From 9c6682effe3a4dc0f7ad05d076c29055e28e4f71 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Thu, 11 Feb 2016 14:01:28 -0800 Subject: [PATCH] Update SSL configuration We don't need to use a separate CA chain for these certs, instead it is sufficient to just trust the self-signed cert. Moreover, we have been cheating by copying the same certs and keys to various directories for each service, so instead of bothering with keeping separate certs let's just formalize having a single pair. The cert will be used as its own CA and added to the system trusted certificates. The key still needs to be privately readable by certain system users, so we'll still copy that into the ssl directories for each service. Also, since we'll be changing these keys, make sure they are set up to notify the service they're supporting. Additionally, automate the trusting of our self-signed certs on the compute hosts which previously was done manually. The compute hosts need to be able to use encrypted rabbitmq and make API calls to keystone and neutron. Change-Id: Ibeea608e965e58c496a95b2f02a4bf6b13e15f0e --- manifests/compute.pp | 7 +++ manifests/controller.pp | 79 ++++++++++++++++---------------- manifests/{ssl.pp => ssl_key.pp} | 23 +--------- 3 files changed, 48 insertions(+), 61 deletions(-) rename manifests/{ssl.pp => ssl_key.pp} (56%) diff --git a/manifests/compute.pp b/manifests/compute.pp index de2b983..a9ec4bf 100644 --- a/manifests/compute.pp +++ b/manifests/compute.pp @@ -2,11 +2,18 @@ class infracloud::compute( $nova_rabbit_password, $neutron_rabbit_password, $neutron_admin_password, + $ssl_cert_file_contents = undef, #TODO: make required $br_name, $controller_public_address, $controller_management_address, ) { + ### Certificate Chain ### + + class { '::infracloud::cacert': + cacert_content => $ssl_cert_file_contents, + } + ### Networking ### class {'::infracloud::veth': diff --git a/manifests/controller.pp b/manifests/controller.pp index 15e67b0..082d0a3 100644 
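Review bot: `$ssl_cert_file_contents = undef, #TODO: make required` is handed straight to `cacert_content` with nothing rejecting the undef case, so until the TODO lands a node that omits the parameter declares `::infracloud::cacert` with no content instead of failing at catalog compile time (what that class does with an undef content is not visible here, so this assumes it does not validate it itself). The file already uses the `if $key_path == undef` idiom for such checks; a guard ahead of the class declaration, `if $ssl_cert_file_contents == undef { fail('infracloud::compute requires ssl_cert_file_contents') }`, makes the interim default fail safe. The `### Certificate Chain ###` heading also no longer describes what follows, since a single self-signed cert is being installed as a trust anchor; `### Trusted certificate ###` reads closer. The `class infracloud::compute(` block continues past the end of the hunk.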
--- a/manifests/controller.pp +++ b/manifests/controller.pp @@ -14,31 +14,32 @@ class infracloud::controller( $neutron_admin_password, $nova_admin_password, $keystone_admin_token, - $ssl_chain_file_contents, - $keystone_ssl_key_file_contents, - $keystone_ssl_cert_file_contents, - $neutron_ssl_key_file_contents, - $neutron_ssl_cert_file_contents, - $glance_ssl_key_file_contents, - $glance_ssl_cert_file_contents, - $nova_ssl_key_file_contents, - $nova_ssl_cert_file_contents, $br_name, $controller_management_address, $controller_public_address = $::fqdn, + $ssl_key_file_contents = undef, # TODO(crinkle): make required + $ssl_cert_file_contents = undef, # TODO(crinkle): make required + # Non-functional parameters + # TODO(crinkle): remove + $ssl_chain_file_contents = undef, + $keystone_ssl_key_file_contents = undef, + $keystone_ssl_cert_file_contents = undef, + $neutron_ssl_key_file_contents = undef, + $neutron_ssl_cert_file_contents = undef, + $glance_ssl_key_file_contents = undef, + $glance_ssl_cert_file_contents = undef, + $nova_ssl_key_file_contents = undef, + $nova_ssl_cert_file_contents = undef, ) { $keystone_auth_uri = "https://${controller_public_address}:5000" $keystone_admin_uri = "https://${controller_public_address}:35357" + $ssl_cert_path = '/etc/ssl/certs/openstack_infra_ca.pem' ### Certificate Chain ### - # This chain file needs to sign every other cert - $ssl_chain_path = "/etc/ssl/certs/${controller_public_address}-ca.pem" - file { $ssl_chain_path: - ensure => present, - content => $ssl_chain_file_contents, - mode => '0644', + class { '::infracloud::cacert': + cacert_content => $ssl_cert_file_contents, } ### Networking ### 
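Review bot: `$ssl_cert_path = '/etc/ssl/certs/openstack_infra_ca.pem'` is a literal that has to agree with wherever `::infracloud::cacert` installs the cert, but the path is not passed to that class and the class is not visible here, so the two can drift silently and every `cert_file => $ssl_cert_path` in this class would then point at a file that is never written. If `::infracloud::cacert` takes a path parameter, pass `$ssl_cert_path` to it; otherwise a comment on the assignment saying it mirrors the path hard-coded in `::infracloud::cacert` is the minimum. Separately, the commit message says this one cert is installed into the system trust store of every host while its key is copied into each service's private directory, so a comment next to `$ssl_cert_path` should record that the trust is host-wide and that every copy of the key is the credential the whole deployment trusts, which makes the ownership and mode set in `infracloud::ssl_key` the security boundary. The `class infracloud::controller(` block continues past the end of the hunk.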
@@ -115,20 +116,18 @@ class infracloud::controller( include ::apache $keystone_ssl_key_path = "/etc/ssl/private/${controller_public_address}-keystone.pem" - $keystone_ssl_cert_path = "/etc/ssl/certs/${controller_public_address}-keystone.pem" # keystone vhost class { '::keystone::wsgi::apache': ssl_key => $keystone_ssl_key_path, - ssl_cert => $keystone_ssl_cert_path, - ssl_chain => $ssl_chain_path, + ssl_cert => $ssl_cert_path, + subscribe => Class['::infracloud::cacert'], } - infracloud::ssl { 'keystone': - key_content => $keystone_ssl_key_file_contents, - cert_content => $keystone_ssl_cert_file_contents, - key_path => $keystone_ssl_key_path, - cert_path => $keystone_ssl_cert_path, + infracloud::ssl_key { 'keystone': + key_content => $ssl_key_file_contents, + key_path => $keystone_ssl_key_path, + notify => Service['httpd'], } ### Glance ### @@ -145,14 +144,14 @@ class infracloud::controller( keystone_password => $glance_admin_password, auth_uri => $keystone_auth_uri, identity_uri => $keystone_admin_uri, - cert_file => "/etc/glance/ssl/certs/${controller_public_address}.pem", + cert_file => $ssl_cert_path, key_file => "/etc/glance/ssl/private/${controller_public_address}.pem", + subscribe => Class['::infracloud::cacert'], } - infracloud::ssl { 'glance': - key_content => $glance_ssl_key_file_contents, - cert_content => $glance_ssl_cert_file_contents, - before => Service['glance-api'], + infracloud::ssl_key { 'glance': + key_content => $ssl_key_file_contents, + notify => Service['glance-api'], } # glance-registry.conf 
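Review bot: `infracloud::ssl_key { 'glance': }` leaves `key_path` at its default, which `ssl_key.pp` computes as `/etc/${name}/ssl/private/${::fqdn}.pem`, while glance-api is configured with `key_file => "/etc/glance/ssl/private/${controller_public_address}.pem"`; the two only coincide while `$controller_public_address` keeps its `$::fqdn` default, and an operator who overrides it gets the key written to one path and the service pointed at another. The neutron and nova hunks carry the same mismatch; the keystone hunk avoids it by passing `key_path` explicitly. Passing `key_path => "/etc/glance/ssl/private/${controller_public_address}.pem"` here (and the equivalent for neutron and nova), or deriving both `key_file` and `key_path` from one variable, keeps them in step. The `class infracloud::controller(` block starts and ends outside this hunk.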
@@ -198,15 +197,15 @@ class infracloud::controller( rabbit_password => $neutron_rabbit_password, rabbit_host => $controller_management_address, use_ssl => true, - cert_file => "/etc/neutron/ssl/certs/${controller_public_address}.pem", + cert_file => $ssl_cert_path, key_file => "/etc/neutron/ssl/private/${controller_public_address}.pem", + subscribe => Class['::infracloud::cacert'], } - infracloud::ssl { 'neutron': - key_content => $neutron_ssl_key_file_contents, - cert_content => $neutron_ssl_cert_file_contents, - before => Service['neutron-server'], - require => Package['neutron'], + infracloud::ssl_key { 'neutron': + key_content => $ssl_key_file_contents, + notify => Service['neutron-server'], + require => Package['neutron'], } # keystone user, role, service, endpoints for neutron service @@ -302,14 +301,14 @@ class infracloud::controller( rabbit_host => $controller_management_address, glance_api_servers => "https://${controller_public_address}:9292", use_ssl => true, - cert_file => "/etc/nova/ssl/certs/${controller_public_address}.pem", + cert_file => $ssl_cert_path, key_file => "/etc/nova/ssl/private/${controller_public_address}.pem", + subscribe => Class['::infracloud::cacert'], } - infracloud::ssl { 'nova': - key_content => $nova_ssl_key_file_contents, - cert_content => $nova_ssl_cert_file_contents, - before => Service['nova-api'], - require => Class['::nova'], + infracloud::ssl_key { 'nova': + key_content => $ssl_key_file_contents, + notify => Service['nova-api'], + require => Class['::nova'], } # keystone user, role, service, endpoints for nova service diff --git a/manifests/ssl.pp b/manifests/ssl_key.pp similarity index 56% rename from manifests/ssl.pp rename to manifests/ssl_key.pp index 4bcbdb3..3325bd9 100644 --- a/manifests/ssl.pp +++ b/manifests/ssl_key.pp 
@@ -1,23 +1,16 @@ -define infracloud::ssl( +define infracloud::ssl_key( $key_content, - $cert_content, $key_path = undef, - $cert_path = undef, ) { if $key_path == undef { $_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem" } else { $_key_path = $key_path } - if $cert_path == undef { - $_cert_path = "/etc/${name}/ssl/certs/${::fqdn}.pem" - } else { - $_cert_path = $cert_path - } # If the user isn't providing an unexpected path, create the directory # structure. - if $key_path == undef and $cert_path == undef { + if $key_path == undef { file { "/etc/${name}/ssl": ensure => directory, owner => $name, @@ -30,13 +23,6 @@ define infracloud::ssl( require => File["/etc/${name}/ssl"], before => File[$_key_path] } - file { "/etc/${name}/ssl/certs": - ensure => directory, - owner => $name, - mode => '0750', - require => File["/etc/${name}/ssl"], - before => File[$_cert_path], - } } file { $_key_path: @@ -45,9 +31,4 @@ define infracloud::ssl( owner => $name, mode => '0600', } - file { $_cert_path: - ensure => present, - content => $cert_content, - mode => '0644', - } }
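Review bot: The `file { $_key_path: }` resource writes a private key via `content => $key_content`, and since this change is what rotates the key, the old-versus-new content is logged as a diff in agent output and reports whenever the agent's `show_diff` setting is on (commonly enabled for noop runs); the resource-level `show_diff => false,` placed next to `mode => '0600',` opts this resource out regardless of the agent setting. The `content =>` line itself falls between the last two hunks shown here. The define has also lost its cert half but carries no header comment describing the new contract; a line such as `# Install the shared TLS private key for service $name, owned by that service user and readable only by it` above `define infracloud::ssl_key(` would document it.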