migrate plugins from 1.0.0 to 2.0.0 package version
Change-Id: Ib7f3578a14a30c3bbd7b1bd9fa92cfd3aee7f193
parent
93228988ed
commit
a68502c8c3
42
README.md
42
README.md
|
@ -15,7 +15,7 @@ Requirements
|
|||
|
||||
| Requirement | Version/Comment |
|
||||
|----------------------------------|---------------------------------------------------------|
|
||||
| Mirantis Openstack compatibility | 6.0 |
|
||||
| Mirantis Openstack compatibility | 6.1 |
|
||||
|----------------------------------|---------------------------------------------------------|
|
||||
| Crt & Key files | You have a crt & key files to provide before deployment |
|
||||
|
||||
|
@ -43,20 +43,20 @@ Https plugin installation
|
|||
|
||||
``pip install fuel-plugin-builder``
|
||||
|
||||
3. Build nova-nfs Fuel plugin:
|
||||
3. Build tls Fuel plugin:
|
||||
|
||||
``fpb --build fuel-plugin-tls/``
|
||||
|
||||
4. The tls-<x.x.x>.fp file will be created in the plugin folder (fuel-plugin-tls)
|
||||
4. The tls-<x.x.x>.rpm file will be created in the plugin folder (fuel-plugin-tls)
|
||||
|
||||
5. Move this file to the Fuel Master node with secure copy (scp):
|
||||
|
||||
``scp tls-<x.x.x>.fp root@:<the_Fuel_Master_node_IP address>:/tmp``
|
||||
``scp tls-<x.x.x>.rpm root@:<the_Fuel_Master_node_IP address>:/tmp``
|
||||
``cd /tmp``
|
||||
|
||||
6. Install the nova-nfs plugin:
|
||||
6. Install the tls plugin:
|
||||
|
||||
``fuel plugins --install tls-<x.x.x>.fp``
|
||||
``fuel plugins --install tls-<x.x.x>.rpm``
|
||||
|
||||
6. Plugin is ready to use and can be enabled on the Settings tab of the Fuel web UI.
|
||||
|
||||
|
@ -78,7 +78,7 @@ https plugin configuration
|
|||
- the certificate .key content
|
||||
|
||||
|
||||
You must pass your .crt and .key files via fuel UI (settings tab)
|
||||
You must pass your .crt, .key, .ca files via fuel UI (settings tab)
|
||||
When you pass the content of the files in fuel ui, some "space" characters will appear, don't care about this puppet will remove it.
|
||||
|
||||
CRT file must be in the following format :
|
||||
|
@ -136,6 +136,30 @@ X43ceACVpWiv5DmBtEUrB8dbwxEJFaoPGqEswwdh1FDxzfsPdapyqGI5B8zRjnpa
|
|||
SR2QEYok/8lZeDgUOhXkGg==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
CA file must be in the following format :
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDXTCCAkWgAwIBAgIJAJHydV1v41XIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
|
||||
BAYTAkZSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
|
||||
aWRnaXRzIFB0eSBMdGQwHhcNMTUwMTMwMTAyNDU3WhcNMTYwMTMwMTAyNDU3WjBF
|
||||
MQswCQYDVQQGEwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
|
||||
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
|
||||
CgKCAQEAqwHssa1A2alSVh8ZZvKffGaix7mSFMDsFjUgPShqbAZ8xGQynvrHPel9
|
||||
A8E6ml0sGzHDwk8gobpu7k1wuMhcs7Np88xu5GtR1DhZWQ8MUGWHfflyjguMjtzF
|
||||
pZg4j0M14SE2INwwsRRtvC0/aeV1/q7HqfTk7+y01g/N4OKvYwndNp2lbSjBZZF4
|
||||
qbL9QD5iesOptxRryJ8tcm47i6hC4LTunz9pgVI13rtlOoqtXjf07ytMydBbzpeR
|
||||
4joaPAjbPf5ywf+I/n8XFxy6QPC9qAm2H3Gpo/5bb7+9S8AOhYqvWEKNotvyX1E8
|
||||
aiDLV+LHkL45Xpx47YBty6L8qNuejwIDAQABo1AwTjAdBgNVHQ4EFgQUVQNmpJDO
|
||||
w5eVB3yjU80NUZSKZlcwHwYDVR0jBBgwFoAUVQNmpJDOw5eVB3yjU80NUZSKZlcw
|
||||
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAqadjZT7kMXRf5bp14nfI
|
||||
20m6G/i5aHBo+0v+6lRtmk5wD/D6VsOh+R/HjjDDo68y/WEWXxQbuOYX+HZCABpf
|
||||
VTA4oLvY4t3gtzt9Q21VtK/l5e3yyxo2JBnsPqc5wmWDlNO8aImF+QrvovkuyTV5
|
||||
mX6suZgby4eTllmVzBNK/+FMuPlsSPwB8SxEbu04aOIcwbn4LCCZJZEG6INVGSS8
|
||||
SRg1iER8mu2Jf45JKkMFDqUhCUp/ejM2t686O7olqKtmF53rDSBnzhtabdgTIx3F
|
||||
RjCb281gwvwSgyFfUgt5TIIq1o/kci2N33zuxaifFVz6DtDxKegoZg73bUMg/OA2
|
||||
bg==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
Here is a screenshot of the fields
|
||||
|
||||
![tls fields](./figures/tls-plugin.png "tls-fields")
|
||||
|
@ -159,6 +183,10 @@ None.
|
|||
Release Notes
|
||||
-------------
|
||||
|
||||
**2.0.0**
|
||||
|
||||
* migrate plugins from 1.0.0 to 2.0.0 package version
|
||||
|
||||
**1.0.0**
|
||||
|
||||
* Initial release of the plugin
|
||||
|
|
|
@ -1,30 +1,19 @@
|
|||
$fuel_settings = parseyaml(file('/etc/astute.yaml'))
|
||||
$tls_hash = $::fuel_settings['tls']
|
||||
$horizon_crt = $tls_hash['horizon_crt']
|
||||
$horizon_key = $tls_hash['horizon_key']
|
||||
$nodes_hash = $::fuel_settings['nodes']
|
||||
if ($::fuel_settings['deployment_mode'] == 'multinode') {
|
||||
$controller = filter_nodes($nodes_hash,'role','controller')
|
||||
$controller_node_public = $controller[0]['public_address']
|
||||
class { 'tls::controller':
|
||||
horizon_crt => $horizon_crt,
|
||||
horizon_key => $horizon_key,
|
||||
external_ip => $controller_node_public,
|
||||
bind_address => $controller_node_public
|
||||
}
|
||||
}
|
||||
else {
|
||||
$controllers = concat(filter_nodes($nodes_hash,'role','primary-controller'), filter_nodes($nodes_hash,'role','controller'))
|
||||
$public_virtual_ip = $::fuel_settings['public_vip']
|
||||
$internal_virtual_ip = $::fuel_settings['management_vip']
|
||||
class { 'tls::controller_ha':
|
||||
controllers => $controllers,
|
||||
public_virtual_ip => $public_virtual_ip,
|
||||
internal_virtual_ip => $internal_virtual_ip,
|
||||
horizon_crt => $horizon_crt,
|
||||
horizon_key => $horizon_key,
|
||||
external_ip => $public_virtual_ip
|
||||
}
|
||||
$tls_hash = hiera('tls')
|
||||
$horizon_crt = $tls_hash['horizon_crt']
|
||||
$horizon_key = $tls_hash['horizon_key']
|
||||
$horizon_ca = $tls_hash['horizon_ca']
|
||||
$nodes_hash = hiera('nodes')
|
||||
$controllers = hiera('controllers')
|
||||
$public_virtual_ip = hiera('public_vip')
|
||||
$internal_virtual_ip = hiera('management_vip')
|
||||
class { 'tls::controller':
|
||||
controllers => $controllers,
|
||||
public_virtual_ip => $public_virtual_ip,
|
||||
internal_virtual_ip => $internal_virtual_ip,
|
||||
horizon_crt => $horizon_crt,
|
||||
horizon_key => $horizon_key,
|
||||
horizon_ca => $horizon_ca,
|
||||
external_ip => $public_virtual_ip
|
||||
}
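Review bot: The new site.pp hands `$horizon_crt`, `$horizon_key` and `$horizon_ca` straight from `hiera('tls')` to `tls::controller` without checking them, and the UI defaults for these fields are the empty string, so a deployment with a blank field proceeds and the downstream format.sh writes PEM files containing only the BEGIN/END markers. A guard before the class declaration, `if empty($horizon_crt) or empty($horizon_key) { fail('tls: horizon_crt and horizon_key must be set') }`, turns that into an early, readable catalog failure; `empty()` is the puppetlabs-stdlib function, which the `/etc/puppet/modules` path in tasks.yaml presumably provides. The CA value may legitimately stay empty, so it should not be part of the guard.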
|
||||
|
||||
|
||||
|
|
|
@ -1,18 +1,10 @@
|
|||
$fuel_settings = parseyaml(file('/etc/astute.yaml'))
|
||||
$tls_hash = $::fuel_settings['tls']
|
||||
$tls_hash = hiera('tls')
|
||||
$horizon_crt = $tls_hash['horizon_crt']
|
||||
$horizon_key = $tls_hash['horizon_key']
|
||||
$nodes_hash = $::fuel_settings['nodes']
|
||||
|
||||
if ($::fuel_settings['deployment_mode'] == 'multinode') {
|
||||
$controller = filter_nodes($nodes_hash,'role','controller')
|
||||
$internal_ip = $controller[0]['internal_address']
|
||||
$public_ip = $controller[0]['public_address']
|
||||
}
|
||||
else {
|
||||
$public_ip = $::fuel_settings['public_vip']
|
||||
$internal_ip = $::fuel_settings['management_vip']
|
||||
}
|
||||
$nodes_hash = hiera('nodes')
|
||||
$public_ip = hiera('public_vip')
|
||||
$internal_ip = hiera('management_vip')
|
||||
|
||||
class { 'tls::compute':
|
||||
public_virtual_ip => $public_ip,
|
||||
internal_virtual_ip => $internal_ip,
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
|
||||
CRT=$1
|
||||
KEY=$2
|
||||
SSL_PATH=$3
|
||||
CA=$3
|
||||
SSL_PATH=$4
|
||||
############################################################################################################################
|
||||
# Horizon part
|
||||
############################################################################################################################
|
||||
|
@ -14,6 +15,12 @@ echo "-----BEGIN PRIVATE KEY-----" > $SSL_PATH/horizon.key
|
|||
echo $KEY | awk -F "-----" '{ print $3}' | sed 's/ /\n/g' | sed '/^$/d' >> $SSL_PATH/horizon.key
|
||||
echo "-----END PRIVATE KEY-----" >> $SSL_PATH/horizon.key
|
||||
|
||||
echo "-----BEGIN CERTIFICATE-----" > $SSL_PATH/horizon.ca
|
||||
echo $CA | awk -F "-----" '{ print $3}' | sed 's/ /\n/g' | sed '/^$/d' >> $SSL_PATH/horizon.ca
|
||||
echo "-----END CERTIFICATE-----" >> $SSL_PATH/horizon.ca
|
||||
|
||||
|
||||
|
||||
############################################################################################################################
|
||||
# Nova part
|
||||
############################################################################################################################
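Review bot: `echo $CA | awk ...` leaves `$CA` unquoted, so the shell word-splits and glob-expands the certificate text before awk sees it (a `*` or `?` in the pasted content would be matched against files in the working directory); the existing `$KEY` and `$CRT` lines have the same shape, and the new block copies it. `printf '%s\n' "$CA" | awk -F "-----" '{ print $3}' ...` (and likewise for `"$KEY"`) passes the content through unchanged. Since horizon.key is created with whatever umask the calling Puppet exec inherits, adding `umask 077` at the top of the script, or `chmod 600 "$SSL_PATH/horizon.key"` after it is written, keeps the private key from being world-readable; only the CA lines are new here, but the key write is in view as context. The script's header and the CRT section lie outside this hunk.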
|
||||
|
|
|
@ -1,9 +1,16 @@
|
|||
class tls::controller(
|
||||
$controllers,
|
||||
$public_virtual_ip,
|
||||
$internal_virtual_ip,
|
||||
$horizon_crt,
|
||||
$horizon_key,
|
||||
$external_ip,
|
||||
$bind_address
|
||||
$horizon_ca,
|
||||
$external_ip
|
||||
) {
|
||||
$nodes_hash = hiera('nodes')
|
||||
$node = filter_nodes($nodes_hash,'name',$::hostname)
|
||||
$internal_address = $node[0]['internal_address']
|
||||
$bind_address = $internal_address
|
||||
$server_hostname = $external_ip
|
||||
include tls::params
|
||||
$apache_tls_path = $tls::params::apache_tls_path
|
||||
|
@ -33,20 +40,23 @@ class tls::controller(
|
|||
require => File["$apache_tls_path"]
|
||||
}
|
||||
exec {'format.sh':
|
||||
command => "bash -c \"format.sh \'${horizon_crt}\' \'${horizon_key}\' \'${apache_tls_path}\'\"",
|
||||
command => "bash -c \"format.sh \'${horizon_crt}\' \'${horizon_key}\' \'${horizon_ca}\' \'${apache_tls_path}\'\"",
|
||||
path => '/usr/sbin:/usr/bin:/sbin:/bin',
|
||||
require => File['format.sh'],
|
||||
before => File['openstack-dashboard.conf'],
|
||||
}
|
||||
class { 'tls::horizon::horizon':
|
||||
horizon_crt => $horizon_crt,
|
||||
horizon_key => $horizon_key,
|
||||
bind_address => $bind_address
|
||||
}
|
||||
class { 'tls::nova::novnc_controller':
|
||||
server_hostname => $server_hostname,
|
||||
novnc_service => $tls::params::nova_novnc_service,
|
||||
httpd_service => $tls::params::httpd_service_name
|
||||
}
|
||||
httpd_service => $tls::params::httpd_service_name
|
||||
}->
|
||||
class { 'tls::horizon::horizon':
|
||||
bind_address => $bind_address,
|
||||
controllers => $controllers,
|
||||
public_virtual_ip => $public_virtual_ip,
|
||||
internal_virtual_ip => $internal_virtual_ip,
|
||||
}->
|
||||
exec { "ha_proxy_restart":
|
||||
command => "/usr/sbin/crm resource restart p_haproxy",
|
||||
}
|
||||
}
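Review bot: The rewritten `format.sh` exec command interpolates the private key, certificate and now the CA into a `bash -c "format.sh '...' '...' '...'"` string, so the PEM material becomes process arguments readable by any local user through `ps`/`/proc/<pid>/cmdline` and is copied into the Puppet report and log whenever the exec fails; a `'` anywhere in a pasted field also terminates the single-quoted argument and the rest is parsed as shell. A safer shape is to write each raw value with a `file` resource (`mode => '0600'`, `content => $horizon_key`) under `$apache_tls_path` and have format.sh read those files, leaving only paths on the command line; if the exec must keep taking the values, passing them via the exec's `environment` parameter at least keeps them out of argv. The `ha_proxy_restart` exec has no `refreshonly`/`unless`, so the chained `->` form runs `crm resource restart p_haproxy` on every agent run; `~>` from the horizon class plus `refreshonly => true` restricts it to actual changes. The enclosing `tls::controller` class starts before this hunk.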
|
||||
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
class tls::controller_ha(
|
||||
$controllers,
|
||||
$public_virtual_ip,
|
||||
$internal_virtual_ip,
|
||||
$horizon_crt,
|
||||
$horizon_key,
|
||||
$external_ip
|
||||
) {
|
||||
$nodes_hash = $::fuel_settings['nodes']
|
||||
$node = filter_nodes($nodes_hash,'name',$::hostname)
|
||||
$internal_address = $node[0]['internal_address']
|
||||
$bind_address = $internal_address
|
||||
class { 'tls::controller':
|
||||
horizon_crt => $horizon_crt,
|
||||
horizon_key => $horizon_key,
|
||||
external_ip => $external_ip,
|
||||
bind_address => $bind_address
|
||||
}
|
||||
class { 'tls::horizon::horizon_ha':
|
||||
controllers => $controllers,
|
||||
public_virtual_ip => $public_virtual_ip,
|
||||
internal_virtual_ip => $internal_virtual_ip,
|
||||
}
|
||||
exec { "ha_proxy_restart":
|
||||
command => "/usr/sbin/crm resource restart p_haproxy",
|
||||
require => Class['tls::horizon::horizon_ha'],
|
||||
}
|
||||
}
|
||||
|
|
@ -1,13 +1,39 @@
|
|||
class tls::horizon::horizon(
|
||||
$horizon_crt,
|
||||
$horizon_key,
|
||||
$bind_address,
|
||||
$bind_address = '*',
|
||||
$controllers,
|
||||
$public_virtual_ip,
|
||||
$internal_virtual_ip,
|
||||
) {
|
||||
include tls::params
|
||||
|
||||
$root_url = $tls::params::root_url
|
||||
$ssl_cert_file = $tls::params::tls_cert_file
|
||||
$ssl_key_file = $tls::params::tls_key_file
|
||||
$ssl_port = 443
|
||||
$horizon_hash = hiera_hash('horizon',{})
|
||||
$root_url = $tls::params::root_url
|
||||
$horizon_cert = $tls::params::tls_cert_file
|
||||
$horizon_key = $tls::params::tls_key_file
|
||||
$horizon_ca = $tls::params::tls_ca_file
|
||||
$controller_internal_addresses = nodes_to_hash($controllers,'name','internal_address')
|
||||
$controller_nodes = ipsort(values($controller_internal_addresses))
|
||||
$cache_server_ip = hiera('memcache_servers', $controller_nodes)
|
||||
$cache_server_port = hiera('memcache_server_port', '11211')
|
||||
$swift = false
|
||||
$neutron = hiera('use_neutron')
|
||||
$horizon_app_links = undef
|
||||
$keystone_host = hiera('management_vip')
|
||||
$keystone_scheme = 'http'
|
||||
$keystone_default_role = '_member_'
|
||||
$verbose = hiera('verbose', true)
|
||||
$debug = hiera('debug')
|
||||
$api_result_limit = 1000
|
||||
$package_ensure = hiera('horizon_package_ensure', 'installed')
|
||||
$use_ssl = true
|
||||
$use_syslog = hiera('use_syslog', true)
|
||||
$log_level = 'WARNING'
|
||||
$nova_quota = hiera('nova_quota')
|
||||
$local_settings_template = 'openstack/horizon/local_settings.py.erb'
|
||||
$django_session_engine = 'django.contrib.sessions.backends.cache'
|
||||
$servername = hiera('public_vip')
|
||||
$cache_backend = 'horizon.backends.memcached.HorizonMemcached'
|
||||
$cache_options = ["'SOCKET_TIMEOUT': 1","'SERVER_RETRIES': 1","'DEAD_RETRY': 1"]
|
||||
|
||||
#update horizon config file
|
||||
exec { "USE_SSL":
|
||||
|
@ -51,35 +77,138 @@ class tls::horizon::horizon(
|
|||
}
|
||||
}
|
||||
|
||||
#update apache config file
|
||||
file { 'openstack-dashboard.conf' :
|
||||
ensure => present,
|
||||
path => $tls::params::apache_conf_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('tls/openstack-dashboard.conf.erb'),
|
||||
notify => Service[$tls::params::httpd_service_name],
|
||||
if $horizon_hash['secret_key'] {
|
||||
$secret_key = $horizon_hash['secret_key']
|
||||
} else {
|
||||
$secret_key = 'dummy_secret_key'
|
||||
}
|
||||
|
||||
file { 'port.conf' :
|
||||
ensure => present,
|
||||
path => $tls::params::apache_port_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('tls/port.conf.erb'),
|
||||
notify => Service[$tls::params::httpd_service_name],
|
||||
if $debug { #syslog and nondebug case
|
||||
#We don't realy want django debug, it is too verbose.
|
||||
$django_debug = false
|
||||
$django_verbose = false
|
||||
$log_level_real = 'DEBUG'
|
||||
} elsif $verbose {
|
||||
$django_verbose = true
|
||||
$django_debug = false
|
||||
$log_level_real = 'INFO'
|
||||
} else {
|
||||
$django_verbose = false
|
||||
$django_debug = false
|
||||
$log_level_real = $log_level
|
||||
}
|
||||
|
||||
file { 'vhost.conf' :
|
||||
ensure => present,
|
||||
path => $tls::params::apache_vhost_file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => template('tls/vhost.erb'),
|
||||
notify => Service[$tls::params::httpd_service_name],
|
||||
apache::listen{ $ssl_port:}
|
||||
apache::namevirtualhost{ "*:$ssl_port":}
|
||||
|
||||
class { '::horizon':
|
||||
bind_address => $bind_address,
|
||||
cache_server_ip => $cache_server_ip,
|
||||
cache_server_port => $cache_server_port,
|
||||
cache_backend => $cache_backend,
|
||||
cache_options => $cache_options,
|
||||
secret_key => $secret_key,
|
||||
swift => $swift,
|
||||
package_ensure => $package_ensure,
|
||||
horizon_app_links => $horizon_app_links,
|
||||
keystone_host => $keystone_host,
|
||||
keystone_scheme => $keystone_scheme,
|
||||
keystone_default_role => $keystone_default_role,
|
||||
django_debug => $django_debug,
|
||||
api_result_limit => $api_result_limit,
|
||||
listen_ssl => $use_ssl,
|
||||
log_level => $log_level_real,
|
||||
local_settings_template => $local_settings_template,
|
||||
configure_apache => false,
|
||||
django_session_engine => $django_session_engine,
|
||||
allowed_hosts => '*',
|
||||
secure_cookies => false,
|
||||
horizon_cert => $horizon_cert ,
|
||||
horizon_key => $horizon_key,
|
||||
horizon_ca => $horizon_ca
|
||||
}
|
||||
|
||||
class { '::horizon::wsgi::apache':
|
||||
priority => false,
|
||||
servername => $public_virtual_ip,
|
||||
bind_address => $bind_address,
|
||||
wsgi_processes => $wsgi_processes,
|
||||
wsgi_threads => $wsgi_threads,
|
||||
horizon_cert => $horizon_cert ,
|
||||
horizon_key => $horizon_key,
|
||||
horizon_ca => $horizon_ca,
|
||||
listen_ssl => $use_ssl,
|
||||
extra_params => {
|
||||
default_vhost => true,
|
||||
add_listen => false,
|
||||
ssl_protocol => '+TLSv1',
|
||||
ssl_cipher => 'HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM',
|
||||
custom_fragment => template("openstack/horizon/wsgi_vhost_custom.erb"),
|
||||
},
|
||||
} ~>
|
||||
Service[$::apache::params::service_name]
|
||||
|
||||
Haproxy::Service { use_include => true }
|
||||
Haproxy::Balancermember { use_include => true }
|
||||
|
||||
$haproxy_config_options = {
|
||||
'option' => ['ssl-hello-chk', 'tcpka'],
|
||||
'stick-table' => 'type ip size 200k expire 30m',
|
||||
'stick' => 'on src',
|
||||
'balance' => 'source',
|
||||
'timeout' => ['client 3h', 'server 3h'],
|
||||
'mode' => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::listen { 'horizon-ssl':
|
||||
order => '017',
|
||||
ipaddress => $public_virtual_ip,
|
||||
ports => '443',
|
||||
options => $haproxy_config_options,
|
||||
mode => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::balancermember { 'horizon-ssl':
|
||||
order => '017',
|
||||
listening_service => 'horizon-tls',
|
||||
server_names => filter_hash($controllers, 'name'),
|
||||
ipaddresses => filter_hash($controllers, 'internal_address'),
|
||||
ports => '443',
|
||||
options => 'weight 1 check',
|
||||
define_cookies => false,
|
||||
define_backups => false,
|
||||
}
|
||||
|
||||
##################################################################################
|
||||
|
||||
$haproxy_config_options_nova = {
|
||||
'option' => ['ssl-hello-chk', 'tcpka'],
|
||||
'mode' => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::listen { 'nova-novncproxy':
|
||||
order => '170',
|
||||
ipaddress => $public_virtual_ip,
|
||||
ports => '6080',
|
||||
options => $haproxy_config_options_nova,
|
||||
mode => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::balancermember { 'nova-novncproxy':
|
||||
order => '170',
|
||||
listening_service => 'horizon-tls',
|
||||
server_names => filter_hash($controllers, 'name'),
|
||||
ipaddresses => filter_hash($controllers, 'internal_address'),
|
||||
ports => '6080',
|
||||
options => 'check',
|
||||
define_cookies => false,
|
||||
define_backups => false,
|
||||
}
|
||||
######################################################################################
|
||||
|
||||
service { 'haproxy':
|
||||
enable => true,
|
||||
ensure => running,
|
||||
}
|
||||
|
||||
}
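Review bot: `$secret_key` falls back to the literal `'dummy_secret_key'` when the hiera `horizon` hash has no `secret_key`, which installs a Django SECRET_KEY that is identical on every deployment that hits this branch and lets session cookies be forged by anyone who reads this module; replace the `else` branch with `fail('tls::horizon::horizon: horizon secret_key missing from hiera')`. With `listen_ssl => $use_ssl` (true) and the port-80 vhost redirecting to https, `secure_cookies => false` and `allowed_hosts => '*'` give up the Secure cookie flag and Django's Host-header validation for no visible reason; `secure_cookies => true` and `allowed_hosts => [$public_virtual_ip, $servername]` are the expected settings if the dashboard is only reachable over 443, which the haproxy `horizon-ssl` listen suggests. As rendered, the first hunk still lists `$horizon_crt` and `$horizon_key` as parameters while the new line `$horizon_key = $tls::params::tls_key_file` reassigns one of them and `tls::controller` no longer passes either, which would fail catalog compilation either way (reassignment, or a required parameter without a value); please confirm the intended parameter list. `$wsgi_processes` and `$wsgi_threads` are passed to `::horizon::wsgi::apache` but are not assigned anywhere in the visible hunks; if they are not set in the lines between the two hunks they are passed as undef.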
|
||||
|
|
|
@ -1,74 +0,0 @@
|
|||
class tls::horizon::horizon_ha (
|
||||
$controllers,
|
||||
$public_virtual_ip,
|
||||
$internal_virtual_ip,
|
||||
) {
|
||||
|
||||
require tls::horizon::horizon
|
||||
include tls::params
|
||||
|
||||
Haproxy::Service { use_include => true }
|
||||
Haproxy::Balancermember { use_include => true }
|
||||
|
||||
$haproxy_config_options = {
|
||||
'option' => ['ssl-hello-chk', 'tcpka'],
|
||||
'stick-table' => 'type ip size 200k expire 30m',
|
||||
'stick' => 'on src',
|
||||
'balance' => 'source',
|
||||
'timeout' => ['client 3h', 'server 3h'],
|
||||
'mode' => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::listen { 'horizon-ssl':
|
||||
order => '017',
|
||||
ipaddress => $public_virtual_ip,
|
||||
ports => '443',
|
||||
options => $haproxy_config_options,
|
||||
mode => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::balancermember { 'horizon-ssl':
|
||||
order => '017',
|
||||
listening_service => 'horizon-tls',
|
||||
server_names => filter_hash($controllers, 'name'),
|
||||
ipaddresses => filter_hash($controllers, 'internal_address'),
|
||||
ports => '443',
|
||||
options => 'weight 1 check',
|
||||
define_cookies => false,
|
||||
define_backups => false,
|
||||
}
|
||||
|
||||
##################################################################################
|
||||
|
||||
$haproxy_config_options_nova = {
|
||||
'option' => ['ssl-hello-chk', 'tcpka'],
|
||||
'mode' => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::listen { 'nova-novncproxy':
|
||||
order => '170',
|
||||
ipaddress => $public_virtual_ip,
|
||||
ports => '6080',
|
||||
options => $haproxy_config_options_nova,
|
||||
mode => 'tcp',
|
||||
}
|
||||
|
||||
haproxy::balancermember { 'nova-novncproxy':
|
||||
order => '170',
|
||||
listening_service => 'horizon-tls',
|
||||
server_names => filter_hash($controllers, 'name'),
|
||||
ipaddresses => filter_hash($controllers, 'internal_address'),
|
||||
ports => '6080',
|
||||
options => 'check',
|
||||
define_cookies => false,
|
||||
define_backups => false,
|
||||
}
|
||||
######################################################################################
|
||||
|
||||
|
||||
service { 'haproxy':
|
||||
enable => true,
|
||||
ensure => running,
|
||||
}
|
||||
|
||||
}
|
|
@ -16,9 +16,4 @@ class tls::nova::novnc_controller (
|
|||
enable => true,
|
||||
ensure => running,
|
||||
}
|
||||
|
||||
service { $httpd_service:
|
||||
enable => true,
|
||||
ensure => running,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,30 +1,32 @@
|
|||
class tls::params {
|
||||
if $::osfamily == 'Debian' {
|
||||
$httpd_service_name = 'apache2'
|
||||
$httpd_service_name = 'apache2'
|
||||
$horizon_settings_file = '/etc/openstack-dashboard/local_settings.py'
|
||||
$usergroup = 'nogroup'
|
||||
$usergroup = 'nogroup'
|
||||
$nova_compute_service = 'nova-compute'
|
||||
$nova_novnc_service = 'nova-novncproxy'
|
||||
$apache_tls_path = '/etc/apache2/TLS'
|
||||
$tls_cert_file = '/etc/apache2/TLS/horizon.crt'
|
||||
$tls_key_file = '/etc/apache2/TLS/horizon.key'
|
||||
$nova_novnc_service = 'nova-novncproxy'
|
||||
$apache_tls_path = '/etc/apache2/TLS'
|
||||
$tls_cert_file = '/etc/apache2/TLS/horizon.crt'
|
||||
$tls_key_file = '/etc/apache2/TLS/horizon.key'
|
||||
$tls_ca_file = '/etc/apache2/TLS/horizon.ca'
|
||||
$root_url = '/horizon'
|
||||
$apache_conf_file = '/etc/apache2/conf-available/openstack-dashboard.conf'
|
||||
$apache_conf_file = '/etc/apache2/conf-available/openstack-dashboard.conf'
|
||||
$apache_vhost_file = '/etc/apache2/sites-available/openstack-dashboard.conf'
|
||||
$apache_port_file = '/etc/apache2/ports.conf'
|
||||
$apache_port_file = '/etc/apache2/ports.conf'
|
||||
} elsif($::osfamily == 'RedHat') {
|
||||
$httpd_service_name = 'httpd'
|
||||
$httpd_service_name = 'httpd'
|
||||
$horizon_settings_file = '/etc/openstack-dashboard/local_settings'
|
||||
$usergroup = 'nobody'
|
||||
$usergroup = 'nobody'
|
||||
$nova_compute_service = 'openstack-nova-compute'
|
||||
$nova_novnc_service = 'openstack-nova-novncproxy'
|
||||
$apache_tls_path = '/etc/httpd/TLS'
|
||||
$tls_cert_file = '/etc/httpd/TLS/horizon.crt'
|
||||
$tls_key_file = '/etc/httpd/TLS/horizon.key'
|
||||
$nova_novnc_service = 'openstack-nova-novncproxy'
|
||||
$apache_tls_path = '/etc/httpd/TLS'
|
||||
$tls_cert_file = '/etc/httpd/TLS/horizon.crt'
|
||||
$tls_key_file = '/etc/httpd/TLS/horizon.key'
|
||||
$tls_ca_file = '/etc/httpd/TLS/horizon.ca'
|
||||
$root_url = '/dashboard'
|
||||
$apache_conf_file = '/etc/httpd/conf.d/openstack-dashboard.conf'
|
||||
$apache_conf_file = '/etc/httpd/conf.d/openstack-dashboard.conf'
|
||||
$apache_vhost_file = '/etc/httpd/conf.d/ssl.conf'
|
||||
$apache_port_file = '/etc/httpd/conf.d/ports.conf'
|
||||
$apache_port_file = '/etc/httpd/conf.d/ports.conf'
|
||||
} else {
|
||||
fail("unsupported family ${::osfamily}")
|
||||
}
|
||||
|
|
|
@ -1,58 +0,0 @@
|
|||
#
|
||||
# This file autogenerated by Puppet
|
||||
# Do not edit, changes will be overwritten
|
||||
#
|
||||
<%
|
||||
if @memorysize_mb.to_i < 1200 or @processorcount.to_i <= 3
|
||||
wsgi_daemon_processes = 3
|
||||
wsgi_daemon_threads = 10
|
||||
else
|
||||
wsgi_daemon_processes = @processorcount
|
||||
wsgi_daemon_threads = 15
|
||||
end
|
||||
|
||||
if @osfamily == 'RedHat' %>
|
||||
WSGIDaemonProcess dashboard processes=<%= wsgi_daemon_processes %> threads=<%= wsgi_daemon_threads %>
|
||||
WSGIProcessGroup dashboard
|
||||
WSGISocketPrefix run/wsgi
|
||||
|
||||
WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
|
||||
Alias /static /usr/share/openstack-dashboard/static
|
||||
|
||||
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
|
||||
<IfModule mod_deflate.c>
|
||||
SetOutputFilter DEFLATE
|
||||
<IfModule mod_headers.c>
|
||||
# Make sure proxies don’t deliver the wrong content
|
||||
Header append Vary User-Agent env=!dont-vary
|
||||
</IfModule>
|
||||
</IfModule>
|
||||
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
|
||||
<Directory /usr/share/openstack-dashboard/static>
|
||||
<IfModule mod_expires.c>
|
||||
ExpiresActive On
|
||||
ExpiresDefault "access 6 month"
|
||||
</IfModule>
|
||||
<IfModule mod_deflate.c>
|
||||
SetOutputFilter DEFLATE
|
||||
</IfModule>
|
||||
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
<%
|
||||
end
|
||||
if @osfamily == 'Debian' %>
|
||||
WSGIScriptAlias /horizon /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
|
||||
WSGIDaemonProcess horizon user=horizon group=horizon processes=<%= wsgi_daemon_processes %> threads=<%= wsgi_daemon_threads %>
|
||||
WSGIProcessGroup horizon
|
||||
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
|
||||
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Directory>
|
||||
<% end %>
|
|
@ -1,21 +0,0 @@
|
|||
# If you just change the port or add more ports here, you will likely also
|
||||
# have to change the VirtualHost statement
|
||||
|
||||
NameVirtualHost *:80
|
||||
Listen <%= @bind_address %>:80
|
||||
|
||||
<% if @osfamily == 'RedHat' -%>
|
||||
NameVirtualHost *:443
|
||||
Listen <%= @bind_address %>:443
|
||||
<% else %>
|
||||
<IfModule mod_ssl.c>
|
||||
# Server Name Indication for SSL named virtual hosts is currently not
|
||||
# supported by MSIE on Windows XP.
|
||||
NameVirtualHost *:443
|
||||
Listen <%= @bind_address %>:443
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_gnutls.c>
|
||||
Listen <%= @bind_address %>:443
|
||||
</IfModule>
|
||||
<% end %>
|
|
@ -1,37 +0,0 @@
|
|||
#
|
||||
# This file autogenerated by Puppet
|
||||
# Do not edit, changes will be overwritten
|
||||
#
|
||||
|
||||
# SSL support
|
||||
<% if @osfamily == 'RedHat' -%>
|
||||
LoadModule ssl_module modules/mod_ssl.so
|
||||
<% end -%>
|
||||
|
||||
SSLPassPhraseDialog builtin
|
||||
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
|
||||
SSLSessionCacheTimeout 300
|
||||
SSLMutex default
|
||||
SSLRandomSeed startup file:/dev/urandom 256
|
||||
SSLRandomSeed connect builtin
|
||||
SSLCryptoDevice builtin
|
||||
|
||||
<% if @use_syslog -%>
|
||||
ErrorLog syslog:local1
|
||||
<% end -%>
|
||||
|
||||
<VirtualHost *:80>
|
||||
RedirectMatch permanent ^/$ <%= @root_url %>/
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTPS} off
|
||||
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
RedirectMatch permanent ^/$ <%= @root_url %>/
|
||||
SSLEngine on
|
||||
SSLProtocol +TLSv1
|
||||
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
|
||||
SSLCertificateFile <%= @ssl_cert_file %>
|
||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||
</VirtualHost>
|
|
@ -9,5 +9,5 @@
|
|||
# Learn more about module testing here:
|
||||
# http://docs.puppetlabs.com/guides/tests_smoke.html
|
||||
#
|
||||
include tls::controller_ha
|
||||
include tls::controller
|
||||
include tls::compute
|
||||
|
|
|
@ -9,5 +9,11 @@ attributes:
|
|||
value: ""
|
||||
label: "Key"
|
||||
description: "Certificate .key content"
|
||||
weight: 10
|
||||
weight: 11
|
||||
type: "password"
|
||||
horizon_ca:
|
||||
value: ""
|
||||
label: "CA"
|
||||
description: "Certificate .ca content"
|
||||
weight: 12
|
||||
type: "password"
|
|
@ -6,29 +6,24 @@ version: 1.0.0
|
|||
# Description
|
||||
description: Enables the Transport Layer Security (TLS) protocol to secure openstack
|
||||
# Required fuel version
|
||||
fuel_version: ['6.0']
|
||||
fuel_version: ['6.1']
|
||||
|
||||
authors: [Orange]
|
||||
licenses: [Apache License Version 2.0]
|
||||
homepage: https://github.com/stackforge/fuel-plugin-tls
|
||||
groups: []
|
||||
|
||||
# The plugin is compatible with releases in the list
|
||||
releases:
|
||||
- os: ubuntu
|
||||
version: 2014.2-6.0
|
||||
version: 2014.2-6.1
|
||||
mode: ['ha', 'multinode']
|
||||
deployment_scripts_path: deployment_scripts/
|
||||
repository_path: repositories/ubuntu
|
||||
- os: centos
|
||||
version: 2014.2-6.0
|
||||
mode: ['ha', 'multinode']
|
||||
deployment_scripts_path: deployment_scripts/
|
||||
repository_path: repositories/centos
|
||||
- os: ubuntu
|
||||
version: 2014.2-6.0.1
|
||||
mode: ['ha', 'multinode']
|
||||
deployment_scripts_path: deployment_scripts/
|
||||
repository_path: repositories/ubuntu
|
||||
- os: centos
|
||||
version: 2014.2-6.0.1
|
||||
version: 2014.2-6.1
|
||||
mode: ['ha', 'multinode']
|
||||
deployment_scripts_path: deployment_scripts/
|
||||
repository_path: repositories/centos
|
||||
# Version of plugin package
|
||||
package_version: '1.0.0'
|
||||
package_version: '2.0.0'
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
# Deployment is required for controllers
|
||||
- role: ['controller']
|
||||
stage: post_deployment
|
||||
- role: ['primary-controller','controller']
|
||||
stage: post_deployment/6003
|
||||
type: puppet
|
||||
parameters:
|
||||
puppet_manifest: puppet/manifests/site.pp
|
||||
puppet_modules: "puppet/modules/:/etc/puppet/modules/"
|
||||
timeout: 360
|
||||
- role: ['compute']
|
||||
stage: post_deployment
|
||||
stage: post_deployment/6004
|
||||
type: puppet
|
||||
parameters:
|
||||
puppet_manifest: puppet/manifests/site_compute.pp
|
||||
|
|