remove hiera call from modules

Change-Id: I643c0ee1eca02b1a3c5c122e39d685396c64712e
sbartel 2015-08-10 10:29:16 +02:00
parent a68502c8c3
commit 61faeb0e3a
6 changed files with 107 additions and 49 deletions


@ -35,7 +35,7 @@ Installation Guide
Https plugin installation Https plugin installation
---------------------------- ----------------------------
1. Clone the fuel-plugin repo from: https://github.com/stackforge/fuel-plugin-tls.git 1. Clone the Fuel-plugin repo from: https://github.com/stackforge/fuel-plugin-tls.git
``git clone`` ``git clone``
@ -56,7 +56,7 @@ Https plugin installation
6. Install the tls plugin: 6. Install the tls plugin:
``fuel plugins --install tls-<x.x.x>.rpm`` ``Fuel plugins --install tls-<x.x.x>.rpm``
6. Plugin is ready to use and can be enabled on the Settings tab of the Fuel web UI. 6. Plugin is ready to use and can be enabled on the Settings tab of the Fuel web UI.
@ -78,8 +78,8 @@ https plugin configuration
- the certificate .key content - the certificate .key content
You must pass your .crt, .key, .ca files via fuel UI (settings tab) You must pass your .crt, .key, .ca files via Fuel UI (settings tab)
When you pass the content of the files in fuel ui, some "space" characters will appear, don't care about this puppet will remove it. When you pass the content of the files in Fuel ui, some "space" characters will appear, don't care about this puppet will remove it.
CRT file must be in the following format : CRT file must be in the following format :
@ -136,7 +136,7 @@ X43ceACVpWiv5DmBtEUrB8dbwxEJFaoPGqEswwdh1FDxzfsPdapyqGI5B8zRjnpa
SR2QEYok/8lZeDgUOhXkGg== SR2QEYok/8lZeDgUOhXkGg==
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
CA file must be in the following format : CA file must be in the following format :
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJHydV1v41XIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV MIIDXTCCAkWgAwIBAgIJAJHydV1v41XIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV


@ -1,19 +1,47 @@
$tls_hash = hiera('tls') $tls_hash = hiera('tls')
$horizon_crt = $tls_hash['horizon_crt'] $horizon_crt = $tls_hash['horizon_crt']
$horizon_key = $tls_hash['horizon_key'] $horizon_key = $tls_hash['horizon_key']
$horizon_ca = $tls_hash['horizon_ca'] $horizon_ca = $tls_hash['horizon_ca']
$nodes_hash = hiera('nodes')
$controllers = hiera('controllers') #do not use hiera for node parameters (see bug 1476957)
$public_virtual_ip = hiera('public_vip') $fuel_settings = parseyaml(file('/etc/astute.yaml'))
$internal_virtual_ip = hiera('management_vip') $nodes_hash = $::fuel_settings['nodes']
$controllers = concat(filter_nodes($nodes_hash,'role','primary-controller'), filter_nodes($nodes_hash,'role','controller'))
$public_virtual_ip = $::fuel_settings['public_vip']
$internal_virtual_ip = $::fuel_settings['management_vip']
$servername = hiera('public_vip')
$horizon_hash = hiera_hash('horizon',{})
$cache_server_ip = hiera('memcache_servers', $controller_nodes)
$cache_server_port = hiera('memcache_server_port', '11211')
$neutron = hiera('use_neutron')
$keystone_host = hiera('management_vip')
$verbose = hiera('verbose', true)
$debug = hiera('debug')
$package_ensure = hiera('horizon_package_ensure', 'installed')
$use_syslog = hiera('use_syslog', true)
$nova_quota = hiera('nova_quota')
class { 'tls::controller': class { 'tls::controller':
controllers => $controllers, controllers => $controllers,
public_virtual_ip => $public_virtual_ip, public_virtual_ip => $public_virtual_ip,
internal_virtual_ip => $internal_virtual_ip, internal_virtual_ip => $internal_virtual_ip,
horizon_crt => $horizon_crt, horizon_crt => $horizon_crt,
horizon_key => $horizon_key, horizon_key => $horizon_key,
horizon_ca => $horizon_ca, horizon_ca => $horizon_ca,
external_ip => $public_virtual_ip external_ip => $public_virtual_ip,
nodes_hash => $nodes_hash,
servername => $servername,
horizon_hash => $horizon_hash,
cache_server_ip => $cache_server_ip,
cache_server_port => $cache_server_port,
neutron => $neutron,
keystone_host => $keystone_host,
verbose => $verbose,
debug => $debug,
package_ensure => $package_ensure,
use_syslog => $use_syslog,
nova_quota => $nova_quota
} }
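Review bot: The fallback in `$cache_server_ip = hiera('memcache_servers', $controller_nodes)` refers to `$controller_nodes`, which is not assigned anywhere in the manifest lines shown; on this page it is only computed inside `tls::horizon::horizon`. When `memcache_servers` is absent from hiera, the default would therefore presumably be undefined rather than the sorted controller address list, leaving the session cache without backends. Compute it in the manifest before the lookup, e.g. `$controller_nodes = ipsort(values(nodes_to_hash($controllers,'name','internal_address')))`. Separately, `$servername` and `$keystone_host` still read `public_vip` and `management_vip` through hiera although the new comment says node parameters should come from `/etc/astute.yaml`; reusing `$public_virtual_ip` and `$internal_virtual_ip` would keep the two sources from diverging.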


@ -1,9 +1,14 @@
$tls_hash = hiera('tls') $tls_hash = hiera('tls')
$horizon_crt = $tls_hash['horizon_crt'] $horizon_crt = $tls_hash['horizon_crt']
$horizon_key = $tls_hash['horizon_key'] $horizon_key = $tls_hash['horizon_key']
$nodes_hash = hiera('nodes') $nodes_hash = hiera('nodes')
$public_ip = hiera('public_vip') $public_ip = hiera('public_vip')
$internal_ip = hiera('management_vip') $internal_ip = hiera('management_vip')
#do not use hiera for node parameters (see bug 1476957)
$fuel_settings = parseyaml(file('/etc/astute.yaml'))
$public_virtual_ip = $::fuel_settings['public_vip']
$internal_virtual_ip = $::fuel_settings['management_vip']
class { 'tls::compute': class { 'tls::compute':
public_virtual_ip => $public_ip, public_virtual_ip => $public_ip,
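Review bot: The added `$public_virtual_ip` and `$internal_virtual_ip` are not used by the part of the `tls::compute` declaration shown here, which still passes `public_virtual_ip => $public_ip`. `$public_ip`, `$internal_ip` and `$nodes_hash` also still come from the `hiera()` lookups that the new comment says to avoid. If the intent is to stop reading node parameters through hiera, pass the new variables instead, e.g. `public_virtual_ip => $public_virtual_ip,`, and drop the stale lookups. The declaration continues past the end of the hunk, so the remaining parameters should be checked the same way.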


@ -5,16 +5,27 @@ class tls::controller(
$horizon_crt, $horizon_crt,
$horizon_key, $horizon_key,
$horizon_ca, $horizon_ca,
$external_ip $external_ip,
$nodes_hash,
$servername,
$horizon_hash,
$cache_server_ip,
$cache_server_port,
$neutron,
$keystone_host,
$verbose,
$debug,
$package_ensure,
$use_syslog,
$nova_quota
) { ) {
$nodes_hash = hiera('nodes')
$node = filter_nodes($nodes_hash,'name',$::hostname) $node = filter_nodes($nodes_hash,'name',$::hostname)
$internal_address = $node[0]['internal_address'] $internal_address = $node[0]['internal_address']
$bind_address = $internal_address $bind_address = $internal_address
$server_hostname = $external_ip $server_hostname = $external_ip
include tls::params include tls::params
$apache_tls_path = $tls::params::apache_tls_path $apache_tls_path = $tls::params::apache_tls_path
#format crt and key files #format crt and key files
file { "$apache_tls_path" : file { "$apache_tls_path" :
ensure => directory, ensure => directory,
@ -50,10 +61,21 @@ class tls::controller(
httpd_service => $tls::params::httpd_service_name httpd_service => $tls::params::httpd_service_name
}-> }->
class { 'tls::horizon::horizon': class { 'tls::horizon::horizon':
bind_address => $bind_address, bind_address => $bind_address,
controllers => $controllers, controllers => $controllers,
public_virtual_ip => $public_virtual_ip, public_virtual_ip => $public_virtual_ip,
internal_virtual_ip => $internal_virtual_ip, internal_virtual_ip => $internal_virtual_ip,
servername => $servername,
horizon_hash => $horizon_hash,
cache_server_ip => $cache_server_ip,
cache_server_port => $cache_server_port,
neutron => $neutron,
keystone_host => $keystone_host,
verbose => $verbose,
debug => $debug,
package_ensure => $package_ensure,
use_syslog => $use_syslog,
nova_quota => $nova_quota,
}-> }->
exec { "ha_proxy_restart": exec { "ha_proxy_restart":
command => "/usr/sbin/crm resource restart p_haproxy", command => "/usr/sbin/crm resource restart p_haproxy",
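Review bot: `$nodes_hash` is now supplied by the caller, yet `$node[0]['internal_address']` is still read without checking that `filter_nodes` found an entry for `$::hostname`. If the hash passed in has no matching node, `$bind_address` would presumably end up empty or compilation would stop with an unhelpful error, and an empty bind address on the TLS vhost is worth failing on explicitly. A guard such as `if empty($node) { fail("no entry for ${::hostname} in nodes_hash") }` before the lookup would make that case obvious. The twelve new parameters are all required and undocumented; a short header comment listing them and where the manifest takes each value from would help. The class body continues outside both hunks.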


@ -3,35 +3,35 @@ class tls::horizon::horizon(
$controllers, $controllers,
$public_virtual_ip, $public_virtual_ip,
$internal_virtual_ip, $internal_virtual_ip,
$servername,
$horizon_hash,
$cache_server_ip,
$cache_server_port,
$neutron,
$keystone_host,
$verbose,
$debug,
$package_ensure,
$use_syslog,
$nova_quota
) { ) {
include tls::params include tls::params
$ssl_port = 443 $ssl_port = 443
$horizon_hash = hiera_hash('horizon',{})
$root_url = $tls::params::root_url $root_url = $tls::params::root_url
$horizon_cert = $tls::params::tls_cert_file $horizon_cert = $tls::params::tls_cert_file
$horizon_key = $tls::params::tls_key_file $horizon_key = $tls::params::tls_key_file
$horizon_ca = $tls::params::tls_ca_file $horizon_ca = $tls::params::tls_ca_file
$controller_internal_addresses = nodes_to_hash($controllers,'name','internal_address') $controller_internal_addresses = nodes_to_hash($controllers,'name','internal_address')
$controller_nodes = ipsort(values($controller_internal_addresses)) $controller_nodes = ipsort(values($controller_internal_addresses))
$cache_server_ip = hiera('memcache_servers', $controller_nodes)
$cache_server_port = hiera('memcache_server_port', '11211')
$swift = false $swift = false
$neutron = hiera('use_neutron')
$horizon_app_links = undef $horizon_app_links = undef
$keystone_host = hiera('management_vip')
$keystone_scheme = 'http' $keystone_scheme = 'http'
$keystone_default_role = '_member_' $keystone_default_role = '_member_'
$verbose = hiera('verbose', true)
$debug = hiera('debug')
$api_result_limit = 1000 $api_result_limit = 1000
$package_ensure = hiera('horizon_package_ensure', 'installed')
$use_ssl = true $use_ssl = true
$use_syslog = hiera('use_syslog', true)
$log_level = 'WARNING' $log_level = 'WARNING'
$nova_quota = hiera('nova_quota')
$local_settings_template = 'openstack/horizon/local_settings.py.erb' $local_settings_template = 'openstack/horizon/local_settings.py.erb'
$django_session_engine = 'django.contrib.sessions.backends.cache' $django_session_engine = 'django.contrib.sessions.backends.cache'
$servername = hiera('public_vip')
$cache_backend = 'horizon.backends.memcached.HorizonMemcached' $cache_backend = 'horizon.backends.memcached.HorizonMemcached'
$cache_options = ["'SOCKET_TIMEOUT': 1","'SERVER_RETRIES': 1","'DEAD_RETRY': 1"] $cache_options = ["'SOCKET_TIMEOUT': 1","'SERVER_RETRIES': 1","'DEAD_RETRY': 1"]
@ -128,15 +128,24 @@ class tls::horizon::horizon(
horizon_ca => $horizon_ca horizon_ca => $horizon_ca
} }
# Performance optimization for wsgi
if ($::memorysize_mb < 1200 or $::processorcount <= 3) {
$wsgi_processes = 2
$wsgi_threads = 9
} else {
$wsgi_processes = $::processorcount
$wsgi_threads = 15
}
class { '::horizon::wsgi::apache': class { '::horizon::wsgi::apache':
priority => false, priority => false,
servername => $public_virtual_ip, servername => $public_virtual_ip,
bind_address => $bind_address, bind_address => $bind_address,
wsgi_processes => $wsgi_processes, wsgi_processes => $wsgi_processes,
wsgi_threads => $wsgi_threads, wsgi_threads => $wsgi_threads,
horizon_cert => $horizon_cert , horizon_cert => $horizon_cert ,
horizon_key => $horizon_key, horizon_key => $horizon_key,
horizon_ca => $horizon_ca, horizon_ca => $horizon_ca,
listen_ssl => $use_ssl, listen_ssl => $use_ssl,
extra_params => { extra_params => {
default_vhost => true, default_vhost => true,
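Review bot: `$keystone_host` is now supplied by the caller, but `$keystone_scheme` stays hard-coded to `'http'` in the class body, so in a plugin whose purpose is TLS the dashboard would presumably still reach Keystone in clear text whatever host is passed in (the lines that build the Keystone URL are outside the hunks). Consider exposing the scheme as a parameter with the current value as its default, `$keystone_scheme = 'http'` at the end of the parameter list, and removing the local assignment, so a deployment with a TLS-enabled Keystone endpoint can switch it without editing the module. In the new wsgi block, `$::memorysize_mb < 1200` and `$::processorcount <= 3` compare facts that may arrive as strings; a comment stating that numeric conversion is relied on there would be helpful.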


@ -9,10 +9,7 @@ class tls::params {
$tls_cert_file = '/etc/apache2/TLS/horizon.crt' $tls_cert_file = '/etc/apache2/TLS/horizon.crt'
$tls_key_file = '/etc/apache2/TLS/horizon.key' $tls_key_file = '/etc/apache2/TLS/horizon.key'
$tls_ca_file = '/etc/apache2/TLS/horizon.ca' $tls_ca_file = '/etc/apache2/TLS/horizon.ca'
$root_url = '/horizon' $root_url = '/horizon'
$apache_conf_file = '/etc/apache2/conf-available/openstack-dashboard.conf'
$apache_vhost_file = '/etc/apache2/sites-available/openstack-dashboard.conf'
$apache_port_file = '/etc/apache2/ports.conf'
} elsif($::osfamily == 'RedHat') { } elsif($::osfamily == 'RedHat') {
$httpd_service_name = 'httpd' $httpd_service_name = 'httpd'
$horizon_settings_file = '/etc/openstack-dashboard/local_settings' $horizon_settings_file = '/etc/openstack-dashboard/local_settings'
@ -23,10 +20,7 @@ class tls::params {
$tls_cert_file = '/etc/httpd/TLS/horizon.crt' $tls_cert_file = '/etc/httpd/TLS/horizon.crt'
$tls_key_file = '/etc/httpd/TLS/horizon.key' $tls_key_file = '/etc/httpd/TLS/horizon.key'
$tls_ca_file = '/etc/httpd/TLS/horizon.ca' $tls_ca_file = '/etc/httpd/TLS/horizon.ca'
$root_url = '/dashboard' $root_url = '/dashboard'
$apache_conf_file = '/etc/httpd/conf.d/openstack-dashboard.conf'
$apache_vhost_file = '/etc/httpd/conf.d/ssl.conf'
$apache_port_file = '/etc/httpd/conf.d/ports.conf'
} else { } else {
fail("unsupported family ${::osfamily}") fail("unsupported family ${::osfamily}")
} }