diff --git a/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/certmon_config/ini_setting.rb b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/certmon_config/ini_setting.rb
new file mode 100644
index 000000000..3a70243c2
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/provider/certmon_config/ini_setting.rb
@@ -0,0 +1,35 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:certmon_config).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/sysinv/cert-mon.conf'
+ end
+
+ # added for backwards compatibility with older versions of inifile
+ def file_path
+ self.class.file_path
+ end
+
+end
diff --git a/modules/puppet-sysinv/src/sysinv/lib/puppet/type/certmon_config.rb b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/certmon_config.rb
new file mode 100644
index 000000000..e2e67f3de
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/lib/puppet/type/certmon_config.rb
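Review bot: `self.file_path` hard-codes '/etc/sysinv/cert-mon.conf', the same path this commit also declares as `$certmon_conf` in manifests/params.pp, so the two copies can drift without any error being raised; a provider cannot read manifest variables, but a comment tying them together is worth adding: `# Keep in sync with $sysinv::params::certmon_conf (manifests/params.pp)`. The `section`/`setting` pair relies entirely on the type's name regex to guarantee a '/' is present: for a name without one, `split('/', 2).first` and `.last` both return the whole name, and the setting would silently be written into a section of that name.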
@@ -0,0 +1,50 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:certmon_config) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/sysinv/cert-mon.conf'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
new file mode 100644
index 000000000..394046d60
--- /dev/null
+++ b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
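Review bot: `newvalues(/\S+\/\S+/)` is unanchored, so a name such as 'foo bar/baz' is accepted (the match is found in 'bar/baz') and then becomes section 'foo bar' in the provider's `split('/', 2)`; anchor it with `newvalues(%r{\A\S+/\S+\z})`. The munge on `:value` has the mirror problem: `/^(true|false)$/i` uses line anchors, so a multi-line value whose second line is 'true' matches and `capitalize!` rewrites the first character of the whole string; `value =~ /\A(true|false)\z/i` limits the normalization to the exact booleans. The `is_to_s`/`should_to_s` redaction covers only the change messages, so the value written for a `secret => true` resource is protected solely by the target file's permissions, which the manifest must set before the first write.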
@@ -0,0 +1,125 @@
+#
+# Files in this package are licensed under Apache; see LICENSE file.
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+class sysinv::certmon (
+ $local_keystone_password,
+ $dc_keystone_password,
+ $local_keystone_auth_uri = false,
+ $local_keystone_identity_uri = false,
+ $local_keystone_project_domain = 'Default',
+ $local_keystone_tenant = 'services',
+ $local_keystone_user = 'sysinv',
+ $local_keystone_user_domain = 'Default',
+ $local_region_name = 'RegionOne',
+
+ $dc_keystone_auth_uri = false,
+ $dc_keystone_identity_uri = false,
+ $dc_keystone_project_domain = 'Default',
+ $dc_keystone_tenant = 'services',
+ $dc_keystone_user = 'dcmanager',
+ $dc_keystone_user_domain = 'Default',
+
+ $use_syslog = false,
+ $log_facility = 'LOG_USER',
+ $debug = false,
+
+ $keystone_auth_protocol = 'http',
+ $keystone_auth_host = 'localhost',
+ $keystone_enabled = true,
+ $keystone_interface = 'internal',
+ $auth_type = 'password',
+ $service_port = '5000',
+ $keystone_http_connect_timeout = '10',
+ $package_ensure = 'latest',
+ $bind_host = '::',
+ $pxeboot_host = undef,
+ $enabled = true,
+) {
+ include sysinv::params
+
+ if $::sysinv::params::certmon_package {
+ Package['certmon'] -> Certmon_config<||>
+ package { 'certmon':
+ ensure => $package_ensure,
+ name => $::sysinv::params::certmon_package,
+ }
+ }
+
+ file { $::sysinv::params::certmon_conf:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ require => Package['sysinv'],
+ }
+
+ if $local_keystone_identity_uri {
+ certmon_config {
+ 'keystone_authtoken/auth_url': value => $local_keystone_identity_uri;
+ 'keystone_authtoken/auth_uri': value => $local_keystone_identity_uri;
+ }
+ } else {
+ certmon_config {
+ 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/";
+ 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/";
+ }
+ }
+
+ certmon_config {
+ 'DEFAULT/syslog_log_facility': value => $log_facility;
+ 'DEFAULT/use_syslog': value => $use_syslog;
+ 'DEFAULT/debug': value => $debug;
+ 'DEFAULT/logging_default_format_string': value => '%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s';
+ 'DEFAULT/logging_debug_format_suffix': value => '%(pathname)s:%(lineno)d';
+ }
+
+ certmon_config {
+ 'certmon/retry_interval': value => 600;
+ 'certmon/max_retry': value => 14;
+ 'certmon/audit_interval': value => 86400;
+ }
+
+ if $keystone_enabled {
+ certmon_config {
+ 'DEFAULT/auth_strategy': value => 'keystone' ;
+ }
+ certmon_config {
+ 'keystone_authtoken/auth_type': value => $auth_type;
+ 'keystone_authtoken/project_name': value => $local_keystone_tenant;
+ 'keystone_authtoken/username': value => $local_keystone_user;
+ 'keystone_authtoken/password': value => $local_keystone_password, secret=> true;
+ 'keystone_authtoken/user_domain_name': value => $local_keystone_user_domain;
+ 'keystone_authtoken/project_domain_name': value => $local_keystone_project_domain;
+ 'keystone_authtoken/interface': value => $keystone_interface;
+ 'keystone_authtoken/region_name': value => $local_region_name;
+ }
+
+ if $::platform::params::distributed_cloud_role == 'systemcontroller' {
+ certmon_config {
+ 'endpoint_cache/auth_plugin': value => $auth_type;
+ 'endpoint_cache/username': value => $dc_keystone_user;
+ 'endpoint_cache/password': value => $dc_keystone_password, secret=> true;
+ 'endpoint_cache/project_name': value => $dc_keystone_tenant;
+ 'endpoint_cache/user_domain_name': value => $dc_keystone_user_domain;
+ 'endpoint_cache/project_domain_name': value => $dc_keystone_project_domain;
+ 'endpoint_cache/http_connect_timeout': value => $keystone_http_connect_timeout;
+ }
+ }
+
+ if $dc_keystone_identity_uri {
+ certmon_config { 'endpoint_cache/auth_uri': value => "${dc_keystone_identity_uri}/v3"; }
+ }
+
+ }
+ else
+ {
+ certmon_config {
+ 'DEFAULT/auth_strategy': value => 'noauth' ;
+ }
+ }
+}
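Review bot: Nothing orders `File[$::sysinv::params::certmon_conf]` before the `certmon_config` resources, and the custom type carries no autorequire, so on a first run the ini provider may create /etc/sysinv/cert-mon.conf — holding `keystone_authtoken/password` and `endpoint_cache/password` — before the file resource applies `mode => '0600'`, leaving it at whatever mode the provider creates it with until later in the same run; add `File[$::sysinv::params::certmon_conf] -> Certmon_config<||>` beside the existing `Package['certmon']` ordering. `$service_port = '5000'` is declared but the fallback auth_url/auth_uri strings hard-code `:5000/`; both should read `"${keystone_auth_protocol}://${keystone_auth_host}:${service_port}/"`. `$local_keystone_auth_uri`, `$dc_keystone_auth_uri`, `$bind_host`, `$pxeboot_host` and `$enabled` are accepted but never used, which invites callers to set them expecting an effect.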
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/init.pp b/modules/puppet-sysinv/src/sysinv/manifests/init.pp
index 9727c89c9..15ce79b9c 100644
--- a/modules/puppet-sysinv/src/sysinv/manifests/init.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/init.pp
@@ -72,6 +72,7 @@ class sysinv (
 Package['sysinv'] -> Sysinv_config<||>
 Package['sysinv'] -> Sysinv_api_paste_ini<||>
+ Package['sysinv'] -> Certmon_config<||>
 # this anchor is used to simplify the graph between sysinv components by
 # allowing a resource to serve as a point where the configuration of sysinv begins
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/params.pp b/modules/puppet-sysinv/src/sysinv/manifests/params.pp
index 438aa3768..285220d7b 100644
--- a/modules/puppet-sysinv/src/sysinv/manifests/params.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/params.pp
@@ -18,6 +18,7 @@ class sysinv::params {
 $sysinv_dir = '/etc/sysinv'
 $sysinv_conf = '/etc/sysinv/sysinv.conf'
+ $certmon_conf = '/etc/sysinv/cert-mon.conf'
 $sysinv_paste_api_ini = '/etc/sysinv/api-paste.ini'
 if $::osfamily == 'Debian' {
@@ -29,6 +30,7 @@ class sysinv::params {
 $conductor_service = 'sysinv-conductor'
 $agent_package = 'sysinv'
 $agent_service = 'sysinv-agent'
+ $certmon_package = 'cert-mon'
 $db_sync_command = 'sysinv-dbsync'
 } elsif($::osfamily == 'RedHat') {
@@ -41,6 +43,7 @@ class sysinv::params {
 $conductor_service = 'sysinv-conductor'
 $agent_package = false
 $agent_service = 'sysinv-agent'
+ $certmon_package = false
 $db_sync_command = 'sysinv-dbsync'
 } elsif($::osfamily == 'WRLinux') {
@@ -53,6 +56,7 @@ class sysinv::params {
 $conductor_service = 'sysinv-conductor'
 $agent_package = false
 $agent_service = 'sysinv-agent'
+ $certmon_package = false
 $db_sync_command = 'sysinv-dbsync'
 } else {
diff --git a/puppet-manifests/src/hieradata/controller.yaml b/puppet-manifests/src/hieradata/controller.yaml
index 21c538e5b..044c8f6f1 100644
--- a/puppet-manifests/src/hieradata/controller.yaml
+++ b/puppet-manifests/src/hieradata/controller.yaml
@@ -159,6 +159,11 @@ sysinv::api::keystone_project_domain: 'Default'
 sysinv::conductor::enabled: false
+# cert-mon
+sysinv::certmon::use_syslog: true
+sysinv::certmon::log_facility: 'local6'
+sysinv::certmon::debug: false
+
 # nfvi
 nfv::nfvi::infrastructure_rest_api_data_port_fault_handling_enabled: false
diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp
index d239c1744..ad4295c44 100644
--- a/puppet-manifests/src/manifests/controller.pp
+++ b/puppet-manifests/src/manifests/controller.pp
@@ -89,6 +89,7 @@ include ::platform::dcorch
 include ::platform::dcorch::engine
 include ::platform::dcorch::api_proxy
 include ::platform::dcmanager::api
+include ::platform::certmon
 include ::platform::dcdbsync
 include ::platform::dcdbsync::api
diff --git a/puppet-manifests/src/modules/platform/manifests/certmon.pp b/puppet-manifests/src/modules/platform/manifests/certmon.pp
new file mode 100644
index 000000000..f969559c4
--- /dev/null
+++ b/puppet-manifests/src/modules/platform/manifests/certmon.pp
@@ -0,0 +1,6 @@
+class platform::certmon {
+ if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+ $::platform::params::distributed_cloud_role == 'subcloud') {
+ include ::sysinv::certmon
+ }
+}
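Review bot: `include ::sysinv::certmon` runs for both 'systemcontroller' and 'subcloud', but `sysinv::certmon` (manifests/certmon.pp in this commit) declares `$dc_keystone_password` with no default and only consumes it inside the 'systemcontroller' branch, so a subcloud catalog fails to compile unless hiera supplies `sysinv::certmon::dc_keystone_password` for a value that is never written there. Either give that parameter a default of `undef` in `sysinv::certmon` or document the required hiera keys on this class, e.g. `# Requires sysinv::certmon::local_keystone_password on both roles and sysinv::certmon::dc_keystone_password on systemcontroller`. The condition reads `$::platform::params::distributed_cloud_role` without including `platform::params`, which presumably has already been evaluated by the time controller.pp reaches this include; worth confirming since the class is otherwise silently skipped if the variable is undefined.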