
+            tripleo::profile::base::glance::api::tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
+            tripleo::profile::base::glance::api::tls_proxy_port:
+              get_param: [EndpointMap, GlanceInternal, port]
+            # Bind to localhost if internal TLS is enabled, since we put a TLs
+            # proxy in front.
+            glance::api::bind_host:
+              if:
+              - use_tls_proxy
+              - 'localhost'
+              - {get_param: [ServiceNetMap, GlanceApiNetwork]}
      step_config: |
        include ::tripleo::profile::base::glance::api
      service_config_settings: