Refactor SSL setup to use CA to sign certificates
Users can now use Packstack generated CA or provide Subordinate CA to packstack to sign certificates used by OpenStack. Resolves: rhbz#1163866 Change-Id: Idd89dbb7f197a194fd87576be6d95a75d059231e
This commit is contained in:
parent
41f3e9e86c
commit
1c0c36bf40
@ -104,6 +104,43 @@ Global Options
|
|||||||
**CONFIG_USE_SUBNETS**
|
**CONFIG_USE_SUBNETS**
|
||||||
Specify 'y' if you want to use subnet addresses (in CIDR format) instead of interface names in following options: CONFIG_NOVA_COMPUTE_PRIVIF, CONFIG_NOVA_NETWORK_PRIVIF, CONFIG_NOVA_NETWORK_PUBIF, CONFIG_NEUTRON_OVS_BRIDGE_IFACES, CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS, CONFIG_NEUTRON_OVS_TUNNEL_IF. This is useful for cases when interface names are not same on all installation hosts.
|
Specify 'y' if you want to use subnet addresses (in CIDR format) instead of interface names in following options: CONFIG_NOVA_COMPUTE_PRIVIF, CONFIG_NOVA_NETWORK_PRIVIF, CONFIG_NOVA_NETWORK_PUBIF, CONFIG_NEUTRON_OVS_BRIDGE_IFACES, CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS, CONFIG_NEUTRON_OVS_TUNNEL_IF. This is useful for cases when interface names are not same on all installation hosts.
|
||||||
|
|
||||||
|
SSL setup
|
||||||
|
---------
|
||||||
|
Packstack supports ability to be get CA certificate and use it to sign all certificates used in Openstack deployment. Standard workflow for this would be creating Subordinate CA. If Root CA is given to Packstack it is not safe to use it for anything else. If no CA is provided and CONFIG_SSL_CACERT_SELFSIGN is set to 'y' Packstack will use Selfsigned CA.
|
||||||
|
|
||||||
|
**CONFIG_SSL_CERT_DIR**
|
||||||
|
Enter the path to use to store generated SSL certificates in.
|
||||||
|
|
||||||
|
**CONFIG_SSL_CACERT_FILE**
|
||||||
|
Specify filepath for CA cert file. If CONFIG_SSL_CACERT_SELFSIGN is set to 'n' it has to be preexisting file.
|
||||||
|
|
||||||
|
**CONFIG_SSL_CACERT_KEY_FILE**
|
||||||
|
Specify filepath for CA cert key file. If CONFIG_SSL_CACERT_SELFSIGN is set to 'n' it has to be preexisting file.
|
||||||
|
|
||||||
|
**CONFIG_SSL_CACERT_SELFSIGN**
|
||||||
|
Specify 'y' if you want Packstack to pregenerate the CA Certificate.
|
||||||
|
|
||||||
|
SSL selfsigned CACert options
|
||||||
|
-----------------------------
|
||||||
|
|
||||||
|
**CONFIG_SELFSIGN_CACERT_SUBJECT_C**
|
||||||
|
Enter the selfsigned CAcert subject country.
|
||||||
|
|
||||||
|
**CONFIG_SELFSIGN_CACERT_SUBJECT_ST**
|
||||||
|
Enter the selfsigned CAcert subject state.
|
||||||
|
|
||||||
|
**CONFIG_SELFSIGN_CACERT_SUBJECT_L**
|
||||||
|
Enter the selfsigned CAcert subject location.
|
||||||
|
|
||||||
|
**CONFIG_SELFSIGN_CACERT_SUBJECT_O**
|
||||||
|
Enter the selfsigned CAcert subject organization.
|
||||||
|
|
||||||
|
**CONFIG_SELFSIGN_CACERT_SUBJECT_OU**
|
||||||
|
Enter the selfsigned CAcert subject organizational unit.
|
||||||
|
|
||||||
|
**CONFIG_SELFSIGN_CACERT_SUBJECT_CN**
|
||||||
|
Enter the selfsigned CAcert subject common name.
|
||||||
|
|
||||||
vCenter Config Parameters
|
vCenter Config Parameters
|
||||||
-------------------------
|
-------------------------
|
||||||
|
|
||||||
@ -227,21 +264,6 @@ AMQP Config SSL parameters
|
|||||||
**CONFIG_AMQP_NSS_CERTDB_PW**
|
**CONFIG_AMQP_NSS_CERTDB_PW**
|
||||||
Password for the NSS certificate database of the AMQP service.
|
Password for the NSS certificate database of the AMQP service.
|
||||||
|
|
||||||
**CONFIG_AMQP_SSL_PORT**
|
|
||||||
Port on which the AMQP service listens for SSL connections.
|
|
||||||
|
|
||||||
**CONFIG_AMQP_SSL_CACERT_FILE**
|
|
||||||
File name of the CAcertificate that the AMQP service will use for verification.
|
|
||||||
|
|
||||||
**CONFIG_AMQP_SSL_CERT_FILE**
|
|
||||||
File name of the certificate that the AMQP service will use for verification.
|
|
||||||
|
|
||||||
**CONFIG_AMQP_SSL_KEY_FILE**
|
|
||||||
File name of the private key that the AMQP service will use for verification.
|
|
||||||
|
|
||||||
**CONFIG_AMQP_SSL_SELF_SIGNED**
|
|
||||||
Specify 'y' to automatically generate a self-signed SSL certificate and key. ['y', 'n']
|
|
||||||
|
|
||||||
AMQP Config Athentication parameters
|
AMQP Config Athentication parameters
|
||||||
------------------------------------
|
------------------------------------
|
||||||
|
|
||||||
@ -687,6 +709,12 @@ Nova Options
|
|||||||
**CONFIG_NOVA_COMPUTE_MANAGER**
|
**CONFIG_NOVA_COMPUTE_MANAGER**
|
||||||
Manager that runs the Compute service.
|
Manager that runs the Compute service.
|
||||||
|
|
||||||
|
**CONFIG_VNC_SSL_CERT**
|
||||||
|
PEM encoded certificate to be used for ssl on the https server, leave blank if one should be generated, this certificate should not require a passphrase. If CONFIG_HORIZON_SSL is set to 'n' this parameter is ignored.
|
||||||
|
|
||||||
|
**CONFIG_VNC_SSL_KEY**
|
||||||
|
SSL keyfile corresponding to the certificate if one was entered. If CONFIG_HORIZON_SSL is set to 'n' this parameter is ignored.
|
||||||
|
|
||||||
Nova Network Options
|
Nova Network Options
|
||||||
--------------------
|
--------------------
|
||||||
|
|
||||||
@ -816,13 +844,13 @@ OpenStack Horizon Config parameters
|
|||||||
SSL Config parameters
|
SSL Config parameters
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
**CONFIG_SSL_CERT**
|
**CONFIG_HORIZON_SSL_CERT**
|
||||||
PEM-encoded certificate to be used for SSL connections on the https server (the certificate should not require a passphrase). To generate a certificate, leave blank.
|
PEM-encoded certificate to be used for SSL connections on the https server (the certificate should not require a passphrase). To generate a certificate, leave blank.
|
||||||
|
|
||||||
**CONFIG_SSL_KEY**
|
**CONFIG_HORIZON_SSL_KEY**
|
||||||
SSL keyfile corresponding to the certificate if one was specified.
|
SSL keyfile corresponding to the certificate if one was specified.
|
||||||
|
|
||||||
**CONFIG_SSL_CACHAIN**
|
**CONFIG_HORIZON_SSL_CACHAIN**
|
||||||
PEM-encoded CA certificates from which the certificate chain of the server certificate can be assembled.
|
PEM-encoded CA certificates from which the certificate chain of the server certificate can be assembled.
|
||||||
|
|
||||||
OpenStack Swift Config parameters
|
OpenStack Swift Config parameters
|
||||||
|
@ -32,7 +32,8 @@ __all__ = ('ParamValidationError', 'validate_integer', 'validate_float',
|
|||||||
'validate_multi_ip', 'validate_file', 'validate_ping',
|
'validate_multi_ip', 'validate_file', 'validate_ping',
|
||||||
'validate_multi_ping', 'validate_ssh', 'validate_multi_ssh',
|
'validate_multi_ping', 'validate_ssh', 'validate_multi_ssh',
|
||||||
'validate_sshkey', 'validate_ldap_url', 'validate_ldap_dn',
|
'validate_sshkey', 'validate_ldap_url', 'validate_ldap_dn',
|
||||||
'validate_export', 'validate_multi_export')
|
'validate_export', 'validate_multi_export',
|
||||||
|
'validate_writeable_directory')
|
||||||
|
|
||||||
|
|
||||||
def validate_integer(param, options=None):
|
def validate_integer(param, options=None):
|
||||||
@ -197,6 +198,23 @@ def validate_file(param, options=None):
|
|||||||
raise ParamValidationError(msg % param)
|
raise ParamValidationError(msg % param)
|
||||||
|
|
||||||
|
|
||||||
|
def validate_writeable_directory(param, options=None):
|
||||||
|
"""
|
||||||
|
Raises ParamValidationError if provided directory does not exist or
|
||||||
|
is not writeable.
|
||||||
|
"""
|
||||||
|
if not param:
|
||||||
|
return
|
||||||
|
|
||||||
|
options = options or []
|
||||||
|
if not ((os.path.isdir(param) and os.access(param, os.W_OK)) or
|
||||||
|
os.access(os.path.join(param, os.pardir), os.W_OK)):
|
||||||
|
logging.debug('validate_writeable_directory(%s, options=%s) failed.' %
|
||||||
|
(param, options))
|
||||||
|
msg = 'Given directory does not exist or is not writeable: %s'
|
||||||
|
raise ParamValidationError(msg % param)
|
||||||
|
|
||||||
|
|
||||||
def validate_ping(param, options=None):
|
def validate_ping(param, options=None):
|
||||||
"""
|
"""
|
||||||
Raises ParamValidationError if provided host does not answer to ICMP
|
Raises ParamValidationError if provided host does not answer to ICMP
|
||||||
|
@ -14,7 +14,10 @@
|
|||||||
import os
|
import os
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
|
from OpenSSL import crypto
|
||||||
|
from time import time
|
||||||
from packstack.installer import basedefs
|
from packstack.installer import basedefs
|
||||||
|
from packstack.installer import utils
|
||||||
from packstack.installer.setup_controller import Controller
|
from packstack.installer.setup_controller import Controller
|
||||||
|
|
||||||
controller = Controller()
|
controller = Controller()
|
||||||
@ -84,6 +87,73 @@ def createFirewallResources(hiera_key, default_value='{}'):
|
|||||||
return "create_resources(packstack::firewall, %s)\n\n" % hiera_function
|
return "create_resources(packstack::firewall, %s)\n\n" % hiera_function
|
||||||
|
|
||||||
|
|
||||||
|
def generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file):
|
||||||
|
"""
|
||||||
|
Wrapper on top of openssl
|
||||||
|
"""
|
||||||
|
# We have to check whether the certificate already exists
|
||||||
|
cert_dir = os.path.join(config['CONFIG_SSL_CERT_DIR'], 'certs')
|
||||||
|
local_cert_name = host + os.path.basename(ssl_cert_file)
|
||||||
|
local_cert_path = os.path.join(cert_dir, local_cert_name)
|
||||||
|
if not os.path.exists(local_cert_path):
|
||||||
|
ca_file = open(config['CONFIG_SSL_CACERT_FILE'], 'rt').read()
|
||||||
|
ca_key_file = open(config['CONFIG_SSL_CACERT_KEY_FILE'], 'rt').read()
|
||||||
|
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file)
|
||||||
|
ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_file)
|
||||||
|
|
||||||
|
k = crypto.PKey()
|
||||||
|
k.generate_key(crypto.TYPE_RSA, 4096)
|
||||||
|
mail = config['CONFIG_SELFSIGN_CACERT_SUBJECT_MAIL']
|
||||||
|
hostinfo = config['HOST_DETAILS'][host]
|
||||||
|
fqdn = hostinfo['fqdn']
|
||||||
|
cert = crypto.X509()
|
||||||
|
subject = cert.get_subject()
|
||||||
|
subject.C = config['CONFIG_SELFSIGN_CACERT_SUBJECT_C']
|
||||||
|
subject.ST = config['CONFIG_SELFSIGN_CACERT_SUBJECT_ST']
|
||||||
|
subject.L = config['CONFIG_SELFSIGN_CACERT_SUBJECT_L']
|
||||||
|
subject.O = config['CONFIG_SELFSIGN_CACERT_SUBJECT_O']
|
||||||
|
subject.OU = config['CONFIG_SELFSIGN_CACERT_SUBJECT_OU']
|
||||||
|
subject.CN = "%s/%s" % (service, fqdn)
|
||||||
|
subject.emailAddress = mail
|
||||||
|
|
||||||
|
cert.add_extensions([
|
||||||
|
crypto.X509Extension(
|
||||||
|
"keyUsage".encode('ascii'),
|
||||||
|
False,
|
||||||
|
"nonRepudiation,digitalSignature,keyEncipherment".encode('ascii')),
|
||||||
|
crypto.X509Extension(
|
||||||
|
"extendedKeyUsage".encode('ascii'),
|
||||||
|
False,
|
||||||
|
"clientAuth,serverAuth".encode('ascii')),
|
||||||
|
])
|
||||||
|
|
||||||
|
cert.gmtime_adj_notBefore(0)
|
||||||
|
cert.gmtime_adj_notAfter(315360000)
|
||||||
|
cert.set_issuer(ca.get_subject())
|
||||||
|
cert.set_pubkey(k)
|
||||||
|
serial = int(time())
|
||||||
|
cert.set_serial_number(serial)
|
||||||
|
cert.sign(ca_key, 'sha1')
|
||||||
|
|
||||||
|
final_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
|
||||||
|
final_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
|
||||||
|
deliver_ssl_file(ca_file, config['CONFIG_SSL_CACERT_FILE'], host)
|
||||||
|
deliver_ssl_file(final_cert, ssl_cert_file, host)
|
||||||
|
deliver_ssl_file(final_key, ssl_key_file, host)
|
||||||
|
|
||||||
|
with open(local_cert_path, 'w') as f:
|
||||||
|
f.write(final_cert)
|
||||||
|
|
||||||
|
|
||||||
|
def deliver_ssl_file(content, path, host):
|
||||||
|
server = utils.ScriptRunner(host)
|
||||||
|
server.append("grep -- '{content}' {path} || "
|
||||||
|
"echo '{content}' > {path} ".format(
|
||||||
|
content=content,
|
||||||
|
path=path))
|
||||||
|
server.execute()
|
||||||
|
|
||||||
|
|
||||||
def gethostlist(CONF):
|
def gethostlist(CONF):
|
||||||
hosts = []
|
hosts = []
|
||||||
for key, value in CONF.items():
|
for key, value in CONF.items():
|
||||||
|
@ -26,6 +26,7 @@ from packstack.modules.documentation import update_params_usage
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------- AMQP Packstack Plugin Initialization --------------
|
# ------------- AMQP Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -106,68 +107,6 @@ def initConfig(controller):
|
|||||||
"USE_DEFAULT": False,
|
"USE_DEFAULT": False,
|
||||||
"NEED_CONFIRM": True,
|
"NEED_CONFIRM": True,
|
||||||
"CONDITION": False},
|
"CONDITION": False},
|
||||||
|
|
||||||
{"CMD_OPTION": "amqp-ssl-port",
|
|
||||||
"PROMPT": "Enter the SSL port for the AMQP service",
|
|
||||||
"OPTION_LIST": [],
|
|
||||||
"VALIDATORS": [validators.validate_not_empty],
|
|
||||||
"DEFAULT_VALUE": "5671",
|
|
||||||
"MASK_INPUT": False,
|
|
||||||
"LOOSE_VALIDATION": True,
|
|
||||||
"CONF_NAME": "CONFIG_AMQP_SSL_PORT",
|
|
||||||
"USE_DEFAULT": False,
|
|
||||||
"NEED_CONFIRM": False,
|
|
||||||
"CONDITION": False},
|
|
||||||
|
|
||||||
{"CMD_OPTION": "amqp-ssl-cacert-file",
|
|
||||||
"PROMPT": ("Enter the filename of the SSL CAcertificate for the AMQP"
|
|
||||||
" service"),
|
|
||||||
"OPTION_LIST": [],
|
|
||||||
"VALIDATORS": [validators.validate_not_empty],
|
|
||||||
"DEFAULT_VALUE": "/etc/pki/tls/certs/amqp_selfcert.pem",
|
|
||||||
"MASK_INPUT": False,
|
|
||||||
"LOOSE_VALIDATION": True,
|
|
||||||
"CONF_NAME": "CONFIG_AMQP_SSL_CACERT_FILE",
|
|
||||||
"USE_DEFAULT": False,
|
|
||||||
"NEED_CONFIRM": False,
|
|
||||||
"CONDITION": False},
|
|
||||||
|
|
||||||
{"CMD_OPTION": "amqp-ssl-cert-file",
|
|
||||||
"PROMPT": ("Enter the filename of the SSL certificate for the AMQP "
|
|
||||||
"service"),
|
|
||||||
"OPTION_LIST": [],
|
|
||||||
"VALIDATORS": [validators.validate_not_empty],
|
|
||||||
"DEFAULT_VALUE": "/etc/pki/tls/certs/amqp_selfcert.pem",
|
|
||||||
"MASK_INPUT": False,
|
|
||||||
"LOOSE_VALIDATION": True,
|
|
||||||
"CONF_NAME": "CONFIG_AMQP_SSL_CERT_FILE",
|
|
||||||
"USE_DEFAULT": False,
|
|
||||||
"NEED_CONFIRM": False,
|
|
||||||
"CONDITION": False},
|
|
||||||
|
|
||||||
{"CMD_OPTION": "amqp-ssl-key-file",
|
|
||||||
"PROMPT": "Enter the private key filename",
|
|
||||||
"OPTION_LIST": [],
|
|
||||||
"VALIDATORS": [validators.validate_not_empty],
|
|
||||||
"DEFAULT_VALUE": "/etc/pki/tls/private/amqp_selfkey.pem",
|
|
||||||
"MASK_INPUT": False,
|
|
||||||
"LOOSE_VALIDATION": True,
|
|
||||||
"CONF_NAME": "CONFIG_AMQP_SSL_KEY_FILE",
|
|
||||||
"USE_DEFAULT": False,
|
|
||||||
"NEED_CONFIRM": False,
|
|
||||||
"CONDITION": False},
|
|
||||||
|
|
||||||
{"CMD_OPTION": "amqp-ssl-self-signed",
|
|
||||||
"PROMPT": "Generate Self Signed SSL Certificate",
|
|
||||||
"OPTION_LIST": ["y", "n"],
|
|
||||||
"VALIDATORS": [validators.validate_not_empty],
|
|
||||||
"DEFAULT_VALUE": "y",
|
|
||||||
"MASK_INPUT": False,
|
|
||||||
"LOOSE_VALIDATION": True,
|
|
||||||
"CONF_NAME": "CONFIG_AMQP_SSL_SELF_SIGNED",
|
|
||||||
"USE_DEFAULT": False,
|
|
||||||
"NEED_CONFIRM": False,
|
|
||||||
"CONDITION": False},
|
|
||||||
]
|
]
|
||||||
update_params_usage(basedefs.PACKSTACK_DOC, params, sectioned=False)
|
update_params_usage(basedefs.PACKSTACK_DOC, params, sectioned=False)
|
||||||
group = {"GROUP_NAME": "AMQPSSL",
|
group = {"GROUP_NAME": "AMQPSSL",
|
||||||
@ -227,25 +166,22 @@ def initSequences(controller):
|
|||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
server = utils.ScriptRunner(config['CONFIG_AMQP_HOST'])
|
server = utils.ScriptRunner(config['CONFIG_AMQP_HOST'])
|
||||||
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
config['CONFIG_AMQP_ENABLE_SSL'] = True
|
config['CONFIG_AMQP_SSL_ENABLED'] = True
|
||||||
config['CONFIG_AMQP_PROTOCOL'] = 'ssl'
|
config['CONFIG_AMQP_PROTOCOL'] = 'ssl'
|
||||||
config['CONFIG_AMQP_CLIENTS_PORT'] = "5671"
|
config['CONFIG_AMQP_CLIENTS_PORT'] = "5671"
|
||||||
if config['CONFIG_AMQP_SSL_SELF_SIGNED'] == 'y':
|
amqp_host = config['CONFIG_AMQP_HOST']
|
||||||
server.append(
|
service = 'AMQP'
|
||||||
"openssl req -batch -new -x509 -nodes -keyout %s "
|
ssl_key_file = '/etc/pki/tls/private/ssl_amqp.key'
|
||||||
"-out %s -days 1095"
|
ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp.crt'
|
||||||
% (config['CONFIG_AMQP_SSL_KEY_FILE'],
|
cacert = config['CONFIG_AMQP_SSL_CACERT_FILE'] = (
|
||||||
config['CONFIG_AMQP_SSL_CERT_FILE'])
|
config['CONFIG_SSL_CACERT_FILE']
|
||||||
)
|
)
|
||||||
server.execute()
|
generate_ssl_cert(config, amqp_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
else:
|
else:
|
||||||
# Set default values
|
# Set default values
|
||||||
config['CONFIG_AMQP_CLIENTS_PORT'] = "5672"
|
config['CONFIG_AMQP_CLIENTS_PORT'] = "5672"
|
||||||
config['CONFIG_AMQP_SSL_PORT'] = "5671"
|
config['CONFIG_AMQP_SSL_ENABLED'] = False
|
||||||
config['CONFIG_AMQP_SSL_CERT_FILE'] = ''
|
|
||||||
config['CONFIG_AMQP_SSL_KEY_FILE'] = ''
|
|
||||||
config['CONFIG_AMQP_NSS_CERTDB_PW'] = ''
|
|
||||||
config['CONFIG_AMQP_ENABLE_SSL'] = False
|
|
||||||
config['CONFIG_AMQP_PROTOCOL'] = 'tcp'
|
config['CONFIG_AMQP_PROTOCOL'] = 'tcp'
|
||||||
|
|
||||||
if config['CONFIG_AMQP_ENABLE_AUTH'] == 'n':
|
if config['CONFIG_AMQP_ENABLE_AUTH'] == 'n':
|
||||||
|
@ -29,6 +29,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------- Ceilometer Packstack Plugin Initialization --------------
|
# ------------- Ceilometer Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -274,6 +275,18 @@ def create_manifest(config, messages):
|
|||||||
sentinel_fallbacks = ''
|
sentinel_fallbacks = ''
|
||||||
config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks
|
config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks
|
||||||
|
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
|
||||||
|
)
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
service = 'ceilometer'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
fw_details = dict()
|
fw_details = dict()
|
||||||
key = "ceilometer_api"
|
key = "ceilometer_api"
|
||||||
fw_details.setdefault(key, {})
|
fw_details.setdefault(key, {})
|
||||||
|
@ -31,6 +31,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------------ Cinder Packstack Plugin initialization ------------------
|
# ------------------ Cinder Packstack Plugin initialization ------------------
|
||||||
|
|
||||||
@ -657,6 +658,18 @@ def create_keystone_manifest(config, messages):
|
|||||||
|
|
||||||
|
|
||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_host = config['CONFIG_STORAGE_HOST']
|
||||||
|
ssl_cert_file = config['CONFIG_CINDER_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_cinder.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_CINDER_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_cinder.key'
|
||||||
|
)
|
||||||
|
service = 'cinder'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifestdata = getManifestTemplate(get_mq(config, "cinder"))
|
manifestdata = getManifestTemplate(get_mq(config, "cinder"))
|
||||||
manifestfile = "%s_cinder.pp" % config['CONFIG_STORAGE_HOST']
|
manifestfile = "%s_cinder.pp" % config['CONFIG_STORAGE_HOST']
|
||||||
manifestdata += getManifestTemplate("cinder")
|
manifestdata += getManifestTemplate("cinder")
|
||||||
|
@ -20,13 +20,15 @@ import os
|
|||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from packstack.installer import basedefs
|
from packstack.installer import basedefs
|
||||||
from packstack.installer import validators
|
|
||||||
from packstack.installer import exceptions
|
from packstack.installer import exceptions
|
||||||
from packstack.installer import utils
|
from packstack.installer import utils
|
||||||
|
from packstack.installer import validators
|
||||||
|
|
||||||
from packstack.modules.documentation import update_params_usage
|
from packstack.modules.documentation import update_params_usage
|
||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
from packstack.modules.ospluginutils import deliver_ssl_file
|
||||||
|
|
||||||
# ------------- Horizon Packstack Plugin Initialization --------------
|
# ------------- Horizon Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -59,9 +61,6 @@ def initConfig(controller):
|
|||||||
|
|
||||||
params = [
|
params = [
|
||||||
{"CMD_OPTION": "os-ssl-cert",
|
{"CMD_OPTION": "os-ssl-cert",
|
||||||
"USAGE": ("PEM encoded certificate to be used for ssl on the https "
|
|
||||||
"server, leave blank if one should be generated, this "
|
|
||||||
"certificate should not require a passphrase"),
|
|
||||||
"PROMPT": ("Enter the path to a PEM encoded certificate to be used "
|
"PROMPT": ("Enter the path to a PEM encoded certificate to be used "
|
||||||
"on the https server, leave blank if one should be "
|
"on the https server, leave blank if one should be "
|
||||||
"generated, this certificate should not require "
|
"generated, this certificate should not require "
|
||||||
@ -71,14 +70,13 @@ def initConfig(controller):
|
|||||||
"DEFAULT_VALUE": '',
|
"DEFAULT_VALUE": '',
|
||||||
"MASK_INPUT": False,
|
"MASK_INPUT": False,
|
||||||
"LOOSE_VALIDATION": True,
|
"LOOSE_VALIDATION": True,
|
||||||
"CONF_NAME": "CONFIG_SSL_CERT",
|
"CONF_NAME": "CONFIG_HORIZON_SSL_CERT",
|
||||||
"USE_DEFAULT": False,
|
"USE_DEFAULT": False,
|
||||||
"NEED_CONFIRM": False,
|
"NEED_CONFIRM": False,
|
||||||
"CONDITION": False},
|
"CONDITION": False,
|
||||||
|
"DEPRECATES": ['CONFIG_SSL_CERT']},
|
||||||
|
|
||||||
{"CMD_OPTION": "os-ssl-key",
|
{"CMD_OPTION": "os-ssl-key",
|
||||||
"USAGE": ("SSL keyfile corresponding to the certificate if one was "
|
|
||||||
"entered"),
|
|
||||||
"PROMPT": ("Enter the SSL keyfile corresponding to the certificate "
|
"PROMPT": ("Enter the SSL keyfile corresponding to the certificate "
|
||||||
"if one was entered"),
|
"if one was entered"),
|
||||||
"OPTION_LIST": [],
|
"OPTION_LIST": [],
|
||||||
@ -86,14 +84,13 @@ def initConfig(controller):
|
|||||||
"DEFAULT_VALUE": "",
|
"DEFAULT_VALUE": "",
|
||||||
"MASK_INPUT": False,
|
"MASK_INPUT": False,
|
||||||
"LOOSE_VALIDATION": True,
|
"LOOSE_VALIDATION": True,
|
||||||
"CONF_NAME": "CONFIG_SSL_KEY",
|
"CONF_NAME": "CONFIG_HORIZON_SSL_KEY",
|
||||||
"USE_DEFAULT": False,
|
"USE_DEFAULT": False,
|
||||||
"NEED_CONFIRM": False,
|
"NEED_CONFIRM": False,
|
||||||
"CONDITION": False},
|
"CONDITION": False,
|
||||||
|
"DEPRECATES": ['CONFIG_SSL_KEY']},
|
||||||
|
|
||||||
{"CMD_OPTION": "os-ssl-cachain",
|
{"CMD_OPTION": "os-ssl-cachain",
|
||||||
"USAGE": ("PEM encoded CA certificates from which the certificate "
|
|
||||||
"chain of the server certificate can be assembled."),
|
|
||||||
"PROMPT": ("Enter the CA cahin file corresponding to the certificate "
|
"PROMPT": ("Enter the CA cahin file corresponding to the certificate "
|
||||||
"if one was entered"),
|
"if one was entered"),
|
||||||
"OPTION_LIST": [],
|
"OPTION_LIST": [],
|
||||||
@ -101,10 +98,11 @@ def initConfig(controller):
|
|||||||
"DEFAULT_VALUE": "",
|
"DEFAULT_VALUE": "",
|
||||||
"MASK_INPUT": False,
|
"MASK_INPUT": False,
|
||||||
"LOOSE_VALIDATION": True,
|
"LOOSE_VALIDATION": True,
|
||||||
"CONF_NAME": "CONFIG_SSL_CACHAIN",
|
"CONF_NAME": "CONFIG_HORIZON_SSL_CACERT",
|
||||||
"USE_DEFAULT": False,
|
"USE_DEFAULT": False,
|
||||||
"NEED_CONFIRM": False,
|
"NEED_CONFIRM": False,
|
||||||
"CONDITION": False},
|
"CONDITION": False,
|
||||||
|
"DEPRECATES": ['CONFIG_SSL_CACHAIN']},
|
||||||
]
|
]
|
||||||
update_params_usage(basedefs.PACKSTACK_DOC, params, sectioned=False)
|
update_params_usage(basedefs.PACKSTACK_DOC, params, sectioned=False)
|
||||||
group = {"GROUP_NAME": "OSSSL",
|
group = {"GROUP_NAME": "OSSSL",
|
||||||
@ -138,15 +136,14 @@ def create_manifest(config, messages):
|
|||||||
config["CONFIG_HORIZON_PORT"] = 80
|
config["CONFIG_HORIZON_PORT"] = 80
|
||||||
sslmanifestdata = ''
|
sslmanifestdata = ''
|
||||||
if config["CONFIG_HORIZON_SSL"] == 'y':
|
if config["CONFIG_HORIZON_SSL"] == 'y':
|
||||||
config["CONFIG_HORIZON_SSL"] = True
|
|
||||||
config["CONFIG_HORIZON_PORT"] = 443
|
config["CONFIG_HORIZON_PORT"] = 443
|
||||||
proto = "https"
|
proto = "https"
|
||||||
|
|
||||||
# Are we using the users cert/key files
|
# Are we using the users cert/key files
|
||||||
if config["CONFIG_SSL_CERT"]:
|
if config["CONFIG_HORIZON_SSL_CERT"]:
|
||||||
ssl_cert = config["CONFIG_SSL_CERT"]
|
ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"]
|
||||||
ssl_key = config["CONFIG_SSL_KEY"]
|
ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"]
|
||||||
ssl_chain = config["CONFIG_SSL_CACHAIN"]
|
ssl_chain_file = config["CONFIG_HORIZON_SSL_CACERT"]
|
||||||
|
|
||||||
if not os.path.exists(ssl_cert):
|
if not os.path.exists(ssl_cert):
|
||||||
raise exceptions.ParamValidationError(
|
raise exceptions.ParamValidationError(
|
||||||
@ -160,19 +157,32 @@ def create_manifest(config, messages):
|
|||||||
raise exceptions.ParamValidationError(
|
raise exceptions.ParamValidationError(
|
||||||
"The file %s doesn't exist" % ssl_chain)
|
"The file %s doesn't exist" % ssl_chain)
|
||||||
|
|
||||||
resources = config.setdefault('RESOURCES', {})
|
final_cert = open(ssl_cert_file, 'rt').read()
|
||||||
host_resources = resources.setdefault(horizon_host, [])
|
final_key = open(ssl_key_file, 'rt').read()
|
||||||
host_resources.append((ssl_cert, 'ssl_ps_server.crt'))
|
final_cacert = open(ssl_chain_file, 'rt').read()
|
||||||
host_resources.append((ssl_key, 'ssl_ps_server.key'))
|
host = config['CONFIG_CONTROLLER_HOST']
|
||||||
host_resources.append((ssl_chain, 'ssl_ps_chain.crt'))
|
deliver_ssl_file(final_cacert, ssl_chain_file, host)
|
||||||
|
deliver_ssl_file(final_cert, ssl_cert_file, host)
|
||||||
|
deliver_ssl_file(final_key, ssl_key_file, host)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
|
ssl_cert_file = config["CONFIG_HORIZON_SSL_CERT"] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_dashboard.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config["CONFIG_HORIZON_SSL_KEY"] = (
|
||||||
|
'/etc/pki/tls/private/ssl_dashboard.key'
|
||||||
|
)
|
||||||
|
cacert = config['CONFIG_SSL_CACERT_FILE']
|
||||||
|
config["CONFIG_HORIZON_SSL_CACERT"] = cacert
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
service = 'dashboard'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
messages.append(
|
messages.append(
|
||||||
"%sNOTE%s : A certificate was generated to be used for ssl, "
|
"%sNOTE%s : A certificate was generated to be used for ssl, "
|
||||||
"You should change the ssl certificate configured in "
|
"You should change the ssl certificate configured in "
|
||||||
"/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert."
|
"/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert."
|
||||||
% (utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host))
|
% (utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host))
|
||||||
else:
|
|
||||||
config["CONFIG_HORIZON_SSL"] = False
|
|
||||||
|
|
||||||
config["CONFIG_HORIZON_NEUTRON_LB"] = False
|
config["CONFIG_HORIZON_NEUTRON_LB"] = False
|
||||||
config["CONFIG_HORIZON_NEUTRON_FW"] = False
|
config["CONFIG_HORIZON_NEUTRON_FW"] = False
|
||||||
|
@ -26,6 +26,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------- Glance Packstack Plugin Initialization --------------
|
# ------------- Glance Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -118,6 +119,18 @@ def create_keystone_manifest(config, messages):
|
|||||||
|
|
||||||
|
|
||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_host = config['CONFIG_STORAGE_HOST']
|
||||||
|
ssl_cert_file = config['CONFIG_GLANCE_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_glance.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_GLANCE_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_glance.key'
|
||||||
|
)
|
||||||
|
service = 'glance'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST']
|
manifestfile = "%s_glance.pp" % config['CONFIG_STORAGE_HOST']
|
||||||
manifestdata = getManifestTemplate("glance")
|
manifestdata = getManifestTemplate("glance")
|
||||||
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
|
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
|
||||||
|
@ -28,6 +28,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------- Heat Packstack Plugin Initialization --------------
|
# ------------- Heat Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -170,6 +171,18 @@ def initSequences(controller):
|
|||||||
# ------------------------ step functions -------------------------
|
# ------------------------ step functions -------------------------
|
||||||
|
|
||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
ssl_cert_file = config['CONFIG_HEAT_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_heat.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_HEAT_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_heat.key'
|
||||||
|
)
|
||||||
|
service = 'heat'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST']
|
manifestfile = "%s_heat.pp" % config['CONFIG_CONTROLLER_HOST']
|
||||||
manifestdata = getManifestTemplate(get_mq(config, "heat"))
|
manifestdata = getManifestTemplate(get_mq(config, "heat"))
|
||||||
manifestdata += getManifestTemplate("heat")
|
manifestdata += getManifestTemplate("heat")
|
||||||
|
@ -26,6 +26,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------------ Ironic Packstack Plugin initialization ------------------
|
# ------------------ Ironic Packstack Plugin initialization ------------------
|
||||||
|
|
||||||
@ -90,6 +91,17 @@ def initSequences(controller):
|
|||||||
# -------------------------- step functions --------------------------
|
# -------------------------- step functions --------------------------
|
||||||
|
|
||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
ssl_cert_file = config['CONFIG_IRONIC_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_ironic.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_IRONIC_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_ironic.key'
|
||||||
|
)
|
||||||
|
service = 'ironic'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifestfile = "%s_ironic.pp" % config['CONFIG_CONTROLLER_HOST']
|
manifestfile = "%s_ironic.pp" % config['CONFIG_CONTROLLER_HOST']
|
||||||
manifestdata = getManifestTemplate(get_mq(config, "ironic"))
|
manifestdata = getManifestTemplate(get_mq(config, "ironic"))
|
||||||
|
@ -26,6 +26,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------- Manila Packstack Plugin Initialization --------------
|
# ------------- Manila Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -491,6 +492,18 @@ def create_manifest(config, messages):
|
|||||||
if config['CONFIG_UNSUPPORTED'] != 'y':
|
if config['CONFIG_UNSUPPORTED'] != 'y':
|
||||||
config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
|
config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_host = config['CONFIG_STORAGE_HOST']
|
||||||
|
ssl_cert_file = config['CONFIG_MANILA_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_manila.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_MANILA_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_manila.key'
|
||||||
|
)
|
||||||
|
service = 'manila'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
# Change these from text to Boolean values
|
# Change these from text to Boolean values
|
||||||
boolean_keys = ['CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS',
|
boolean_keys = ['CONFIG_MANILA_GENERIC_DRV_HANDLES_SHARE_SERVERS',
|
||||||
'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS']
|
'CONFIG_MANILA_NETAPP_DRV_HANDLES_SHARE_SERVERS']
|
||||||
|
@ -29,6 +29,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------- Neutron Packstack Plugin Initialization --------------
|
# ------------- Neutron Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
@ -518,7 +519,20 @@ def create_manifests(config, messages):
|
|||||||
|
|
||||||
plugin_manifest = 'neutron_ml2_plugin'
|
plugin_manifest = 'neutron_ml2_plugin'
|
||||||
|
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_cert_file = config['CONFIG_NEUTRON_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_neutron.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_NEUTRON_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_neutron.key'
|
||||||
|
)
|
||||||
|
service = 'neutron'
|
||||||
|
|
||||||
for host in q_hosts:
|
for host in q_hosts:
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
generate_ssl_cert(config, host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifest_file = "%s_neutron.pp" % (host,)
|
manifest_file = "%s_neutron.pp" % (host,)
|
||||||
manifest_data = getManifestTemplate("neutron")
|
manifest_data = getManifestTemplate("neutron")
|
||||||
manifest_data += getManifestTemplate(get_mq(config, "neutron"))
|
manifest_data += getManifestTemplate(get_mq(config, "neutron"))
|
||||||
|
@ -32,6 +32,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
from packstack.modules.ospluginutils import manifestfiles
|
from packstack.modules.ospluginutils import manifestfiles
|
||||||
|
|
||||||
# ------------- Nova Packstack Plugin Initialization --------------
|
# ------------- Nova Packstack Plugin Initialization --------------
|
||||||
@ -128,6 +129,33 @@ def initConfig(controller):
|
|||||||
"NEED_CONFIRM": False,
|
"NEED_CONFIRM": False,
|
||||||
"CONDITION": False},
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "nova-ssl-cert",
|
||||||
|
"PROMPT": ("Enter the path to a PEM encoded certificate to be used "
|
||||||
|
"on the https server, leave blank if one should be "
|
||||||
|
"generated, this certificate should not require "
|
||||||
|
"a passphrase"),
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [],
|
||||||
|
"DEFAULT_VALUE": '',
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": True,
|
||||||
|
"CONF_NAME": "CONFIG_VNC_SSL_CERT",
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "nova-ssl-key",
|
||||||
|
"PROMPT": ("Enter the SSL keyfile corresponding to the certificate "
|
||||||
|
"if one was entered"),
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [],
|
||||||
|
"DEFAULT_VALUE": "",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": True,
|
||||||
|
"CONF_NAME": "CONFIG_VNC_SSL_KEY",
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
],
|
],
|
||||||
|
|
||||||
"NOVA_NETWORK": [
|
"NOVA_NETWORK": [
|
||||||
@ -458,6 +486,11 @@ def create_conductor_manifest(config, messages):
|
|||||||
def create_compute_manifest(config, messages):
|
def create_compute_manifest(config, messages):
|
||||||
global compute_hosts, network_hosts
|
global compute_hosts, network_hosts
|
||||||
|
|
||||||
|
if config["CONFIG_HORIZON_SSL"] == 'y':
|
||||||
|
config["CONFIG_VNCPROXY_PROTOCOL"] = "https"
|
||||||
|
else:
|
||||||
|
config["CONFIG_VNCPROXY_PROTOCOL"] = "http"
|
||||||
|
|
||||||
migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL']
|
migrate_protocol = config['CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL']
|
||||||
if migrate_protocol == 'ssh':
|
if migrate_protocol == 'ssh':
|
||||||
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
|
config['CONFIG_NOVA_COMPUTE_MIGRATE_URL'] = (
|
||||||
@ -550,6 +583,18 @@ def create_compute_manifest(config, messages):
|
|||||||
messages.append(str(ex))
|
messages.append(str(ex))
|
||||||
|
|
||||||
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
|
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_cert_file = config['CONFIG_CEILOMETER_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_CEILOMETER_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_ceilometer.key'
|
||||||
|
)
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
service = 'ceilometer'
|
||||||
|
generate_ssl_cert(config, host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
mq_template = get_mq(config, "nova_ceilometer")
|
mq_template = get_mq(config, "nova_ceilometer")
|
||||||
manifestdata += getManifestTemplate(mq_template)
|
manifestdata += getManifestTemplate(mq_template)
|
||||||
manifestdata += getManifestTemplate("nova_ceilometer")
|
manifestdata += getManifestTemplate("nova_ceilometer")
|
||||||
@ -630,6 +675,33 @@ def create_sched_manifest(config, messages):
|
|||||||
|
|
||||||
|
|
||||||
def create_vncproxy_manifest(config, messages):
|
def create_vncproxy_manifest(config, messages):
|
||||||
|
if config["CONFIG_HORIZON_SSL"] == 'y':
|
||||||
|
if config["CONFIG_VNC_SSL_CERT"]:
|
||||||
|
ssl_cert_file = config["CONFIG_VNC_SSL_CERT"]
|
||||||
|
ssl_key_file = config["CONFIG_VNC_SSL_KEY"]
|
||||||
|
if not os.path.exists(ssl_cert):
|
||||||
|
raise exceptions.ParamValidationError(
|
||||||
|
"The file %s doesn't exist" % ssl_cert_file)
|
||||||
|
|
||||||
|
if not os.path.exists(ssl_key):
|
||||||
|
raise exceptions.ParamValidationError(
|
||||||
|
"The file %s doesn't exist" % ssl_key_file)
|
||||||
|
|
||||||
|
final_cert = open(ssl_cert_file, 'rt').read()
|
||||||
|
final_key = open(ssl_key_file, 'rt').read()
|
||||||
|
deliver_ssl_file(final_cert, ssl_cert_file, config['CONFIG_CONTROLLER_HOST'])
|
||||||
|
deliver_ssl_file(final_key, ssl_key_file, config['CONFIG_CONTROLLER_HOST'])
|
||||||
|
|
||||||
|
else:
|
||||||
|
config["CONFIG_VNC_SSL_CERT"] = '/etc/pki/tls/certs/ssl_vnc.crt'
|
||||||
|
config["CONFIG_VNC_SSL_KEY"] = '/etc/pki/tls/private/ssl_vnc.key'
|
||||||
|
ssl_key_file = config["CONFIG_VNC_SSL_KEY"]
|
||||||
|
ssl_cert_file = config["CONFIG_VNC_SSL_CERT"]
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
service = 'vnc'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifestfile = "%s_nova.pp" % config['CONFIG_CONTROLLER_HOST']
|
manifestfile = "%s_nova.pp" % config['CONFIG_CONTROLLER_HOST']
|
||||||
manifestdata = getManifestTemplate("nova_vncproxy")
|
manifestdata = getManifestTemplate("nova_vncproxy")
|
||||||
appendManifestFile(manifestfile, manifestdata)
|
appendManifestFile(manifestfile, manifestdata)
|
||||||
@ -681,6 +753,20 @@ def create_common_manifest(config, messages):
|
|||||||
data += getManifestTemplate("nova_common_nopw")
|
data += getManifestTemplate("nova_common_nopw")
|
||||||
appendManifestFile(os.path.split(manifestfile)[1], data)
|
appendManifestFile(os.path.split(manifestfile)[1], data)
|
||||||
|
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
nova_hosts = compute_hosts
|
||||||
|
nova_hosts |= set([config.get('CONFIG_CONTROLLER_HOST')])
|
||||||
|
ssl_cert_file = config['CONFIG_NOVA_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_nova.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_NOVA_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_nova.key'
|
||||||
|
)
|
||||||
|
service = 'nova'
|
||||||
|
for host in nova_hosts:
|
||||||
|
generate_ssl_cert(config, host, service,
|
||||||
|
ssl_key_file, ssl_cert_file)
|
||||||
|
|
||||||
|
|
||||||
def create_neutron_manifest(config, messages):
|
def create_neutron_manifest(config, messages):
|
||||||
if config['CONFIG_NEUTRON_INSTALL'] != "y":
|
if config['CONFIG_NEUTRON_INSTALL'] != "y":
|
||||||
|
@ -26,6 +26,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------------ Sahara installer initialization ------------------
|
# ------------------ Sahara installer initialization ------------------
|
||||||
|
|
||||||
@ -90,13 +91,24 @@ def initSequences(controller):
|
|||||||
def create_keystone_manifest(config, messages):
|
def create_keystone_manifest(config, messages):
|
||||||
if config['CONFIG_UNSUPPORTED'] != 'y':
|
if config['CONFIG_UNSUPPORTED'] != 'y':
|
||||||
config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST']
|
config['CONFIG_SAHARA_HOST'] = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
manifestfile = "%s_keystone.pp" % config['CONFIG_SAHARA_HOST']
|
||||||
manifestfile = "%s_keystone.pp" % config['CONFIG_CONTROLLER_HOST']
|
|
||||||
manifestdata = getManifestTemplate("keystone_sahara")
|
manifestdata = getManifestTemplate("keystone_sahara")
|
||||||
appendManifestFile(manifestfile, manifestdata)
|
appendManifestFile(manifestfile, manifestdata)
|
||||||
|
|
||||||
|
|
||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_host = config['CONFIG_SAHARA_HOST']
|
||||||
|
ssl_cert_file = config['CONFIG_SAHARA_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_sahara.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_SAHARA_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_sahara.key'
|
||||||
|
)
|
||||||
|
service = 'sahara'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
manifestfile = "%s_sahara.pp" % config['CONFIG_STORAGE_HOST']
|
manifestfile = "%s_sahara.pp" % config['CONFIG_STORAGE_HOST']
|
||||||
manifestdata = getManifestTemplate(get_mq(config, "sahara"))
|
manifestdata = getManifestTemplate(get_mq(config, "sahara"))
|
||||||
manifestdata += getManifestTemplate("sahara.pp")
|
manifestdata += getManifestTemplate("sahara.pp")
|
||||||
|
288
packstack/plugins/ssl_001.py
Normal file
288
packstack/plugins/ssl_001.py
Normal file
@ -0,0 +1,288 @@
|
|||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
# implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
"""
|
||||||
|
Plugin responsible for managing SSL options
|
||||||
|
"""
|
||||||
|
import os
|
||||||
|
|
||||||
|
from OpenSSL import crypto
|
||||||
|
from socket import gethostname
|
||||||
|
|
||||||
|
from packstack.installer import basedefs
|
||||||
|
from packstack.installer import utils
|
||||||
|
from packstack.installer import validators
|
||||||
|
|
||||||
|
from packstack.modules.documentation import update_params_usage
|
||||||
|
|
||||||
|
# ------------- SSL Packstack Plugin Initialization --------------
|
||||||
|
|
||||||
|
PLUGIN_NAME = "SSL"
|
||||||
|
PLUGIN_NAME_COLORED = utils.color_text(PLUGIN_NAME, 'blue')
|
||||||
|
|
||||||
|
|
||||||
|
def initConfig(controller):
|
||||||
|
params = {
|
||||||
|
"SSL": [
|
||||||
|
{"CMD_OPTION": "ssl-cacert-file",
|
||||||
|
"PROMPT": ("Enter the filename of the SSL CAcertificate, if the"
|
||||||
|
" CONFIG_SSL_CACERT_SELFSIGN is set to y the path "
|
||||||
|
"will be CONFIG_SSL_CERT_DIR/certs/selfcert.crt"),
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "/etc/pki/tls/certs/selfcert.crt",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": True,
|
||||||
|
"CONF_NAME": "CONFIG_SSL_CACERT_FILE",
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "ssl-cacert-key-file",
|
||||||
|
"PROMPT": ("Enter the filename of the SSL CAcertificate Key file"
|
||||||
|
", if the CONFIG_SSL_CACERT_SELFSIGN is set to y the "
|
||||||
|
"path will be CONFIG_SSL_CERT_DIR/keys/selfkey.key"),
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "/etc/pki/tls/private/selfkey.key",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": True,
|
||||||
|
"CONF_NAME": "CONFIG_SSL_CACERT_KEY_FILE",
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "ssl-cert-dir",
|
||||||
|
"PROMPT": ("Enter the path to use to store generated SSL certificates in"),
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty,
|
||||||
|
validators.validate_writeable_directory],
|
||||||
|
"DEFAULT_VALUE": "~/packstackca/",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": True,
|
||||||
|
"CONF_NAME": "CONFIG_SSL_CERT_DIR",
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "ssl-cacert-selfsign",
|
||||||
|
"PROMPT": "Should packstack use selfsigned CAcert.",
|
||||||
|
"OPTION_LIST": ["y", "n"],
|
||||||
|
"VALIDATORS": [validators.validate_options],
|
||||||
|
"DEFAULT_VALUE": "y",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SSL_CACERT_SELFSIGN',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False}
|
||||||
|
],
|
||||||
|
|
||||||
|
"SSL_SELFSIGN": [
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-country",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject country.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "--",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_C',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-state",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject state.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "State",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_ST',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-location",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject location.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "City",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_L',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-organization",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject organization.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "openstack",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_O',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-organizational-unit",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject organizational unit.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "packstack",
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_OU',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-common-name",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject common name.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": gethostname(),
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_CN',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
|
||||||
|
{"CMD_OPTION": "selfsign-cacert-subject-email",
|
||||||
|
"PROMPT": "Enter the selfsigned CAcert subject admin email.",
|
||||||
|
"OPTION_LIST": [],
|
||||||
|
"VALIDATORS": [validators.validate_not_empty],
|
||||||
|
"DEFAULT_VALUE": "admin@%s" % gethostname(),
|
||||||
|
"MASK_INPUT": False,
|
||||||
|
"LOOSE_VALIDATION": False,
|
||||||
|
"CONF_NAME": 'CONFIG_SELFSIGN_CACERT_SUBJECT_MAIL',
|
||||||
|
"USE_DEFAULT": False,
|
||||||
|
"NEED_CONFIRM": False,
|
||||||
|
"CONDITION": False},
|
||||||
|
]
|
||||||
|
}
|
||||||
|
update_params_usage(basedefs.PACKSTACK_DOC, params)
|
||||||
|
|
||||||
|
groups = [
|
||||||
|
{"GROUP_NAME": "SSL",
|
||||||
|
"DESCRIPTION": "SSL Config parameters",
|
||||||
|
"PRE_CONDITION": lambda x: 'yes',
|
||||||
|
"PRE_CONDITION_MATCH": "yes",
|
||||||
|
"POST_CONDITION": False,
|
||||||
|
"POST_CONDITION_MATCH": True},
|
||||||
|
|
||||||
|
{"GROUP_NAME": "SSL_SELFSIGN",
|
||||||
|
"DESCRIPTION": "SSL selfsigned CAcert Config parameters",
|
||||||
|
"PRE_CONDITION": 'CONFIG_SSL_CACERT_SELFSIGN',
|
||||||
|
"PRE_CONDITION_MATCH": "y",
|
||||||
|
"POST_CONDITION": False,
|
||||||
|
"POST_CONDITION_MATCH": True}
|
||||||
|
]
|
||||||
|
for group in groups:
|
||||||
|
controller.addGroup(group, params[group['GROUP_NAME']])
|
||||||
|
|
||||||
|
|
||||||
|
def initSequences(controller):
|
||||||
|
ssl_steps = [
|
||||||
|
{'title': 'Setting up CACERT',
|
||||||
|
'functions': [create_self_signed_cert]}
|
||||||
|
]
|
||||||
|
controller.addSequence("Setting up SSL", [], [],
|
||||||
|
ssl_steps)
|
||||||
|
|
||||||
|
|
||||||
|
# ------------------------- helper functions -------------------------
|
||||||
|
|
||||||
|
def create_self_signed_cert(config, messages):
|
||||||
|
"""
|
||||||
|
OpenSSL wrapper to create selfsigned CA.
|
||||||
|
"""
|
||||||
|
|
||||||
|
if (config['CONFIG_AMQP_ENABLE_SSL'] != 'y' and
|
||||||
|
config["CONFIG_HORIZON_SSL"] != 'y'):
|
||||||
|
return
|
||||||
|
|
||||||
|
if not os.path.isdir(config['CONFIG_SSL_CERT_DIR']):
|
||||||
|
os.mkdir(config['CONFIG_SSL_CERT_DIR'])
|
||||||
|
certs = os.path.join(config['CONFIG_SSL_CERT_DIR'], 'certs')
|
||||||
|
if not os.path.isdir(certs):
|
||||||
|
os.mkdir(certs)
|
||||||
|
keys = os.path.join(config['CONFIG_SSL_CERT_DIR'], 'keys')
|
||||||
|
if not os.path.isdir(keys):
|
||||||
|
os.mkdir(keys)
|
||||||
|
|
||||||
|
if config['CONFIG_SSL_CACERT_SELFSIGN'] != 'y':
|
||||||
|
return
|
||||||
|
|
||||||
|
CERT_FILE = config['CONFIG_SSL_CACERT_FILE'] = (
|
||||||
|
'%s/certs/selfcert.crt' % config['CONFIG_SSL_CERT_DIR']
|
||||||
|
)
|
||||||
|
KEY_FILE = config['CONFIG_SSL_CACERT_KEY_FILE'] = (
|
||||||
|
'%s/keys/selfcert.crt' % config['CONFIG_SSL_CERT_DIR']
|
||||||
|
)
|
||||||
|
if not os.path.exists(CERT_FILE) or not os.path.exists(KEY_FILE):
|
||||||
|
# create a key pair
|
||||||
|
k = crypto.PKey()
|
||||||
|
k.generate_key(crypto.TYPE_RSA, 4096)
|
||||||
|
|
||||||
|
# create a self-signed cert
|
||||||
|
mail = config['CONFIG_SELFSIGN_CACERT_SUBJECT_MAIL']
|
||||||
|
cert = crypto.X509()
|
||||||
|
subject = cert.get_subject()
|
||||||
|
subject.C = config['CONFIG_SELFSIGN_CACERT_SUBJECT_C']
|
||||||
|
subject.ST = config['CONFIG_SELFSIGN_CACERT_SUBJECT_ST']
|
||||||
|
subject.L = config['CONFIG_SELFSIGN_CACERT_SUBJECT_L']
|
||||||
|
subject.O = config['CONFIG_SELFSIGN_CACERT_SUBJECT_O']
|
||||||
|
subject.OU = config['CONFIG_SELFSIGN_CACERT_SUBJECT_OU']
|
||||||
|
subject.CN = config['CONFIG_SELFSIGN_CACERT_SUBJECT_CN']
|
||||||
|
subject.emailAddress = mail
|
||||||
|
cert.set_serial_number(1000)
|
||||||
|
cert.gmtime_adj_notBefore(0)
|
||||||
|
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
|
||||||
|
cert.set_issuer(cert.get_subject())
|
||||||
|
cert.set_pubkey(k)
|
||||||
|
|
||||||
|
# CA extensions
|
||||||
|
cert.add_extensions([
|
||||||
|
crypto.X509Extension("basicConstraints".encode('ascii'), False,
|
||||||
|
"CA:TRUE".encode('ascii')),
|
||||||
|
crypto.X509Extension("keyUsage".encode('ascii'), False,
|
||||||
|
"keyCertSign, cRLSign".encode('ascii')),
|
||||||
|
crypto.X509Extension("subjectKeyIdentifier".encode('ascii'), False,
|
||||||
|
"hash".encode('ascii'),
|
||||||
|
subject=cert),
|
||||||
|
])
|
||||||
|
|
||||||
|
cert.add_extensions([
|
||||||
|
crypto.X509Extension(
|
||||||
|
"authorityKeyIdentifier".encode('ascii'), False,
|
||||||
|
"keyid:always".encode('ascii'), issuer=cert)
|
||||||
|
])
|
||||||
|
|
||||||
|
cert.sign(k, 'sha1')
|
||||||
|
|
||||||
|
open((CERT_FILE), "wt").write(
|
||||||
|
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
|
||||||
|
open((KEY_FILE), "wt").write(
|
||||||
|
crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
|
||||||
|
|
||||||
|
messages.append(
|
||||||
|
"%sNOTE%s : A selfsigned CA certificate was generated to be used "
|
||||||
|
"for ssl, you should still change it do subordinate CA cert. In "
|
||||||
|
"any case please save the contents of %s."
|
||||||
|
% (utils.COLORS['red'], utils.COLORS['nocolor'],
|
||||||
|
config['CONFIG_SSL_CERT_DIR']))
|
@ -26,6 +26,7 @@ from packstack.modules.shortcuts import get_mq
|
|||||||
from packstack.modules.ospluginutils import appendManifestFile
|
from packstack.modules.ospluginutils import appendManifestFile
|
||||||
from packstack.modules.ospluginutils import createFirewallResources
|
from packstack.modules.ospluginutils import createFirewallResources
|
||||||
from packstack.modules.ospluginutils import getManifestTemplate
|
from packstack.modules.ospluginutils import getManifestTemplate
|
||||||
|
from packstack.modules.ospluginutils import generate_ssl_cert
|
||||||
|
|
||||||
# ------------------ Trove Packstack Plugin initialization ------------------
|
# ------------------ Trove Packstack Plugin initialization ------------------
|
||||||
|
|
||||||
@ -143,6 +144,18 @@ def create_keystone_manifest(config, messages):
|
|||||||
|
|
||||||
|
|
||||||
def create_manifest(config, messages):
|
def create_manifest(config, messages):
|
||||||
|
if config['CONFIG_AMQP_ENABLE_SSL'] == 'y':
|
||||||
|
ssl_cert_file = config['CONFIG_TROVE_SSL_CERT'] = (
|
||||||
|
'/etc/pki/tls/certs/ssl_amqp_trove.crt'
|
||||||
|
)
|
||||||
|
ssl_key_file = config['CONFIG_TROVE_SSL_KEY'] = (
|
||||||
|
'/etc/pki/tls/private/ssl_amqp_trove.key'
|
||||||
|
)
|
||||||
|
ssl_host = config['CONFIG_CONTROLLER_HOST']
|
||||||
|
service = 'trove'
|
||||||
|
generate_ssl_cert(config, ssl_host, service, ssl_key_file,
|
||||||
|
ssl_cert_file)
|
||||||
|
|
||||||
if (config['CONFIG_TROVE_NOVA_USER'] == 'admin' and
|
if (config['CONFIG_TROVE_NOVA_USER'] == 'admin' and
|
||||||
config['CONFIG_TROVE_NOVA_PW'] == ''):
|
config['CONFIG_TROVE_NOVA_PW'] == ''):
|
||||||
config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_KEYSTONE_ADMIN_PW']
|
config['CONFIG_TROVE_NOVA_PW'] = config['CONFIG_KEYSTONE_ADMIN_PW']
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
$amqp = hiera('CONFIG_AMQP_BACKEND')
|
$amqp = hiera('CONFIG_AMQP_BACKEND')
|
||||||
$amqp_enable_ssl = hiera('CONFIG_AMQP_ENABLE_SSL')
|
$amqp_enable_ssl = hiera('CONFIG_AMQP_SSL_ENABLED')
|
||||||
|
|
||||||
case $amqp {
|
case $amqp {
|
||||||
'qpid': {
|
'qpid': {
|
||||||
@ -21,10 +21,9 @@ define enable_rabbitmq {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if $::amqp_enable_ssl {
|
if $::amqp_enable_ssl {
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE')
|
$kombu_ssl_keyfile = '/etc/pki/tls/private/ssl_amqp.key'
|
||||||
$kombu_ssl_keyfile = hiera('CONFIG_AMQP_SSL_KEY_FILE')
|
$kombu_ssl_certfile = '/etc/pki/tls/certs/ssl_amqp.crt'
|
||||||
$kombu_ssl_certfile = hiera('CONFIG_AMQP_SSL_CERT_FILE')
|
|
||||||
|
|
||||||
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
file { $files_to_set_owner:
|
file { $files_to_set_owner:
|
||||||
@ -35,7 +34,8 @@ define enable_rabbitmq {
|
|||||||
}
|
}
|
||||||
|
|
||||||
class { '::rabbitmq':
|
class { '::rabbitmq':
|
||||||
ssl_port => hiera('CONFIG_AMQP_SSL_PORT'),
|
port => undef,
|
||||||
|
ssl_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
ssl_only => true,
|
ssl_only => true,
|
||||||
ssl => $::amqp_enable_ssl,
|
ssl => $::amqp_enable_ssl,
|
||||||
ssl_cacert => $kombu_ssl_ca_certs,
|
ssl_cacert => $kombu_ssl_ca_certs,
|
||||||
@ -46,7 +46,7 @@ define enable_rabbitmq {
|
|||||||
package_provider => 'yum',
|
package_provider => 'yum',
|
||||||
admin_enable => false,
|
admin_enable => false,
|
||||||
# FIXME: it's ugly to not to require client certs
|
# FIXME: it's ugly to not to require client certs
|
||||||
ssl_fail_if_no_peer_cert => false,
|
ssl_fail_if_no_peer_cert => true,
|
||||||
config_variables => {
|
config_variables => {
|
||||||
'tcp_listen_options' => '[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]',
|
'tcp_listen_options' => '[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]',
|
||||||
'loopback_users' => '[]',
|
'loopback_users' => '[]',
|
||||||
@ -100,10 +100,10 @@ define enable_qpid($enable_ssl = 'n', $enable_auth = 'n') {
|
|||||||
default => 'no',
|
default => 'no',
|
||||||
},
|
},
|
||||||
clustered => false,
|
clustered => false,
|
||||||
ssl_port => hiera('CONFIG_AMQP_SSL_PORT'),
|
ssl_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
ssl_cert => hiera('CONFIG_AMQP_SSL_CERT_FILE'),
|
ssl_cert => '/etc/pki/tls/certs/ssl_amqp.crt',
|
||||||
ssl_key => hiera('CONFIG_AMQP_SSL_KEY_FILE'),
|
ssl_key => '/etc/pki/tls/private/ssl_amqp.key',
|
||||||
ssl_database_password => hiera('CONFIG_AMQP_NSS_CERTDB_PW'),
|
ssl_database_password => hiera('CONFIG_AMQP_NSS_CERTDB_PW'),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,10 +1,27 @@
|
|||||||
class { '::ceilometer':
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
metering_secret => hiera('CONFIG_CEILOMETER_SECRET'),
|
$kombu_ssl_keyfile = hiera('CONFIG_CEILOMETER_SSL_KEY', undef)
|
||||||
verbose => true,
|
$kombu_ssl_certfile = hiera('CONFIG_CEILOMETER_SSL_CERT', undef)
|
||||||
debug => hiera('CONFIG_DEBUG_MODE'),
|
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
if $kombu_ssl_keyfile {
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
file { $files_to_set_owner:
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
owner => 'ceilometer',
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
group => 'ceilometer',
|
||||||
|
require => Package['openstack-ceilometer-common'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
|
class { '::ceilometer':
|
||||||
|
metering_secret => hiera('CONFIG_CEILOMETER_SECRET'),
|
||||||
|
verbose => true,
|
||||||
|
debug => hiera('CONFIG_DEBUG_MODE'),
|
||||||
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -1,13 +1,30 @@
|
|||||||
$cinder_rab_cfg_cinder_db_pw = hiera('CONFIG_CINDER_DB_PW')
|
$cinder_rab_cfg_cinder_db_pw = hiera('CONFIG_CINDER_DB_PW')
|
||||||
$cinder_rab_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
$cinder_rab_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
||||||
|
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_CINDER_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_CINDER_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'cinder',
|
||||||
|
group => 'cinder',
|
||||||
|
require => Class['cinder'],
|
||||||
|
notify => Service['cinder-api'],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
class { '::cinder':
|
class { '::cinder':
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
database_connection => "mysql://cinder:${cinder_rab_cfg_cinder_db_pw}@${cinder_rab_cfg_mariadb_host}/cinder",
|
database_connection => "mysql://cinder:${cinder_rab_cfg_cinder_db_pw}@${cinder_rab_cfg_mariadb_host}/cinder",
|
||||||
verbose => true,
|
verbose => true,
|
||||||
debug => hiera('CONFIG_DEBUG_MODE'),
|
debug => hiera('CONFIG_DEBUG_MODE'),
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -1,9 +1,23 @@
|
|||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_GLANCE_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_GLANCE_SSL_CERT', undef)
|
||||||
|
|
||||||
class { '::glance::notify::rabbitmq':
|
if $kombu_ssl_keyfile {
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
file { $files_to_set_owner:
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
owner => 'glance',
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
group => 'glance',
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
require => Class['::glance::notify::rabbitmq'],
|
||||||
|
notify => Service['glance-api'],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
class { '::glance::notify::rabbitmq':
|
||||||
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2,6 +2,20 @@ $heat_rabbitmq_cfg_ctrl_host = hiera('CONFIG_KEYSTONE_HOST_URL')
|
|||||||
$heat_rabbitmq_cfg_heat_db_pw = hiera('CONFIG_HEAT_DB_PW')
|
$heat_rabbitmq_cfg_heat_db_pw = hiera('CONFIG_HEAT_DB_PW')
|
||||||
$heat_rabbitmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
$heat_rabbitmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
||||||
|
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_HEAT_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_HEAT_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'heat',
|
||||||
|
group => 'heat',
|
||||||
|
require => Package['openstack-heat-common'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
class { '::heat':
|
class { '::heat':
|
||||||
keystone_host => $heat_rabbitmq_cfg_ctrl_host,
|
keystone_host => $heat_rabbitmq_cfg_ctrl_host,
|
||||||
keystone_password => hiera('CONFIG_HEAT_KS_PW'),
|
keystone_password => hiera('CONFIG_HEAT_KS_PW'),
|
||||||
@ -10,10 +24,13 @@ class { '::heat':
|
|||||||
rpc_backend => 'heat.openstack.common.rpc.impl_kombu',
|
rpc_backend => 'heat.openstack.common.rpc.impl_kombu',
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
verbose => true,
|
verbose => true,
|
||||||
debug => hiera('CONFIG_DEBUG_MODE'),
|
debug => hiera('CONFIG_DEBUG_MODE'),
|
||||||
database_connection => "mysql://heat:${heat_rabbitmq_cfg_heat_db_pw}@${heat_rabbitmq_cfg_mariadb_host}/heat",
|
database_connection => "mysql://heat:${heat_rabbitmq_cfg_heat_db_pw}@${heat_rabbitmq_cfg_mariadb_host}/heat",
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -19,6 +19,11 @@ $bind_host = hiera('CONFIG_IP_VERSION') ? {
|
|||||||
'ipv4' => '0.0.0.0',
|
'ipv4' => '0.0.0.0',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$horizon_ssl = hiera('CONFIG_HORIZON_SSL') ? {
|
||||||
|
'y' => true,
|
||||||
|
'n' => false,
|
||||||
|
}
|
||||||
|
|
||||||
class {'::horizon':
|
class {'::horizon':
|
||||||
secret_key => hiera('CONFIG_HORIZON_SECRET_KEY'),
|
secret_key => hiera('CONFIG_HORIZON_SECRET_KEY'),
|
||||||
keystone_url => "http://${keystone_host}:5000/v2.0",
|
keystone_url => "http://${keystone_host}:5000/v2.0",
|
||||||
@ -29,48 +34,18 @@ class {'::horizon':
|
|||||||
compress_offline => false,
|
compress_offline => false,
|
||||||
django_debug => $is_django_debug,
|
django_debug => $is_django_debug,
|
||||||
file_upload_temp_dir => '/var/tmp',
|
file_upload_temp_dir => '/var/tmp',
|
||||||
listen_ssl => hiera('CONFIG_HORIZON_SSL'),
|
listen_ssl => $horizon_ssl,
|
||||||
horizon_cert => '/etc/pki/tls/certs/ssl_ps_server.crt',
|
horizon_cert => hiera('CONFIG_HORIZON_SSL_CERT', undef),
|
||||||
horizon_key => '/etc/pki/tls/private/ssl_ps_server.key',
|
horizon_key => hiera('CONFIG_HORIZON_SSL_KEY', undef),
|
||||||
horizon_ca => '/etc/pki/tls/certs/ssl_ps_chain.crt',
|
horizon_ca => hiera('CONFIG_HORIZON_SSL_CACERT', undef),
|
||||||
neutron_options => {
|
neutron_options => {
|
||||||
'enable_lb' => hiera('CONFIG_HORIZON_NEUTRON_LB'),
|
'enable_lb' => hiera('CONFIG_HORIZON_NEUTRON_LB'),
|
||||||
'enable_firewall' => hiera('CONFIG_HORIZON_NEUTRON_FW'),
|
'enable_firewall' => hiera('CONFIG_HORIZON_NEUTRON_FW'),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
$is_horizon_ssl = hiera('CONFIG_HORIZON_SSL')
|
if $horizon_ssl {
|
||||||
|
|
||||||
if $is_horizon_ssl == true {
|
|
||||||
file {'/etc/pki/tls/certs/ps_generate_ssl_certs.ssh':
|
|
||||||
ensure => file,
|
|
||||||
content => template('packstack/ssl/generate_ssl_certs.sh.erb'),
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
|
|
||||||
exec {'/etc/pki/tls/certs/ps_generate_ssl_certs.ssh':
|
|
||||||
require => File['/etc/pki/tls/certs/ps_generate_ssl_certs.ssh'],
|
|
||||||
notify => Service['httpd'],
|
|
||||||
before => Class['horizon'],
|
|
||||||
} ->
|
|
||||||
exec { 'nova-novncproxy-restart':
|
|
||||||
# ps_generate_ssl_certs.ssh is generating ssl certs for nova-novncproxy
|
|
||||||
# so openstack-nova-novncproxy should be restarted.
|
|
||||||
path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
|
|
||||||
command => 'systemctl restart openstack-nova-novncproxy.service',
|
|
||||||
logoutput => 'on_failure',
|
|
||||||
}
|
|
||||||
|
|
||||||
apache::listen { '443': }
|
apache::listen { '443': }
|
||||||
|
|
||||||
# little bit of hatred as we'll have to patch upstream puppet-horizon
|
|
||||||
file_line {'horizon_ssl_wsgi_fix':
|
|
||||||
path => '/etc/httpd/conf.d/15-horizon_ssl_vhost.conf',
|
|
||||||
match => 'WSGIProcessGroup.*',
|
|
||||||
line => ' WSGIProcessGroup horizon-ssl',
|
|
||||||
require => File['15-horizon_ssl_vhost.conf'],
|
|
||||||
notify => Service['httpd'],
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class { '::memcached':
|
class { '::memcached':
|
||||||
|
@ -1,14 +1,31 @@
|
|||||||
$ironic_rabbitmq_cfg_ironic_db_pw = hiera('CONFIG_IRONIC_DB_PW')
|
$ironic_rabbitmq_cfg_ironic_db_pw = hiera('CONFIG_IRONIC_DB_PW')
|
||||||
$ironic_rabbitmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
$ironic_rabbitmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
||||||
|
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_IRONIC_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_IRONIC_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'ironic',
|
||||||
|
group => 'ironic',
|
||||||
|
require => Package['openstack-ironic-common'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
class { '::ironic':
|
class { '::ironic':
|
||||||
rpc_backend => 'ironic.openstack.common.rpc.impl_kombu',
|
rpc_backend => 'ironic.openstack.common.rpc.impl_kombu',
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_user => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_user => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
database_connection => "mysql://ironic:${ironic_rabbitmq_cfg_ironic_db_pw}@${ironic_rabbitmq_cfg_mariadb_host}/ironic",
|
database_connection => "mysql://ironic:${ironic_rabbitmq_cfg_ironic_db_pw}@${ironic_rabbitmq_cfg_mariadb_host}/ironic",
|
||||||
debug => true,
|
debug => true,
|
||||||
verbose => true,
|
verbose => true,
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -1,3 +1,17 @@
|
|||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_MANILA_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_MANILA_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'manila',
|
||||||
|
group => 'manila',
|
||||||
|
# manila user on RH/Fedora is provided by python-manila
|
||||||
|
require => Package['openstack-manila'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
$db_pw = hiera('CONFIG_MANILA_DB_PW')
|
$db_pw = hiera('CONFIG_MANILA_DB_PW')
|
||||||
$mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
$mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
||||||
@ -5,7 +19,7 @@ $mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
|||||||
class { '::manila':
|
class { '::manila':
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
sql_connection => "mysql://manila:${db_pw}@${mariadb_host}/manila",
|
sql_connection => "mysql://manila:${db_pw}@${mariadb_host}/manila",
|
||||||
|
@ -94,6 +94,6 @@ firewall { '001 nagios incoming':
|
|||||||
}
|
}
|
||||||
|
|
||||||
# ensure that we won't stop listening on 443 if horizon has ssl enabled
|
# ensure that we won't stop listening on 443 if horizon has ssl enabled
|
||||||
if hiera('CONFIG_HORIZON_SSL') {
|
if hiera('CONFIG_HORIZON_SSL') == 'y' {
|
||||||
apache::listen { '443': }
|
apache::listen { '443': }
|
||||||
}
|
}
|
||||||
|
@ -3,11 +3,26 @@ $bind_host = hiera('CONFIG_IP_VERSION') ? {
|
|||||||
'ipv4' => '0.0.0.0',
|
'ipv4' => '0.0.0.0',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_NEUTRON_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_NEUTRON_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'neutron',
|
||||||
|
group => 'neutron',
|
||||||
|
require => Class['neutron'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
class { '::neutron':
|
class { '::neutron':
|
||||||
bind_host => $bind_host,
|
bind_host => $bind_host,
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_user => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_user => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
core_plugin => hiera('CONFIG_NEUTRON_CORE_PLUGIN'),
|
core_plugin => hiera('CONFIG_NEUTRON_CORE_PLUGIN'),
|
||||||
@ -15,4 +30,7 @@ class { '::neutron':
|
|||||||
service_plugins => hiera_array('SERVICE_PLUGINS'),
|
service_plugins => hiera_array('SERVICE_PLUGINS'),
|
||||||
verbose => true,
|
verbose => true,
|
||||||
debug => hiera('CONFIG_DEBUG_MODE'),
|
debug => hiera('CONFIG_DEBUG_MODE'),
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -1,14 +1,30 @@
|
|||||||
|
$ceilometer_kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$ceilometer_kombu_ssl_keyfile = hiera('CONFIG_CEILOMETER_SSL_KEY', undef)
|
||||||
|
$ceilometer_kombu_ssl_certfile = hiera('CONFIG_CEILOMETER_SSL_CERT', undef)
|
||||||
|
|
||||||
class { '::ceilometer':
|
if $ceilometer_kombu_ssl_keyfile {
|
||||||
metering_secret => hiera('CONFIG_CEILOMETER_SECRET'),
|
$ceilometer_files_to_set_owner = [ $ceilometer_kombu_ssl_keyfile, $ceilometer_kombu_ssl_certfile ]
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
file { $ceilometer_files_to_set_owner:
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
owner => 'ceilometer',
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
group => 'ceilometer',
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
require => Package['nova-common'],
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
}
|
||||||
verbose => true,
|
File[$ceilometer_files_to_set_owner] ~> Service<||>
|
||||||
debug => hiera('CONFIG_DEBUG_MODE'),
|
}
|
||||||
# for some strange reason ceilometer needs to be in nova group
|
|
||||||
require => Package['nova-common'],
|
class { '::ceilometer':
|
||||||
|
metering_secret => hiera('CONFIG_CEILOMETER_SECRET'),
|
||||||
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
|
verbose => true,
|
||||||
|
debug => hiera('CONFIG_DEBUG_MODE'),
|
||||||
|
# for some strange reason ceilometer needs to be in nova group
|
||||||
|
require => Package['nova-common'],
|
||||||
|
kombu_ssl_ca_certs => $ceilometer_kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $ceilometer_kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $ceilometer_kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
$private_key = {
|
$private_key = {
|
||||||
type => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
'type' => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
||||||
key => hiera('NOVA_MIGRATION_KEY_SECRET'),
|
key => hiera('NOVA_MIGRATION_KEY_SECRET'),
|
||||||
}
|
}
|
||||||
$public_key = {
|
$public_key = {
|
||||||
type => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
'type' => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
||||||
key => hiera('NOVA_MIGRATION_KEY_PUBLIC'),
|
key => hiera('NOVA_MIGRATION_KEY_PUBLIC'),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,23 +1,41 @@
|
|||||||
$private_key = {
|
$private_key = {
|
||||||
type => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
'type' => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
||||||
key => hiera('NOVA_MIGRATION_KEY_SECRET'),
|
key => hiera('NOVA_MIGRATION_KEY_SECRET'),
|
||||||
}
|
}
|
||||||
$public_key = {
|
$public_key = {
|
||||||
type => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
'type' => hiera('NOVA_MIGRATION_KEY_TYPE'),
|
||||||
key => hiera('NOVA_MIGRATION_KEY_PUBLIC'),
|
key => hiera('NOVA_MIGRATION_KEY_PUBLIC'),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_NOVA_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_NOVA_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'nova',
|
||||||
|
group => 'nova',
|
||||||
|
require => Package['nova-common'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
$nova_common_rabbitmq_cfg_storage_host = hiera('CONFIG_STORAGE_HOST_URL')
|
$nova_common_rabbitmq_cfg_storage_host = hiera('CONFIG_STORAGE_HOST_URL')
|
||||||
|
|
||||||
class { '::nova':
|
class { '::nova':
|
||||||
glance_api_servers => "${nova_common_rabbitmq_cfg_storage_host}:9292",
|
glance_api_servers => "${nova_common_rabbitmq_cfg_storage_host}:9292",
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
verbose => true,
|
verbose => true,
|
||||||
debug => hiera('CONFIG_DEBUG_MODE'),
|
debug => hiera('CONFIG_DEBUG_MODE'),
|
||||||
nova_public_key => $public_key,
|
nova_public_key => $public_key,
|
||||||
nova_private_key => $private_key,
|
nova_private_key => $private_key,
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -27,18 +27,6 @@ nova_config{
|
|||||||
value => hiera('CONFIG_NOVA_COMPUTE_MIGRATE_URL');
|
value => hiera('CONFIG_NOVA_COMPUTE_MIGRATE_URL');
|
||||||
}
|
}
|
||||||
|
|
||||||
if $is_horizon_ssl == undef {
|
|
||||||
$is_horizon_ssl = hiera('CONFIG_HORIZON_SSL')
|
|
||||||
}
|
|
||||||
|
|
||||||
if $vncproxy_protocol == undef {
|
|
||||||
$vncproxy_protocol = $is_horizon_ssl ? {
|
|
||||||
true => 'https',
|
|
||||||
false => 'http',
|
|
||||||
default => 'http',
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($::fqdn == '' or $::fqdn =~ /localhost/) {
|
if ($::fqdn == '' or $::fqdn =~ /localhost/) {
|
||||||
# For cases where FQDNs have not been correctly set
|
# For cases where FQDNs have not been correctly set
|
||||||
$vncproxy_server = choose_my_ip(hiera('HOST_LIST'))
|
$vncproxy_server = choose_my_ip(hiera('HOST_LIST'))
|
||||||
@ -49,7 +37,7 @@ if ($::fqdn == '' or $::fqdn =~ /localhost/) {
|
|||||||
class { '::nova::compute':
|
class { '::nova::compute':
|
||||||
enabled => true,
|
enabled => true,
|
||||||
vncproxy_host => hiera('CONFIG_KEYSTONE_HOST_URL'),
|
vncproxy_host => hiera('CONFIG_KEYSTONE_HOST_URL'),
|
||||||
vncproxy_protocol => $vncproxy_protocol,
|
vncproxy_protocol => hiera('CONFIG_VNCPROXY_PROTOCOL'),
|
||||||
vncserver_proxyclient_address => $vncproxy_server,
|
vncserver_proxyclient_address => $vncproxy_server,
|
||||||
compute_manager => hiera('CONFIG_NOVA_COMPUTE_MANAGER'),
|
compute_manager => hiera('CONFIG_NOVA_COMPUTE_MANAGER'),
|
||||||
}
|
}
|
||||||
|
@ -1,12 +1,8 @@
|
|||||||
if $is_horizon_ssl == undef {
|
if hiera('CONFIG_HORIZON_SSL') == 'y' {
|
||||||
$is_horizon_ssl = hiera('CONFIG_HORIZON_SSL')
|
|
||||||
}
|
|
||||||
|
|
||||||
if $is_horizon_ssl == true {
|
|
||||||
nova_config {
|
nova_config {
|
||||||
'DEFAULT/ssl_only': value => true;
|
'DEFAULT/ssl_only': value => true;
|
||||||
'DEFAULT/cert': value => '/etc/nova/nova.crt';
|
'DEFAULT/cert': value => hiera('CONFIG_VNC_SSL_CERT');
|
||||||
'DEFAULT/key': value => '/etc/nova/nova.key';
|
'DEFAULT/key': value => hiera('CONFIG_VNC_SSL_KEY');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,7 +1,24 @@
|
|||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_SAHARA_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_SAHARA_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'sahara',
|
||||||
|
group => 'sahara',
|
||||||
|
require => Package['openstack-sahara'],
|
||||||
|
}
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
class { '::sahara::notify::rabbitmq':
|
class { '::sahara::notify::rabbitmq':
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -2,10 +2,25 @@ $trove_rabmq_cfg_trove_db_pw = hiera('CONFIG_TROVE_DB_PW')
|
|||||||
$trove_rabmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
$trove_rabmq_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST_URL')
|
||||||
$trove_rabmq_cfg_controller_host = hiera('CONFIG_KEYSTONE_HOST_URL')
|
$trove_rabmq_cfg_controller_host = hiera('CONFIG_KEYSTONE_HOST_URL')
|
||||||
|
|
||||||
|
$kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE', undef)
|
||||||
|
$kombu_ssl_keyfile = hiera('CONFIG_TROVE_SSL_KEY', undef)
|
||||||
|
$kombu_ssl_certfile = hiera('CONFIG_TROVE_SSL_CERT', undef)
|
||||||
|
|
||||||
|
if $kombu_ssl_keyfile {
|
||||||
|
$files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
|
||||||
|
file { $files_to_set_owner:
|
||||||
|
owner => 'trove',
|
||||||
|
group => 'trove',
|
||||||
|
}
|
||||||
|
Package<|tag=='trove'|> -> File[$files_to_set_owner]
|
||||||
|
File[$files_to_set_owner] ~> Service<||>
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
class { '::trove':
|
class { '::trove':
|
||||||
rpc_backend => 'trove.openstack.common.rpc.impl_kombu',
|
rpc_backend => 'trove.openstack.common.rpc.impl_kombu',
|
||||||
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
rabbit_host => hiera('CONFIG_AMQP_HOST_URL'),
|
||||||
rabbit_use_ssl => hiera('CONFIG_AMQP_ENABLE_SSL'),
|
rabbit_use_ssl => hiera('CONFIG_AMQP_SSL_ENABLED'),
|
||||||
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
rabbit_port => hiera('CONFIG_AMQP_CLIENTS_PORT'),
|
||||||
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
rabbit_userid => hiera('CONFIG_AMQP_AUTH_USER'),
|
||||||
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
|
||||||
@ -17,4 +32,7 @@ class { '::trove':
|
|||||||
cinder_url => "http://${trove_rabmq_cfg_controller_host}:8776/v1",
|
cinder_url => "http://${trove_rabmq_cfg_controller_host}:8776/v1",
|
||||||
swift_url => "http://${trove_rabmq_cfg_controller_host}:8080/v1/AUTH_",
|
swift_url => "http://${trove_rabmq_cfg_controller_host}:8080/v1/AUTH_",
|
||||||
use_neutron => hiera('CONFIG_NEUTRON_INSTALL'),
|
use_neutron => hiera('CONFIG_NEUTRON_INSTALL'),
|
||||||
|
kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
|
||||||
|
kombu_ssl_keyfile => $kombu_ssl_keyfile,
|
||||||
|
kombu_ssl_certfile => $kombu_ssl_certfile,
|
||||||
}
|
}
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
netaddr>=0.7.6
|
netaddr>=0.7.6
|
||||||
PyYAML>=3.10
|
PyYAML>=3.10
|
||||||
docutils>=0.11
|
docutils>=0.11
|
||||||
|
pyOpenSSL
|
||||||
|
cryptography
|
||||||
|
2
setup.py
2
setup.py
@ -104,7 +104,7 @@ setup(
|
|||||||
include_package_data=True,
|
include_package_data=True,
|
||||||
long_description=read('README.md'),
|
long_description=read('README.md'),
|
||||||
zip_safe=False,
|
zip_safe=False,
|
||||||
install_requires=['netaddr', 'PyYAML', 'docutils'],
|
install_requires=['netaddr', 'pyOpenSSL', 'PyYAML', 'docutils'],
|
||||||
classifiers=[
|
classifiers=[
|
||||||
"Development Status :: 3 - Alpha",
|
"Development Status :: 3 - Alpha",
|
||||||
"Topic :: Utilities",
|
"Topic :: Utilities",
|
||||||
|
@ -91,7 +91,8 @@ class CommandLineTestCase(PackstackTestCaseMixin, TestCase):
|
|||||||
sys.argv = ['packstack', '--debug',
|
sys.argv = ['packstack', '--debug',
|
||||||
'--ssh-public-key=%s' % dummy_public_key,
|
'--ssh-public-key=%s' % dummy_public_key,
|
||||||
'--install-hosts=127.0.0.1', '--os-swift-install=y',
|
'--install-hosts=127.0.0.1', '--os-swift-install=y',
|
||||||
'--nagios-install=y', '--use-epel=y']
|
'--nagios-install=y', '--use-epel=y', '--ssl-cacert-selfsign=y',
|
||||||
|
'--ssl-cert-dir=%s' % os.path.expanduser('~/')]
|
||||||
|
|
||||||
# There is no puppet logfile to validate, so replace
|
# There is no puppet logfile to validate, so replace
|
||||||
# ospluginutils.validate_puppet_logfile with a mock function
|
# ospluginutils.validate_puppet_logfile with a mock function
|
||||||
|
@ -73,7 +73,15 @@ class ValidatorsTestCase(PackstackTestCaseMixin, TestCase):
|
|||||||
|
|
||||||
def test_validate_file(self):
|
def test_validate_file(self):
|
||||||
"""Test packstack.installer.validators.validate_file."""
|
"""Test packstack.installer.validators.validate_file."""
|
||||||
fname = os.path.join(self.tempdir, '.test_validate_file')
|
dname = os.path.join(self.tempdir, '.test_validate_file')
|
||||||
|
bad_name = os.path.join(self.tempdir, '.me_no_exists')
|
||||||
|
os.mkdir(dname)
|
||||||
|
validate_writeable_directory(dname)
|
||||||
|
self.assertRaises(ParamValidationError, validate_writeable_directory, bad_name)
|
||||||
|
|
||||||
|
def test_validate_writeable_directory(self):
|
||||||
|
"""Test packstack.installer.validators.validate_writeable_directory."""
|
||||||
|
fname = os.path.join(self.tempdir, '.test_validate_writeable_directory')
|
||||||
bad_name = os.path.join(self.tempdir, '.me_no_exists')
|
bad_name = os.path.join(self.tempdir, '.me_no_exists')
|
||||||
with open(fname, 'w') as f:
|
with open(fname, 'w') as f:
|
||||||
f.write('test')
|
f.write('test')
|
||||||
|
@ -2,3 +2,4 @@ nose
|
|||||||
coverage
|
coverage
|
||||||
hacking>=0.9.5,<0.10
|
hacking>=0.9.5,<0.10
|
||||||
netaddr
|
netaddr
|
||||||
|
pyOpenSSL
|
||||||
|
Loading…
Reference in New Issue
Block a user