Update SSL configuration

We don't need to use a separate CA chain for these certs, instead it is
sufficient to just trust the self-signed cert.

Moreover, we have been cheating by copying the same certs and keys to
various directories for each service, so instead of bothering with
keeping separate certs let's just formalize having a single pair. The
cert will be used as its own CA and added to the system trusted
certificates. The key still needs to be privately readable by certain
system users, so we'll still copy that into the ssl directories for
each service.

Also, since we'll be changing these keys, make sure they are set up to
notify the service they're supporting.

Additionally, automate the trusting of our self-signed certs on the
compute hosts which previously was done manually. The compute hosts
need to be able to use encrypted rabbitmq and make API calls to
keystone and neutron.

Change-Id: Ibeea608e965e58c496a95b2f02a4bf6b13e15f0e

manifests/compute.pp

@@ -2,11 +2,18 @@ class infracloud::compute(
   $nova_rabbit_password,
   $neutron_rabbit_password,
   $neutron_admin_password,
+  $ssl_cert_file_contents = undef, #TODO: make required
   $br_name,
   $controller_public_address,
   $controller_management_address,
 ) {
 
+  ### Certificate Chain ###
+
+  class { '::infracloud::cacert':
+    cacert_content => $ssl_cert_file_contents,
+  }
+
   ### Networking ###
 
   class {'::infracloud::veth':

manifests/controller.pp

@@ -14,31 +14,32 @@ class infracloud::controller(
   $neutron_admin_password,
   $nova_admin_password,
   $keystone_admin_token,
-  $ssl_chain_file_contents,
-  $keystone_ssl_key_file_contents,
-  $keystone_ssl_cert_file_contents,
-  $neutron_ssl_key_file_contents,
-  $neutron_ssl_cert_file_contents,
-  $glance_ssl_key_file_contents,
-  $glance_ssl_cert_file_contents,
-  $nova_ssl_key_file_contents,
-  $nova_ssl_cert_file_contents,
   $br_name,
   $controller_management_address,
   $controller_public_address = $::fqdn,
+  $ssl_key_file_contents = undef, # TODO(crinkle): make required
+  $ssl_cert_file_contents = undef, # TODO(crinkle): make required
+  # Non-functional parameters
+  # TODO(crinkle): remove
+  $ssl_chain_file_contents = undef,
+  $keystone_ssl_key_file_contents = undef,
+  $keystone_ssl_cert_file_contents = undef,
+  $neutron_ssl_key_file_contents = undef,
+  $neutron_ssl_cert_file_contents = undef,
+  $glance_ssl_key_file_contents = undef,
+  $glance_ssl_cert_file_contents = undef,
+  $nova_ssl_key_file_contents = undef,
+  $nova_ssl_cert_file_contents = undef,
 ) {
 
   $keystone_auth_uri = "https://${controller_public_address}:5000"
   $keystone_admin_uri = "https://${controller_public_address}:35357"
+  $ssl_cert_path = '/etc/ssl/certs/openstack_infra_ca.pem'
 
   ### Certificate Chain ###
 
-  # This chain file needs to sign every other cert
-  $ssl_chain_path = "/etc/ssl/certs/${controller_public_address}-ca.pem"
-  file { $ssl_chain_path:
-    ensure  => present,
-    content => $ssl_chain_file_contents,
-    mode    => '0644',
+  class { '::infracloud::cacert':
+    cacert_content => $ssl_cert_file_contents,
   }
 
   ### Networking ###
@@ -115,20 +116,18 @@ class infracloud::controller(
   include ::apache
 
   $keystone_ssl_key_path = "/etc/ssl/private/${controller_public_address}-keystone.pem"
-  $keystone_ssl_cert_path = "/etc/ssl/certs/${controller_public_address}-keystone.pem"
 
   # keystone vhost
   class { '::keystone::wsgi::apache':
     ssl_key   => $keystone_ssl_key_path,
-    ssl_cert  => $keystone_ssl_cert_path,
-    ssl_chain => $ssl_chain_path,
+    ssl_cert  => $ssl_cert_path,
+    subscribe => Class['::infracloud::cacert'],
   }
 
-  infracloud::ssl { 'keystone':
-    key_content  => $keystone_ssl_key_file_contents,
-    cert_content => $keystone_ssl_cert_file_contents,
+  infracloud::ssl_key { 'keystone':
+    key_content => $ssl_key_file_contents,
     key_path    => $keystone_ssl_key_path,
-    cert_path    => $keystone_ssl_cert_path,
+    notify      => Service['httpd'],
   }
 
   ### Glance ###
@@ -145,14 +144,14 @@ class infracloud::controller(
     keystone_password   => $glance_admin_password,
     auth_uri            => $keystone_auth_uri,
     identity_uri        => $keystone_admin_uri,
-    cert_file           => "/etc/glance/ssl/certs/${controller_public_address}.pem",
+    cert_file           => $ssl_cert_path,
     key_file            => "/etc/glance/ssl/private/${controller_public_address}.pem",
+    subscribe           => Class['::infracloud::cacert'],
   }
 
-  infracloud::ssl { 'glance':
-    key_content  => $glance_ssl_key_file_contents,
-    cert_content => $glance_ssl_cert_file_contents,
-    before       => Service['glance-api'],
+  infracloud::ssl_key { 'glance':
+    key_content => $ssl_key_file_contents,
+    notify      => Service['glance-api'],
   }
 
   # glance-registry.conf
@@ -198,14 +197,14 @@ class infracloud::controller(
     rabbit_password => $neutron_rabbit_password,
     rabbit_host     => $controller_management_address,
     use_ssl         => true,
-    cert_file       => "/etc/neutron/ssl/certs/${controller_public_address}.pem",
+    cert_file       => $ssl_cert_path,
     key_file        => "/etc/neutron/ssl/private/${controller_public_address}.pem",
+    subscribe       => Class['::infracloud::cacert'],
   }
 
-  infracloud::ssl { 'neutron':
-    key_content  => $neutron_ssl_key_file_contents,
-    cert_content => $neutron_ssl_cert_file_contents,
-    before       => Service['neutron-server'],
+  infracloud::ssl_key { 'neutron':
+    key_content => $ssl_key_file_contents,
+    notify      => Service['neutron-server'],
     require     => Package['neutron'],
   }
 
@@ -302,13 +301,13 @@ class infracloud::controller(
     rabbit_host         => $controller_management_address,
     glance_api_servers  => "https://${controller_public_address}:9292",
     use_ssl             => true,
-    cert_file           => "/etc/nova/ssl/certs/${controller_public_address}.pem",
+    cert_file           => $ssl_cert_path,
     key_file            => "/etc/nova/ssl/private/${controller_public_address}.pem",
+    subscribe           => Class['::infracloud::cacert'],
   }
-  infracloud::ssl { 'nova':
-    key_content  => $nova_ssl_key_file_contents,
-    cert_content => $nova_ssl_cert_file_contents,
-    before       => Service['nova-api'],
+  infracloud::ssl_key { 'nova':
+    key_content => $ssl_key_file_contents,
+    notify      => Service['nova-api'],
     require     => Class['::nova'],
   }
 

manifests/ssl_key.pp

@@ -1,23 +1,16 @@
-define infracloud::ssl(
+define infracloud::ssl_key(
   $key_content,
-  $cert_content,
   $key_path = undef,
-  $cert_path = undef,
 ) {
   if $key_path == undef {
     $_key_path  = "/etc/${name}/ssl/private/${::fqdn}.pem"
   } else {
     $_key_path = $key_path
   }
-  if $cert_path == undef {
-    $_cert_path = "/etc/${name}/ssl/certs/${::fqdn}.pem"
-  } else {
-    $_cert_path = $cert_path
-  }
 
   # If the user isn't providing an unexpected path, create the directory
   # structure.
-  if $key_path == undef and $cert_path == undef {
+  if $key_path == undef {
     file { "/etc/${name}/ssl":
       ensure => directory,
       owner  => $name,
@@ -30,13 +23,6 @@ define infracloud::ssl(
       require => File["/etc/${name}/ssl"],
       before  => File[$_key_path]
     }
-    file { "/etc/${name}/ssl/certs":
-      ensure  => directory,
-      owner   => $name,
-      mode    => '0750',
-      require => File["/etc/${name}/ssl"],
-      before  => File[$_cert_path],
-    }
   }
 
   file { $_key_path:
@@ -45,9 +31,4 @@ define infracloud::ssl(
     owner   => $name,
     mode    => '0600',
   }
-  file { $_cert_path:
-    ensure  => present,
-    content => $cert_content,
-    mode    => '0644',
-  }
 }