diff --git a/README.md b/README.md
index 2b443b256..44f418a02 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ scenario](#All-In-One).
 | - | scenario001 | scenario002 | scenario003 | scenario-aio |
 |:----------:|:-----------:|:-----------:|:-----------:|:-------------:
+| ssl | no | yes | no | no |
 | keystone | X | X | X | X |
 | glance | rbd | swift | file | file |
 | nova | rbd | X | X | X |
diff --git a/files/puppet_openstack.pem b/files/puppet_openstack.pem
new file mode 100644
index 000000000..50c01ad01
--- /dev/null
+++ b/files/puppet_openstack.pem
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIDhTCCAm2gAwIBAgIJAO2foCrPQj0dMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV +BAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIw +EAYDVQQKDAlPcGVuU3RhY2sxDzANBgNVBAsMBlB1cHBldDAeFw0xNjAyMjcyMzQ2 +NTdaFw0xNzAyMjYyMzQ2NTdaMFkxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWVi +ZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIwEAYDVQQKDAlPcGVuU3RhY2sxDzAN +BgNVBAsMBlB1cHBldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8p +3kUc+sKhB0/9G42EEcyAJeHbi6l96phKdu63k17xSCP6KetLVI3FXZ/NbHvXMrGZ +45Z4UV47uChdI0T7rB4Thi5OgKRxKVMeCC38D7xnS4VX2HpLC+r/CMnDxPKMoZRF +ua0r2aSY59268T2fXjNz9l5RUTTXJxdjMVDg0C4QQEnoRyeprmepRU8Nh7CINjl6 +IFmDDuyjVQFBDO4V2NN3T6tJwHmsn0ac2+3bvVKeov7T+tPv7dIFqgBVYKoPrzb6 +B/J3+h4gLV5cNJkkCX9X8Xo9T1WteHtQGPz4IKy7mpRyn3vICqK3ztknqeh6JjVm +8vCfVgLw0M1nIFATKnECAwEAAaNQME4wHQYDVR0OBBYEFKc3gtxGBHMCwxwtE30a +Ig5+A1w8MB8GA1UdIwQYMBaAFKc3gtxGBHMCwxwtE30aIg5+A1w8MAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABWJOH+ehGGjZrycXeFjs0ypnCpDtLNi +PQhAOuoaejR/4MU801qRB+AGxjn+/pzm7t39hpdNRj+Vgx7BNOR6RmtMH68TCIzT +xFKV8T55nH9DjwlSwKDtB5oqnODL7nIJ0Gi/kQBoopOfTUPBYLQZVR/m+7PF3m0I +epdZr+NE5Qm10LEQ+v0vlmtyoDhQ2ettgJxFXURWKMq4600c6+dtGWAJlx0aN7Bb +JSpU/bGgNxLunGR545G6y9iQsi1YwjVJyBSPBIjwnQZKshPELuhmrk18eHIRW0QD +uMJ9kPyLU1r43CNNeWux0nsoyG72NAJKRIaOqIy9EPXTxjeTsYz/2Ts= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPKd5FHPrCoQdP +/RuNhBHMgCXh24upfeqYSnbut5Ne8Ugj+inrS1SNxV2fzWx71zKxmeOWeFFeO7go +XSNE+6weE4YuToCkcSlTHggt/A+8Z0uFV9h6Swvq/wjJw8TyjKGURbmtK9mkmOfd +uvE9n14zc/ZeUVE01ycXYzFQ4NAuEEBJ6Ecnqa5nqUVPDYewiDY5eiBZgw7so1UB +QQzuFdjTd0+rScB5rJ9GnNvt271SnqL+0/rT7+3SBaoAVWCqD682+gfyd/oeIC1e +XDSZJAl/V/F6PU9VrXh7UBj8+CCsu5qUcp97yAqit87ZJ6noeiY1ZvLwn1YC8NDN +ZyBQEypxAgMBAAECggEAF9jB9UK4ut6+cL66BThGtDusIKudEA2mi5FGz4PiOvOb +UkjhumwZd5hYhqSm8Dp9Y2RLhm6jLy3ArSTLgo1V6sBkmb//nu5Hy4GRf3mcdhuN +3fOWv70TyiFBabhXW3RExUShcwWxL/lJ94QlcOp/dXzLx1+k8Wgy38ZTTvQSArs3 
+IWVR/MAAwD0CKPijn3qZX804BTAGpuQRvqAmZ5Ysg9NI6F9zKdnPvjA3q0rKE1x9 +i3SnWN93r0fspH8XtOdb7qX/5NjYWbSSdN+rjgLP7ATugjO/J94eFdPcpDVHCyb5 +UKdkQ6f8W4bDCYJfXcbamR7G8zAcJU+SLllH0dkUgQKBgQDstd3Gl2rpVG8x4/JU +LxyhVhXU59lNZpdCGDcYKV5m37LvApkgYNSBptyq1x3F4dt/NbvZ4o15Jacmbasq +l1qSP9c/1VRjZwhLjhgAtfJPxKvjqvL/hg3RBoK9hm3n5fkjtsVYse+1xYTcwTBh +EIf5Evyyr8s4mrrvAf3Pz2tOlQKBgQDgC5wrQBfDKqZQBpDdcbwuMInDoBVmndgz +ZU9IZDAcpDtk4N94au6YDw5y8Bv8Y8e5XpoR0wUMvcG9hLFl/QVw6yAdzZJx+st0 +50UAqFb80qsnW5DZU2GOWMY3FUmAKNQ64f8YQ1I5DfVerIzWRsSOUrDU9E4HgVTY +6BH2RFuhbQKBgQC14AsWErOnsiN5zu4b9tLlt9IwczAJA6GGvDpgyzBolMrUUEe9 +lAjT0ZTNg1mx+JcBSBUdFbCj++VRZoRUxlRl+L13o38inUDHZNdWfHZBChkUZf4t +jR/CkmEUJF0ACDiEU2OQga9wF+K9B4cXnW8MVqVo2h+oT2MAT6Rn7rRBfQKBgQCO +ljT8vZyh5AnWkmct182Io/F5Y+9a0IghJY/QpZqND+SQ7iCq9XsFoUdz1OYquaIJ +knCBeYgUNMwRflqcauxEkg9tiEB0c8V6kBk1Mu2xl62/raHA/jTvMAZuVgjiHJn9 +I4mC+o1grEaFy1ESqhU78tqBnT3vvtqt9PxBe/3I/QKBgQCxiTa8UVbCEsaeuZaU +v2Q/Ca6xaBPXNFG5zQzElyDT7xGqo1LrQcOZijiY39bGg4O+9jVlkWpu3nfdOYc6 +LnM5U/5/2mNa4qmO/ntypQJBuAYHvEKwZnNp0jRB7XHiqenrkMCMfxABbPO1Yksj +NvVFs8W/3TAiZXoZVqKttZuE9g== +-----END PRIVATE KEY----- diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp index 411bd4e8a..39560f9bd 100644 --- a/fixtures/scenario002.pp +++ b/fixtures/scenario002.pp 
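Review bot: files/puppet_openstack.pem bundles a PRIVATE KEY block with the certificate, and this same file is what cacert.pp installs at `$::openstack_integration::params::cert_path` with `mode => '0444'` as a system trust anchor, so the RabbitMQ server key becomes readable by every local user (the Debian `$cacert_path` in params.pp indicates the trust-store tool also copies it under `/etc/ssl/certs/`). Keep only the certificate in this file and ship the key as a separate source (e.g. a `files/puppet_openstack.key` of your choosing) referenced solely by `openstack_integration::ssl_key`. The embedded certificate also appears to be a self-signed CA with a one-year validity starting 2016-02-27, so the SSL scenarios will begin failing at expiry unless the fixture is regenerated; a README line recording the expiry and the regeneration command would make that visible.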
@@ -15,17 +15,29 @@
 #
 include ::openstack_integration
-include ::openstack_integration::rabbitmq
+include ::openstack_integration::cacert
+class { '::openstack_integration::rabbitmq':
+ ssl => true,
+}
 include ::openstack_integration::mysql
 include ::openstack_integration::keystone
 class { '::openstack_integration::glance':
 backend => 'swift',
+ ssl => true,
+}
+class { '::openstack_integration::neutron':
+ ssl => true,
+}
+class { '::openstack_integration::nova':
+ ssl => true,
+}
+class { '::openstack_integration::cinder':
+ ssl => true,
 }
-include ::openstack_integration::neutron
-include ::openstack_integration::nova
-include ::openstack_integration::cinder
 include ::openstack_integration::swift
-include ::openstack_integration::ironic
+class { '::openstack_integration::ironic':
+ ssl => true,
+}
 include ::openstack_integration::mongodb
 include ::openstack_integration::provision
diff --git a/manifests/cacert.pp b/manifests/cacert.pp
new file mode 100644
index 000000000..07539e2b5
--- /dev/null
+++ b/manifests/cacert.pp
@@ -0,0 +1,20 @@
+class openstack_integration::cacert {
+
+ include ::openstack_integration::params
+
+ file { $::openstack_integration::params::cert_path:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
+ selinux_ignore_defaults => true,
+ replace => true,
+ }
+ exec { 'update-ca-certificates':
+ command => $::openstack_integration::params::update_ca_certs_cmd,
+ subscribe => File[$::openstack_integration::params::cert_path],
+ refreshonly => true,
+ }
+
+}
diff --git a/manifests/cinder.pp b/manifests/cinder.pp
index 43732f85d..4d5acc76f 100644
--- a/manifests/cinder.pp
+++ b/manifests/cinder.pp
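Review bot: The `file { $::openstack_integration::params::cert_path: ... mode => '0444' }` resource in openstack_integration::cacert sources `puppet_openstack.pem`, which in this commit carries the private key alongside the certificate, so a world-readable copy of the RabbitMQ server key is dropped into the system CA anchor directory. A trust anchor only needs the public certificate; point `source` at a certificate-only file and leave key deployment to `openstack_integration::ssl_key`, which already uses `mode => '0600'`. A one-line header such as `# Install the test CA certificate into the OS trust store and refresh it` would also tell readers why the exec is `refreshonly` and subscribed to the file; `replace => true` is Puppet's default and can be dropped.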
@@ -5,10 +5,21 @@
 # Can be 'iscsi' or 'rbd'.
 # Defaults to 'iscsi'.
 #
+# [*ssl*]
+# (optional) Boolean to enable or not SSL.
+# Defaults to false.
+#
 class openstack_integration::cinder (
 $backend = 'iscsi',
+ $ssl = false,
 ) {
+ if $ssl {
+ $rabbit_port = '5671'
+ } else {
+ $rabbit_port = '5672'
+ }
+
 rabbitmq_user { 'cinder':
 admin => true,
 password => 'an_even_bigger_secret',
@@ -32,8 +43,10 @@ class openstack_integration::cinder (
 class { '::cinder':
 database_connection => 'mysql+pymysql://cinder:cinder@127.0.0.1/cinder?charset=utf8',
 rabbit_host => '127.0.0.1',
+ rabbit_port => $rabbit_port,
 rabbit_userid => 'cinder',
 rabbit_password => 'an_even_bigger_secret',
+ rabbit_use_ssl => $ssl,
 verbose => true,
 debug => true,
 }
diff --git a/manifests/glance.pp b/manifests/glance.pp
index fbf494824..79ccb6c72 100644
--- a/manifests/glance.pp
+++ b/manifests/glance.pp
@@ -5,10 +5,21 @@
 # Can be 'file', 'swift' or 'rbd'.
 # Defaults to 'file'.
 #
+# [*ssl*]
+# (optional) Boolean to enable or not SSL.
+# Defaults to false.
+#
 class openstack_integration::glance (
 $backend = 'file',
+ $ssl = false,
 ) {
+ if $ssl {
+ $rabbit_port = '5671'
+ } else {
+ $rabbit_port = '5672'
+ }
+
 rabbitmq_user { 'glance':
 admin => true,
 password => 'an_even_bigger_secret',
@@ -79,7 +90,9 @@ class openstack_integration::glance (
 rabbit_userid => 'glance',
 rabbit_password => 'an_even_bigger_secret',
 rabbit_host => '127.0.0.1',
+ rabbit_port => $rabbit_port,
 notification_driver => 'messagingv2',
+ rabbit_use_ssl => $ssl,
 }
 }
diff --git a/manifests/ironic.pp b/manifests/ironic.pp
index 581a2a343..ed6d72d36 100644
--- a/manifests/ironic.pp
+++ b/manifests/ironic.pp
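Review bot: The `if $ssl { $rabbit_port = '5671' } else { $rabbit_port = '5672' }` block added at the top of openstack_integration::cinder is repeated verbatim in the glance hunk below and again in the ironic, neutron and nova hunks that follow; a selector such as `$rabbit_port = $ssl ? { true => '5671', default => '5672' }` shortens each copy, and defining the port once next to the other SSL settings in `openstack_integration::params` would remove the five copies altogether. Each consumer class also passes `rabbit_use_ssl => $ssl` without naming a CA bundle (`kombu_ssl_ca_certs` or its equivalent), which presumably relies on the system trust store that `openstack_integration::cacert` populates; a comment beside `rabbit_use_ssl` stating that dependency would make the coupling explicit. The cinder and glance class bodies continue outside these hunks.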
@@ -1,4 +1,18 @@
-class openstack_integration::ironic {
+# Configure the Ironic service
+#
+# [*ssl*]
+# (optional) Boolean to enable or not SSL.
+# Defaults to false.
+#
+class openstack_integration::ironic (
+ $ssl = false,
+) {
+
+ if $ssl {
+ $rabbit_port = '5671'
+ } else {
+ $rabbit_port = '5672'
+ }
 rabbitmq_user { 'ironic':
 admin => true,
@@ -18,6 +32,8 @@ class openstack_integration::ironic {
 rabbit_userid => 'ironic',
 rabbit_password => 'an_even_bigger_secret',
 rabbit_host => '127.0.0.1',
+ rabbit_port => $rabbit_port,
+ rabbit_use_ssl => $ssl,
 database_connection => 'mysql+pymysql://ironic:ironic@127.0.0.1/ironic?charset=utf8',
 debug => true,
 verbose => true,
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
index ce21b7b8d..4aa23ab62 100644
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -1,4 +1,18 @@
-class openstack_integration::neutron {
+# Configure the Neutron services
+#
+# [*ssl*]
+# (optional) Boolean to enable or not SSL.
+# Defaults to false.
+#
+class openstack_integration::neutron (
+ $ssl = false,
+) {
+
+ if $ssl {
+ $rabbit_port = '5671'
+ } else {
+ $rabbit_port = '5672'
+ }
 rabbitmq_user { 'neutron':
 admin => true,
@@ -24,6 +38,8 @@ class openstack_integration::neutron {
 rabbit_user => 'neutron',
 rabbit_password => 'an_even_bigger_secret',
 rabbit_host => '127.0.0.1',
+ rabbit_port => $rabbit_port,
+ rabbit_use_ssl => $ssl,
 allow_overlapping_ips => true,
 core_plugin => 'ml2',
 service_plugins => ['router', 'metering', 'firewall'],
diff --git a/manifests/nova.pp b/manifests/nova.pp
index d1f18896a..869ed9261 100644
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@@ -5,10 +5,21 @@
 # to use Libvirt RBD backend.
 # Defaults to false.
 #
+# [*ssl*]
+# (optional) Boolean to enable or not SSL.
+# Defaults to false.
+#
 class openstack_integration::nova (
 $libvirt_rbd = false,
+ $ssl = false,
 ) {
+ if $ssl {
+ $rabbit_port = '5671'
+ } else {
+ $rabbit_port = '5672'
+ }
+
 rabbitmq_user { 'nova':
 admin => true,
 password => 'an_even_bigger_secret',
@@ -36,8 +47,10 @@ class openstack_integration::nova (
 database_connection => 'mysql+pymysql://nova:nova@127.0.0.1/nova?charset=utf8',
 api_database_connection => 'mysql+pymysql://nova_api:nova@127.0.0.1/nova_api?charset=utf8',
 rabbit_host => '127.0.0.1',
+ rabbit_port => $rabbit_port,
 rabbit_userid => 'nova',
 rabbit_password => 'an_even_bigger_secret',
+ rabbit_use_ssl => $ssl,
 glance_api_servers => 'http://127.0.0.1:9292',
 verbose => true,
 debug => true,
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 000000000..4c1ac98ce
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,19 @@
+class openstack_integration::params {
+
+ case $::osfamily {
+ 'RedHat': {
+ $cacert_path = '/etc/ssl/certs/ca-bundle.crt'
+ $cert_path = '/etc/pki/ca-trust/source/anchors/puppet_openstack.crt'
+ $update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract'
+ }
+ 'Debian': {
+ $cacert_path = '/etc/ssl/certs/puppet_openstack.pem'
+ $cert_path = '/usr/local/share/ca-certificates/puppet_openstack.crt'
+ $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates'
+ }
+ default: {
+ fail("Unsupported osfamily: ${::osfamily} operatingsystem")
+ }
+ }
+
+}
diff --git a/manifests/rabbitmq.pp b/manifests/rabbitmq.pp
index 6597a6d9d..21726eb22 100644
--- a/manifests/rabbitmq.pp
+++ b/manifests/rabbitmq.pp
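Review bot: The RedHat `$update_ca_certs_cmd` chains two commands with `&&`, but the exec in cacert.pp that runs it does not set `provider => shell`, and Puppet's default posix exec provider does not go through a shell, so `&&` and the second update-ca-trust invocation would be handed to the first one as arguments rather than chained. Either split the RedHat value so the consuming exec runs a single command, or document on the variable that it must be executed with `provider => 'shell'`. A short header on the class would also help, since the two path names are easy to confuse; something like `# cacert_path: CA bundle handed to rabbitmq as ssl_cacert; cert_path: where the anchor is dropped for the trust-store tool` captures how rabbitmq.pp and cacert.pp use them.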
@@ -1,4 +1,14 @@
-class openstack_integration::rabbitmq {
+# Configure the RabbitMQ service
+#
+# [*ssl*]
+# (optional) Boolean to enable or not SSL.
+# Defaults to false.
+#
+class openstack_integration::rabbitmq (
+ $ssl = false,
+) {
+
+ include ::openstack_integration::params
 case $::osfamily {
 'Debian': {
@@ -12,9 +22,33 @@ class openstack_integration::rabbitmq {
 }
 }
- class { '::rabbitmq':
- delete_guest_user => true,
- package_provider => $package_provider,
+ if $ssl {
+ file { '/etc/rabbitmq/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ mode => '0755',
+ selinux_ignore_defaults => true,
+ before => File["/etc/rabbitmq/ssl/private/${::fqdn}.pem"],
+ }
+ openstack_integration::ssl_key { 'rabbitmq':
+ key_path => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
+ require => File['/etc/rabbitmq/ssl'],
+ notify => Service['rabbitmq-server'],
+ }
+ class { '::rabbitmq':
+ delete_guest_user => true,
+ package_provider => $package_provider,
+ ssl => true,
+ ssl_only => true,
+ ssl_cacert => $::openstack_integration::params::cacert_path,
+ ssl_cert => $::openstack_integration::params::cert_path,
+ ssl_key => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
+ }
+ } else {
+ class { '::rabbitmq':
+ delete_guest_user => true,
+ package_provider => $package_provider,
+ }
 }
 rabbitmq_vhost { '/':
 provider => 'rabbitmqctl',
diff --git a/manifests/ssl_key.pp b/manifests/ssl_key.pp
new file mode 100644
index 000000000..87d281f6f
--- /dev/null
+++ b/manifests/ssl_key.pp
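Review bot: In the `$ssl` branch, `openstack_integration::ssl_key { 'rabbitmq': ... require => File['/etc/rabbitmq/ssl'] }` depends on a File resource nothing in this hunk declares — the define only creates `/etc/${name}/ssl` when `key_path` is undef, and here it is passed explicitly — so unless the upstream rabbitmq module manages that directory the catalog fails on a missing dependency, and `/etc/rabbitmq/ssl/private` is declared without its parent. Declare `file { '/etc/rabbitmq/ssl': ensure => directory, owner => 'root', mode => '0755' }` next to the `private` resource, or drop `key_path` and let the define build the tree. `ssl_cert` is given `$::openstack_integration::params::cert_path`, i.e. the CA anchor itself rather than a certificate issued for `${::fqdn}`, which presumably only works while clients do not verify the hostname; that assumption deserves a comment on the `ssl_cert` line. The two `class { '::rabbitmq': ... }` declarations differ only in the SSL attributes, so a single declaration with `ssl => $ssl` and conditional values for the others would avoid the duplication; the class body continues outside these hunks.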
@@ -0,0 +1,42 @@
+# Deploy SSL private keys
+#
+# [*key_path*]
+# (optional) Path of SSL private key
+# Defaults to undef.
+#
+define openstack_integration::ssl_key(
+ $key_path = undef,
+) {
+ if $key_path == undef {
+ $_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem"
+ } else {
+ $_key_path = $key_path
+ }
+
+ # If the user isn't providing an unexpected path, create the directory
+ # structure.
+ if $key_path == undef {
+ file { "/etc/${name}/ssl":
+ ensure => directory,
+ owner => $name,
+ mode => '0775',
+ selinux_ignore_defaults => true,
+ }
+ file { "/etc/${name}/ssl/private":
+ ensure => directory,
+ owner => $name,
+ mode => '0755',
+ require => File["/etc/${name}/ssl"],
+ selinux_ignore_defaults => true,
+ before => File[$_key_path]
+ }
+ }
+
+ file { $_key_path:
+ ensure => present,
+ owner => $name,
+ source => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
+ selinux_ignore_defaults => true,
+ mode => '0600',
+ }
+}
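Review bot: `/etc/${name}/ssl` is created with `mode => '0775'` and no `group`, so whichever group the directory ends up with can write into the parent of the private-key directory; `mode => '0755'`, as already used for the `private` subdirectory, is enough. The deployed key's `source` is the same `puppet_openstack.pem` that cacert.pp installs as a public trust anchor, so the key written here is the CA's own key; that is acceptable for a throwaway integration fixture, but a `# NOTE: test-only key, identical to the CA anchor material` comment above `source` would stop the define being reused for real keys unchanged. The two `if $key_path == undef` tests can be folded into one block that both sets `$_key_path` and declares the directories, and the comment `If the user isn't providing an unexpected path` reads backwards — `If no explicit key_path was given, create the default directory tree` says what the code does.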