
migrate plugins from 1.0.0 to 2.0.0 package version

Change-Id: Ib7f3578a14a30c3bbd7b1bd9fa92cfd3aee7f193
sbartel 3 years ago

+ 35
- 7
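--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ Requirements
 
 | Requirement                      | Version/Comment                                         |
 |----------------------------------|---------------------------------------------------------|
-| Mirantis Openstack compatibility | 6.0                                                     |
+| Mirantis Openstack compatibility | 6.1                                                     |
 |----------------------------------|---------------------------------------------------------|
 | Crt & Key files                  | You have a crt & key files to provide before deployment |
 
@@ -43,20 +43,20 @@ Https plugin installation
 
     ``pip install fuel-plugin-builder``
 
-3. Build nova-nfs Fuel plugin:
+3. Build tls Fuel plugin:
 
    ``fpb --build fuel-plugin-tls/``
 
-4. The tls-<x.x.x>.fp file will be created in the plugin folder (fuel-plugin-tls)
+4. The tls-<x.x.x>.rpm file will be created in the plugin folder (fuel-plugin-tls)
 
 5. Move this file to the Fuel Master node with secure copy (scp):
 
-   ``scp tls-<x.x.x>.fp root@:<the_Fuel_Master_node_IP address>:/tmp``
+   ``scp tls-<x.x.x>.rpm root@:<the_Fuel_Master_node_IP address>:/tmp``
   ``cd /tmp``
 
-6. Install the nova-nfs plugin:
+6. Install the tls plugin:
 
-   ``fuel plugins --install tls-<x.x.x>.fp``
+   ``fuel plugins --install tls-<x.x.x>.rpm``
 
 6. Plugin is ready to use and can be enabled on the Settings tab of the Fuel web UI.
 
@@ -78,7 +78,7 @@ https plugin configuration
    - the certificate .key content
 
 	
-You must pass your .crt and .key files via fuel UI (settings tab)
+You must pass your .crt, .key, .ca files via fuel UI (settings tab)
 When you pass the content of the files in fuel ui, some "space" characters will appear, don't care about this puppet will remove it.
 
 CRT file must be in the following format : 
@@ -136,6 +136,30 @@ X43ceACVpWiv5DmBtEUrB8dbwxEJFaoPGqEswwdh1FDxzfsPdapyqGI5B8zRjnpa
 SR2QEYok/8lZeDgUOhXkGg==
 -----END PRIVATE KEY-----
 
+CA file must be in the following format : 
+
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAJHydV1v41XIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkZSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTUwMTMwMTAyNDU3WhcNMTYwMTMwMTAyNDU3WjBF
+MQswCQYDVQQGEwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAqwHssa1A2alSVh8ZZvKffGaix7mSFMDsFjUgPShqbAZ8xGQynvrHPel9
+A8E6ml0sGzHDwk8gobpu7k1wuMhcs7Np88xu5GtR1DhZWQ8MUGWHfflyjguMjtzF
+pZg4j0M14SE2INwwsRRtvC0/aeV1/q7HqfTk7+y01g/N4OKvYwndNp2lbSjBZZF4
+qbL9QD5iesOptxRryJ8tcm47i6hC4LTunz9pgVI13rtlOoqtXjf07ytMydBbzpeR
+4joaPAjbPf5ywf+I/n8XFxy6QPC9qAm2H3Gpo/5bb7+9S8AOhYqvWEKNotvyX1E8
+aiDLV+LHkL45Xpx47YBty6L8qNuejwIDAQABo1AwTjAdBgNVHQ4EFgQUVQNmpJDO
+w5eVB3yjU80NUZSKZlcwHwYDVR0jBBgwFoAUVQNmpJDOw5eVB3yjU80NUZSKZlcw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAqadjZT7kMXRf5bp14nfI
+20m6G/i5aHBo+0v+6lRtmk5wD/D6VsOh+R/HjjDDo68y/WEWXxQbuOYX+HZCABpf
+VTA4oLvY4t3gtzt9Q21VtK/l5e3yyxo2JBnsPqc5wmWDlNO8aImF+QrvovkuyTV5
+mX6suZgby4eTllmVzBNK/+FMuPlsSPwB8SxEbu04aOIcwbn4LCCZJZEG6INVGSS8
+SRg1iER8mu2Jf45JKkMFDqUhCUp/ejM2t686O7olqKtmF53rDSBnzhtabdgTIx3F
+RjCb281gwvwSgyFfUgt5TIIq1o/kci2N33zuxaifFVz6DtDxKegoZg73bUMg/OA2
+bg==
+-----END CERTIFICATE-----
+
 Here is a screenshot of the fields
 
 ![tls fields](./figures/tls-plugin.png "tls-fields")
@@ -159,6 +183,10 @@ None.
 Release Notes
 -------------
 
+**2.0.0**
+
+* migrate plugins from 1.0.0 to 2.0.0 package version
+
 **1.0.0**
 
 * Initial release of the plugin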

+ 16
- 27
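--- a/deployment_scripts/puppet/manifests/site.pp
+++ b/deployment_scripts/puppet/manifests/site.pp
@@ -1,30 +1,19 @@
-$fuel_settings 			= parseyaml(file('/etc/astute.yaml')) 
-$tls_hash    			  = $::fuel_settings['tls']
-$horizon_crt				= $tls_hash['horizon_crt']
-$horizon_key				= $tls_hash['horizon_key']
-$nodes_hash       			= $::fuel_settings['nodes']
-if ($::fuel_settings['deployment_mode'] == 'multinode') {   
-  $controller 				= filter_nodes($nodes_hash,'role','controller')
-  $controller_node_public 	= $controller[0]['public_address'] 
-	class  { 'tls::controller':
-    horizon_crt 	=>	$horizon_crt,
-	  horizon_key 	=>	$horizon_key,
-	  external_ip 	=>  $controller_node_public,
-	  bind_address  =>  $controller_node_public
-  }
-}
-else {
-	$controllers 			= concat(filter_nodes($nodes_hash,'role','primary-controller'), filter_nodes($nodes_hash,'role','controller'))
-	$public_virtual_ip  	= $::fuel_settings['public_vip']
-	$internal_virtual_ip 	= $::fuel_settings['management_vip']
-	class { 'tls::controller_ha':
-		controllers			=> $controllers,
-		public_virtual_ip	=> $public_virtual_ip,
-		internal_virtual_ip	=> $internal_virtual_ip,
-    horizon_crt   =>  $horizon_crt,
-    horizon_key   =>  $horizon_key,
-    external_ip   =>  $public_virtual_ip
-	}
+$tls_hash    			= hiera('tls')
+$horizon_crt			= $tls_hash['horizon_crt']
+$horizon_key			= $tls_hash['horizon_key']
+$horizon_ca				= $tls_hash['horizon_ca']
+$nodes_hash       		= hiera('nodes')
+$controllers 			= hiera('controllers')
+$public_virtual_ip  	= hiera('public_vip')
+$internal_virtual_ip 	= hiera('management_vip')
+class { 'tls::controller':
+	controllers			=> $controllers,
+	public_virtual_ip	=> $public_virtual_ip,
+	internal_virtual_ip	=> $internal_virtual_ip,
+    horizon_crt         =>  $horizon_crt,
+    horizon_key         =>  $horizon_key,
+    horizon_ca          =>  $horizon_ca,
+    external_ip         =>  $public_virtual_ip
 }
   
   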

+ 5
- 13
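--- a/deployment_scripts/puppet/manifests/site_compute.pp
+++ b/deployment_scripts/puppet/manifests/site_compute.pp
@@ -1,18 +1,10 @@
-$fuel_settings 			= parseyaml(file('/etc/astute.yaml'))
-$tls_hash    			  = $::fuel_settings['tls']
+$tls_hash    			  = hiera('tls')
 $horizon_crt				= $tls_hash['horizon_crt']
 $horizon_key				= $tls_hash['horizon_key']
-$nodes_hash       	= $::fuel_settings['nodes']
- 
-if ($::fuel_settings['deployment_mode'] == 'multinode') { 
-  $controller 	    = filter_nodes($nodes_hash,'role','controller')
-  $internal_ip 	    = $controller[0]['internal_address']
-  $public_ip 	      = $controller[0]['public_address'] 
-}
-else { 
-	$public_ip  	    = $::fuel_settings['public_vip']
-	$internal_ip 	    = $::fuel_settings['management_vip']
-}
+$nodes_hash       	= hiera('nodes')
+$public_ip  	      = hiera('public_vip')
+$internal_ip 	      = hiera('management_vip')
+
 class { 'tls::compute':
   public_virtual_ip   => $public_ip,
   internal_virtual_ip => $internal_ip,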
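Review bot: Both site_compute.pp and site.pp in this commit drop the `deployment_mode == 'multinode'` branch and read `hiera('public_vip')` / `hiera('management_vip')` (and `hiera('controllers')` in site.pp) unconditionally, while metadata.yaml in the same commit still advertises `mode: ['ha', 'multinode']` for every release. If a multinode deployment does not publish those hiera keys, the lookups raise and the whole task fails on the node; either drop `'multinode'` from metadata.yaml so the plugin cannot be enabled there, or give the lookups an explicit fallback for that mode. The `tls::compute` declaration continues past the end of the hunk.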

+ 8
- 1
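--- a/deployment_scripts/puppet/modules/tls/files/format.sh
+++ b/deployment_scripts/puppet/modules/tls/files/format.sh
@@ -2,7 +2,8 @@
 
 CRT=$1
 KEY=$2
-SSL_PATH=$3
+CA=$3
+SSL_PATH=$4
 ############################################################################################################################
 # Horizon part
 ############################################################################################################################
@@ -14,6 +15,12 @@ echo "-----BEGIN PRIVATE KEY-----" > $SSL_PATH/horizon.key
 echo $KEY  | awk -F "-----" '{ print $3}' | sed 's/ /\n/g' | sed '/^$/d' >> $SSL_PATH/horizon.key
 echo "-----END PRIVATE KEY-----" >> $SSL_PATH/horizon.key
 
+echo "-----BEGIN CERTIFICATE-----" > $SSL_PATH/horizon.ca
+echo $CA  | awk -F "-----" '{ print $3}' | sed 's/ /\n/g' | sed '/^$/d' >> $SSL_PATH/horizon.ca
+echo "-----END CERTIFICATE-----" >> $SSL_PATH/horizon.ca
+
+
+
 ############################################################################################################################
 # Nova part
 ############################################################################################################################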
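Review bot: The new horizon.ca block (lines 18–20) reuses the single-block extraction `awk -F "-----" '{ print $3}'`, which keeps only the body between the first BEGIN and END markers; a CA value that is a chain (root plus intermediates, several BEGIN/END pairs) is silently cut down to one certificate, and an empty `$CA` yields a file containing nothing but the two markers. If chains are expected, iterate over every `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` pair instead of taking field 3, and guard the whole block with a non-empty test on `$CA` so that an unset UI field does not produce a malformed file. The three trailing blank lines at 21–23 can be dropped.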

+ 21
- 11
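--- a/deployment_scripts/puppet/modules/tls/manifests/controller.pp
+++ b/deployment_scripts/puppet/modules/tls/manifests/controller.pp
@@ -1,9 +1,16 @@
 class tls::controller(
+  $controllers,
+  $public_virtual_ip,
+  $internal_virtual_ip,
   $horizon_crt,
   $horizon_key,
-  $external_ip,
-  $bind_address
+  $horizon_ca,
+  $external_ip
 ) {
+  $nodes_hash = hiera('nodes')
+  $node = filter_nodes($nodes_hash,'name',$::hostname)
+  $internal_address = $node[0]['internal_address']
+  $bind_address = $internal_address
   $server_hostname = $external_ip
   include tls::params
   $apache_tls_path = $tls::params::apache_tls_path
@@ -33,20 +40,23 @@ class tls::controller(
       require => File["$apache_tls_path"]
   }
   exec {'format.sh':
-       command => "bash -c \"format.sh \'${horizon_crt}\' \'${horizon_key}\' \'${apache_tls_path}\'\"",
+       command => "bash -c \"format.sh \'${horizon_crt}\' \'${horizon_key}\'  \'${horizon_ca}\' \'${apache_tls_path}\'\"",
       path => '/usr/sbin:/usr/bin:/sbin:/bin',
       require => File['format.sh'],
-       before  => File['openstack-dashboard.conf'],
   }
-  class { 'tls::horizon::horizon':
-    horizon_crt   =>  $horizon_crt,
-    horizon_key   =>  $horizon_key,
-    bind_address   =>  $bind_address
-  }  
   class { 'tls::nova::novnc_controller':
     server_hostname   =>  $server_hostname,
     novnc_service   =>  $tls::params::nova_novnc_service,
-    httpd_service   =>  $tls::params::httpd_service_name      
-  }  
+    httpd_service   =>  $tls::params::httpd_service_name
+  }->
+  class { 'tls::horizon::horizon':
+    bind_address   =>  $bind_address,
+    controllers           =>  $controllers,
+    public_virtual_ip     =>  $public_virtual_ip,
+    internal_virtual_ip   =>  $internal_virtual_ip,
+  }->  
+  exec { "ha_proxy_restart":
+    command => "/usr/sbin/crm resource restart p_haproxy",
+  }
 }
   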
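Review bot: Dropping `before  => File['openstack-dashboard.conf']` from `exec {'format.sh':}` leaves the exec with no ordering relation to `tls::horizon::horizon`, which in this commit is what hands `$tls::params::tls_cert_file`/`tls_key_file`/`tls_ca_file` to Apache; depending on the agent's ordering setting, the vhost can be written and the service restarted before horizon.crt/.key/.ca exist. Restore the ordering with `before  => Class['tls::horizon::horizon'],` on the exec. The `exec { "ha_proxy_restart": }` at new lines 58–60 has neither `refreshonly` nor `unless`, so `crm resource restart p_haproxy` runs on every agent run rather than only when the horizon configuration changed; chaining into it with `~>` and setting `refreshonly => true` limits the restart to real changes. Separately, the private key is still passed to format.sh as a command-line argument on line 43, where it is readable in the process table by other local users and can appear in Puppet's failure output — that predates this commit, but extending the same pattern to a new argument is a good moment to move the material to files with restricted permissions.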

+ 0
- 29
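--- a/deployment_scripts/puppet/modules/tls/manifests/controller_ha.pp
+++ b/deployment_scripts/puppet/modules/tls/manifests/controller_ha.pp
@@ -1,29 +0,0 @@
-class tls::controller_ha(
-  $controllers,
-  $public_virtual_ip,
-  $internal_virtual_ip,
-  $horizon_crt,
-  $horizon_key,
-  $external_ip
-) {
-  $nodes_hash = $::fuel_settings['nodes']
-  $node = filter_nodes($nodes_hash,'name',$::hostname)
-  $internal_address = $node[0]['internal_address']
-  $bind_address = $internal_address
-  class { 'tls::controller':
-    horizon_crt   =>  $horizon_crt,
-    horizon_key   =>  $horizon_key,
-    external_ip   =>  $external_ip,
-    bind_address   =>  $bind_address
-  }    
-  class { 'tls::horizon::horizon_ha':
-    controllers           =>  $controllers,
-    public_virtual_ip     =>  $public_virtual_ip,
-    internal_virtual_ip   =>  $internal_virtual_ip,
-  }
-  exec { "ha_proxy_restart":
-    command => "/usr/sbin/crm resource restart p_haproxy",
-    require => Class['tls::horizon::horizon_ha'],
-  }
-}
-  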

+ 161
- 32
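--- a/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon.pp
+++ b/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon.pp
@@ -1,13 +1,39 @@
 class tls::horizon::horizon(
-  $horizon_crt,
-  $horizon_key,
-  $bind_address,
+  $bind_address = '*',
+  $controllers,
+  $public_virtual_ip,
+  $internal_virtual_ip,
 ) {
   include tls::params
-
-  $root_url       = $tls::params::root_url
-  $ssl_cert_file  = $tls::params::tls_cert_file
-  $ssl_key_file   = $tls::params::tls_key_file
+  $ssl_port                       = 443
+  $horizon_hash                   = hiera_hash('horizon',{})
+  $root_url                       = $tls::params::root_url
+  $horizon_cert                   = $tls::params::tls_cert_file
+  $horizon_key                    = $tls::params::tls_key_file
+  $horizon_ca                     = $tls::params::tls_ca_file
+  $controller_internal_addresses  = nodes_to_hash($controllers,'name','internal_address')
+  $controller_nodes               = ipsort(values($controller_internal_addresses))
+  $cache_server_ip                = hiera('memcache_servers', $controller_nodes)
+  $cache_server_port              = hiera('memcache_server_port', '11211')
+  $swift                          = false
+  $neutron                        = hiera('use_neutron')
+  $horizon_app_links              = undef
+  $keystone_host                  = hiera('management_vip')
+  $keystone_scheme                = 'http'
+  $keystone_default_role          = '_member_'
+  $verbose                        = hiera('verbose', true)
+  $debug                          = hiera('debug')
+  $api_result_limit               = 1000
+  $package_ensure                 = hiera('horizon_package_ensure', 'installed')
+  $use_ssl                        = true
+  $use_syslog                     = hiera('use_syslog', true)
+  $log_level                      = 'WARNING'
+  $nova_quota                     = hiera('nova_quota')
+  $local_settings_template        = 'openstack/horizon/local_settings.py.erb'
+  $django_session_engine          = 'django.contrib.sessions.backends.cache'
+  $servername                     = hiera('public_vip')
+  $cache_backend                  = 'horizon.backends.memcached.HorizonMemcached'
+  $cache_options                  = ["'SOCKET_TIMEOUT': 1","'SERVER_RETRIES': 1","'DEAD_RETRY': 1"]
   
   #update horizon config file
   exec { "USE_SSL":
@@ -51,35 +77,138 @@ class tls::horizon::horizon(
     }
   }
 
-  #update apache config file 
-  file { 'openstack-dashboard.conf' :
-    ensure  => present,
-    path    => $tls::params::apache_conf_file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0755',
-    content => template('tls/openstack-dashboard.conf.erb'),
-    notify  => Service[$tls::params::httpd_service_name],
+  if $horizon_hash['secret_key'] {
+    $secret_key = $horizon_hash['secret_key']
+  } else {
+    $secret_key = 'dummy_secret_key'
   }
 
-  file { 'port.conf' :
-    ensure  => present,
-    path    => $tls::params::apache_port_file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0755',
-    content => template('tls/port.conf.erb'),
-    notify  => Service[$tls::params::httpd_service_name],
+  if $debug { #syslog and nondebug case
+    #We don't realy want django debug, it is too verbose.
+    $django_debug   = false
+    $django_verbose = false
+    $log_level_real = 'DEBUG'
+  } elsif $verbose {
+    $django_verbose = true
+    $django_debug   = false
+    $log_level_real = 'INFO'
+  } else {
+    $django_verbose = false
+    $django_debug   = false
+    $log_level_real = $log_level
   }
 
-  file { 'vhost.conf' :
-    ensure  => present,
-    path    => $tls::params::apache_vhost_file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0755',
-    content => template('tls/vhost.erb'),
-    notify  => Service[$tls::params::httpd_service_name],
+  apache::listen{ $ssl_port:}
+  apache::namevirtualhost{ "*:$ssl_port":}
+
+  class { '::horizon':
+    bind_address            => $bind_address,
+    cache_server_ip         => $cache_server_ip,
+    cache_server_port       => $cache_server_port,
+    cache_backend           => $cache_backend,
+    cache_options           => $cache_options,
+    secret_key              => $secret_key,
+    swift                   => $swift,
+    package_ensure          => $package_ensure,
+    horizon_app_links       => $horizon_app_links,
+    keystone_host           => $keystone_host,
+    keystone_scheme         => $keystone_scheme,
+    keystone_default_role   => $keystone_default_role,
+    django_debug            => $django_debug,
+    api_result_limit        => $api_result_limit,
+    listen_ssl              => $use_ssl,
+    log_level               => $log_level_real,
+    local_settings_template => $local_settings_template,
+    configure_apache        => false,
+    django_session_engine   => $django_session_engine,
+    allowed_hosts           => '*',
+    secure_cookies          => false,
+    horizon_cert           => $horizon_cert ,
+    horizon_key            => $horizon_key,
+    horizon_ca             => $horizon_ca
+  }
+
+  class { '::horizon::wsgi::apache':
+    priority       => false,
+    servername     => $public_virtual_ip,
+    bind_address   => $bind_address,
+    wsgi_processes => $wsgi_processes,
+    wsgi_threads   => $wsgi_threads,
+    horizon_cert           => $horizon_cert ,
+    horizon_key            => $horizon_key,
+    horizon_ca            => $horizon_ca,
+    listen_ssl     => $use_ssl,
+    extra_params      => {
+      default_vhost   => true,
+      add_listen      => false,
+      ssl_protocol    => '+TLSv1',
+      ssl_cipher      => 'HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM',
+      custom_fragment => template("openstack/horizon/wsgi_vhost_custom.erb"),
+    },
+  } ~>
+  Service[$::apache::params::service_name]
+
+  Haproxy::Service        { use_include => true }
+  Haproxy::Balancermember { use_include => true }
+
+  $haproxy_config_options = {
+   'option'      => ['ssl-hello-chk', 'tcpka'],
+   'stick-table' => 'type ip size 200k expire 30m',
+   'stick'       => 'on src',
+   'balance'     => 'source',
+   'timeout'     => ['client 3h', 'server 3h'],
+   'mode'        => 'tcp',
+  }
+
+  haproxy::listen { 'horizon-ssl':
+    order     => '017',
+    ipaddress => $public_virtual_ip,
+    ports     => '443',
+    options   => $haproxy_config_options,
+    mode      => 'tcp',
+  }
+
+  haproxy::balancermember { 'horizon-ssl':
+    order             => '017',
+    listening_service => 'horizon-tls',
+    server_names      => filter_hash($controllers, 'name'),
+    ipaddresses       => filter_hash($controllers, 'internal_address'),
+    ports             => '443',
+    options           => 'weight 1 check',
+    define_cookies    => false,
+    define_backups    => false,
+  }
+
+  ##################################################################################
+
+  $haproxy_config_options_nova = {
+   'option'      => ['ssl-hello-chk', 'tcpka'],
+   'mode'        => 'tcp',
+  }
+
+  haproxy::listen { 'nova-novncproxy':
+    order     => '170',
+    ipaddress => $public_virtual_ip,
+    ports     => '6080',
+    options   => $haproxy_config_options_nova,
+    mode      => 'tcp',
+  }
+
+  haproxy::balancermember { 'nova-novncproxy':
+    order             => '170',
+    listening_service => 'horizon-tls',
+    server_names      => filter_hash($controllers, 'name'),
+    ipaddresses       => filter_hash($controllers, 'internal_address'),
+    ports             => '6080',
+    options           => 'check',
+    define_cookies    => false,
+    define_backups    => false,
+  }
+  ######################################################################################
+
+  service { 'haproxy':
+    enable  => true,
+    ensure  => running,
   }
 
 }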
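Review bot: `allowed_hosts => '*'` and `secure_cookies => false` in the new `class { '::horizon': }` (new lines 124–125) undo part of what a TLS plugin exists to provide: with `listen_ssl` set to `$use_ssl` (true), the session and CSRF cookies should carry the Secure flag, and Django's Host-header check should be restricted to the public VIP/servername rather than disabled. The fallback `$secret_key = 'dummy_secret_key'` at line 83 gives every deployment whose hiera `horizon` hash lacks `secret_key` the same well-known Django SECRET_KEY, which is what protects session cookies from forgery; fail the catalog or derive a per-deployment value instead of a constant. `$wsgi_processes` and `$wsgi_threads` (lines 135–136) are never assigned in this class, so they are passed as undef — presumably the module defaults then apply, but that should be confirmed or the variables defined explicitly. `ssl_protocol => '+TLSv1'` (line 144) enables only TLS 1.0 in mod_ssl; `'all -SSLv2 -SSLv3'` lets newer TLS versions negotiate where the platform supports them.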

+ 0
- 74
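--- a/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon_ha.pp
+++ b/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon_ha.pp
@@ -1,74 +0,0 @@
-class tls::horizon::horizon_ha (
-  $controllers,
-  $public_virtual_ip,
-  $internal_virtual_ip,
-) {
-
-  require tls::horizon::horizon
-  include tls::params
-
-  Haproxy::Service        { use_include => true }
-  Haproxy::Balancermember { use_include => true }
-
-  $haproxy_config_options = {
-   'option'      => ['ssl-hello-chk', 'tcpka'],
-   'stick-table' => 'type ip size 200k expire 30m',
-   'stick'       => 'on src',
-   'balance'     => 'source',
-   'timeout'     => ['client 3h', 'server 3h'],
-   'mode'        => 'tcp',
-  }
-
-  haproxy::listen { 'horizon-ssl':
-    order     => '017',
-    ipaddress => $public_virtual_ip,
-    ports     => '443',
-    options   => $haproxy_config_options,
-    mode      => 'tcp',
-  }
-
-  haproxy::balancermember { 'horizon-ssl':
-    order             => '017',
-    listening_service => 'horizon-tls',
-    server_names      => filter_hash($controllers, 'name'),
-    ipaddresses       => filter_hash($controllers, 'internal_address'),
-    ports             => '443',
-    options           => 'weight 1 check',
-    define_cookies    => false,
-    define_backups    => false,
-  }
-  
-  ##################################################################################
-  
-  $haproxy_config_options_nova = {
-   'option'      => ['ssl-hello-chk', 'tcpka'],
-   'mode'        => 'tcp',
-  }
- 
-  haproxy::listen { 'nova-novncproxy':
-    order     => '170',
-    ipaddress => $public_virtual_ip,
-    ports     => '6080',
-    options   => $haproxy_config_options_nova,
-    mode      => 'tcp',
-  }
-
-  haproxy::balancermember { 'nova-novncproxy':
-    order             => '170',
-    listening_service => 'horizon-tls',
-    server_names      => filter_hash($controllers, 'name'),
-    ipaddresses       => filter_hash($controllers, 'internal_address'),
-    ports             => '6080',
-    options           => 'check',
-    define_cookies    => false,
-    define_backups    => false,
-  }
-  ######################################################################################
-
-  
-  service { 'haproxy':
-    enable  => true,
-    ensure  => running,
-  }
-
-}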

+ 1
- 6
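--- a/deployment_scripts/puppet/modules/tls/manifests/nova/novnc_controller.pp
+++ b/deployment_scripts/puppet/modules/tls/manifests/nova/novnc_controller.pp
@@ -16,9 +16,4 @@ class tls::nova::novnc_controller (
     enable  => true,
     ensure  => running,
   }
-
-  service { $httpd_service:
-    enable  => true,
-    ensure  => running,
-  }
-}
+}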

+ 18
- 16
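--- a/deployment_scripts/puppet/modules/tls/manifests/params.pp
+++ b/deployment_scripts/puppet/modules/tls/manifests/params.pp
@@ -1,30 +1,32 @@
 class tls::params {
   if $::osfamily == 'Debian' {
-    $httpd_service_name 	= 'apache2'
+    $httpd_service_name 	  = 'apache2'
     $horizon_settings_file 	= '/etc/openstack-dashboard/local_settings.py'
-    $usergroup 				= 'nogroup'
+    $usergroup 				      = 'nogroup'
 	  $nova_compute_service 	= 'nova-compute'
-	  $nova_novnc_service 	= 'nova-novncproxy'
-    $apache_tls_path 		= '/etc/apache2/TLS'
-    $tls_cert_file			= '/etc/apache2/TLS/horizon.crt'
-    $tls_key_file			= '/etc/apache2/TLS/horizon.key'
+	  $nova_novnc_service 	  = 'nova-novncproxy'
+    $apache_tls_path 		    = '/etc/apache2/TLS'
+    $tls_cert_file			    = '/etc/apache2/TLS/horizon.crt'
+    $tls_key_file			      = '/etc/apache2/TLS/horizon.key'
+    $tls_ca_file            = '/etc/apache2/TLS/horizon.ca'
     $root_url               = '/horizon'	
-    $apache_conf_file 		= '/etc/apache2/conf-available/openstack-dashboard.conf'
+    $apache_conf_file 		  = '/etc/apache2/conf-available/openstack-dashboard.conf'
     $apache_vhost_file      = '/etc/apache2/sites-available/openstack-dashboard.conf'
-    $apache_port_file		= '/etc/apache2/ports.conf'	
+    $apache_port_file		    = '/etc/apache2/ports.conf'	
   } elsif($::osfamily == 'RedHat') {
-    $httpd_service_name 	= 'httpd'
+    $httpd_service_name 	  = 'httpd'
     $horizon_settings_file 	= '/etc/openstack-dashboard/local_settings'
-    $usergroup 				= 'nobody'
+    $usergroup 				      = 'nobody'
     $nova_compute_service 	= 'openstack-nova-compute'
-    $nova_novnc_service 	= 'openstack-nova-novncproxy'	
-    $apache_tls_path 		= '/etc/httpd/TLS'
-    $tls_cert_file			= '/etc/httpd/TLS/horizon.crt'
-    $tls_key_file			= '/etc/httpd/TLS/horizon.key'
+    $nova_novnc_service 	  = 'openstack-nova-novncproxy'	
+    $apache_tls_path 		    = '/etc/httpd/TLS'
+    $tls_cert_file			    = '/etc/httpd/TLS/horizon.crt'
+    $tls_key_file			      = '/etc/httpd/TLS/horizon.key'
+    $tls_ca_file            = '/etc/httpd/TLS/horizon.ca'
     $root_url               = '/dashboard'	
-    $apache_conf_file 		= '/etc/httpd/conf.d/openstack-dashboard.conf'
+    $apache_conf_file 		  = '/etc/httpd/conf.d/openstack-dashboard.conf'
     $apache_vhost_file      = '/etc/httpd/conf.d/ssl.conf'
-    $apache_port_file		= '/etc/httpd/conf.d/ports.conf'	
+    $apache_port_file		    = '/etc/httpd/conf.d/ports.conf'	
   } else {
     fail("unsupported family ${::osfamily}")
   }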

+ 0
- 58
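--- a/deployment_scripts/puppet/modules/tls/templates/openstack-dashboard.conf.erb
+++ b/deployment_scripts/puppet/modules/tls/templates/openstack-dashboard.conf.erb
@@ -1,58 +0,0 @@
-#
-# This file autogenerated by Puppet
-# Do not edit, changes will be overwritten
-#
-<%
-if @memorysize_mb.to_i < 1200 or @processorcount.to_i <= 3
-  wsgi_daemon_processes = 3
-  wsgi_daemon_threads = 10
-else
-  wsgi_daemon_processes = @processorcount
-  wsgi_daemon_threads = 15
-end
-
-if @osfamily == 'RedHat' %>
-WSGIDaemonProcess dashboard processes=<%= wsgi_daemon_processes %> threads=<%= wsgi_daemon_threads %>
-WSGIProcessGroup dashboard
-WSGISocketPrefix run/wsgi
-
-WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
-Alias /static /usr/share/openstack-dashboard/static
-
-<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
-  <IfModule mod_deflate.c>
-    SetOutputFilter DEFLATE
-    <IfModule mod_headers.c>
-      # Make sure proxies don’t deliver the wrong content
-      Header append Vary User-Agent env=!dont-vary
-    </IfModule>
-  </IfModule>
-
-  Order allow,deny
-  Allow from all
-</Directory>
-
-<Directory /usr/share/openstack-dashboard/static>
-  <IfModule mod_expires.c>
-    ExpiresActive On
-    ExpiresDefault "access 6 month"
-  </IfModule>
-  <IfModule mod_deflate.c>
-    SetOutputFilter DEFLATE
-  </IfModule>
-
-  Order allow,deny
-  Allow from all
-</Directory>
-<%
-end
-if @osfamily == 'Debian' %>
-WSGIScriptAlias /horizon /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
-WSGIDaemonProcess horizon user=horizon group=horizon processes=<%= wsgi_daemon_processes %> threads=<%= wsgi_daemon_threads %>
-WSGIProcessGroup horizon
-Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
-<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
-  Order allow,deny
-  Allow from all
-</Directory>
-<% end %>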

+ 0
- 21
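--- a/deployment_scripts/puppet/modules/tls/templates/port.conf.erb
+++ b/deployment_scripts/puppet/modules/tls/templates/port.conf.erb
@@ -1,21 +0,0 @@
-# If you just change the port or add more ports here, you will likely also
-# have to change the VirtualHost statement
-
-NameVirtualHost *:80
-Listen <%= @bind_address %>:80
-
-<% if @osfamily == 'RedHat' -%>
-NameVirtualHost *:443
-Listen <%= @bind_address %>:443
-<% else %>
-<IfModule mod_ssl.c>
-    # Server Name Indication for SSL named virtual hosts is currently not
-    # supported by MSIE on Windows XP.
-    NameVirtualHost *:443
-    Listen <%= @bind_address %>:443
-</IfModule>
-
-<IfModule mod_gnutls.c>
-    Listen <%= @bind_address %>:443
-</IfModule>
-<% end %>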

+ 0
- 37
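--- a/deployment_scripts/puppet/modules/tls/templates/vhost.erb
+++ b/deployment_scripts/puppet/modules/tls/templates/vhost.erb
@@ -1,37 +0,0 @@
-#
-# This file autogenerated by Puppet
-# Do not edit, changes will be overwritten
-#
-
-# SSL support
-<% if @osfamily == 'RedHat' -%>
-LoadModule ssl_module modules/mod_ssl.so
-<% end -%>
-
-SSLPassPhraseDialog  builtin
-SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout  300
-SSLMutex default
-SSLRandomSeed startup file:/dev/urandom  256
-SSLRandomSeed connect builtin
-SSLCryptoDevice builtin
-
-<% if @use_syslog -%>
-ErrorLog syslog:local1
-<% end -%>
-
-<VirtualHost *:80>
-  RedirectMatch permanent ^/$ <%= @root_url %>/
-  RewriteEngine On
-  RewriteCond %{HTTPS} off
-  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
-</VirtualHost>
-
-<VirtualHost *:443>
-  RedirectMatch permanent ^/$ <%= @root_url %>/
-  SSLEngine on
-  SSLProtocol +TLSv1
-  SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
-  SSLCertificateFile <%= @ssl_cert_file %>
-  SSLCertificateKeyFile <%= @ssl_key_file %>
-</VirtualHost>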

+ 1
- 1
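--- a/deployment_scripts/puppet/modules/tls/tests/init.pp
+++ b/deployment_scripts/puppet/modules/tls/tests/init.pp
@@ -9,5 +9,5 @@
 # Learn more about module testing here:
 # http://docs.puppetlabs.com/guides/tests_smoke.html
 #
-include tls::controller_ha
+include tls::controller
 include tls::compute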

+ 7
- 1
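--- a/environment_config.yaml
+++ b/environment_config.yaml
@@ -9,5 +9,11 @@ attributes:
     value: ""
     label: "Key"
     description: "Certificate .key content"
-    weight: 10
+    weight: 11
+    type: "password"
+  horizon_ca:
+    value: ""
+    label: "CA"
+    description: "Certificate .ca content"
+    weight: 12
     type: "password"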
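Review bot: `horizon_ca` is added with `value: ""` and no validation, and nothing downstream in this commit treats an empty CA as optional: format.sh always writes horizon.ca from its third argument, and tls::horizon::horizon always passes `$tls::params::tls_ca_file` to `::horizon`, so an operator who leaves the new field blank ends up with a horizon.ca consisting only of the BEGIN/END markers. Either make the CA optional where it is consumed, or reject an empty or non-PEM value here with a `regex` entry that requires a `-----BEGIN CERTIFICATE-----` block. Typing the CA certificate as `type: "password"` also hides a value that is not secret, which makes a pasted chain harder for the operator to check in the UI.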

+ 9
- 14
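--- a/metadata.yaml
+++ b/metadata.yaml
@@ -6,29 +6,24 @@ version: 1.0.0
 # Description
 description: Enables the Transport Layer Security (TLS) protocol to secure openstack
 # Required fuel version
-fuel_version: ['6.0']
+fuel_version: ['6.1']
+
+authors: [Orange]
+licenses: [Apache License Version 2.0]
+homepage: https://github.com/stackforge/fuel-plugin-tls
+groups: []
 
 # The plugin is compatible with releases in the list
 releases:
   - os: ubuntu
-    version: 2014.2-6.0
-    mode: ['ha', 'multinode']
-    deployment_scripts_path: deployment_scripts/
-    repository_path: repositories/ubuntu
-  - os: centos
-    version: 2014.2-6.0
-    mode: ['ha', 'multinode']
-    deployment_scripts_path: deployment_scripts/
-    repository_path: repositories/centos
-  - os: ubuntu
-    version: 2014.2-6.0.1
+    version: 2014.2-6.1
     mode: ['ha', 'multinode']
     deployment_scripts_path: deployment_scripts/
     repository_path: repositories/ubuntu
   - os: centos
-    version: 2014.2-6.0.1
+    version: 2014.2-6.1
     mode: ['ha', 'multinode']
     deployment_scripts_path: deployment_scripts/
     repository_path: repositories/centos
 # Version of plugin package
-package_version: '1.0.0'
+package_version: '2.0.0'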

+ 3
- 3
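--- a/tasks.yaml
+++ b/tasks.yaml
@@ -1,13 +1,13 @@
 # Deployment is required for controllers
-- role: ['controller']
-  stage: post_deployment
+- role: ['primary-controller','controller']
+  stage: post_deployment/6003
   type: puppet
   parameters:
     puppet_manifest: puppet/manifests/site.pp
     puppet_modules:  "puppet/modules/:/etc/puppet/modules/"
     timeout: 360
 - role: ['compute']
-  stage: post_deployment
+  stage: post_deployment/6004
   type: puppet
   parameters:
     puppet_manifest: puppet/manifests/site_compute.pp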
