openstack/puppet-openstack-integration
Code Issues Proposed changes
puppet-openstack-integration/manifests/glance.pp
Emilien Macchi 3874255b9f scenario002: switch Keystone/Glance/Ironic/Nova to SSL 
* Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments.
* Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again
  later in a next iteration.
* Deploy Ironic API under WSGI instead of eventlet.
* Switch Glance API, Ironic API and Keystone to SSL.
* Configure Tempest with SSL endpoints when needed.
* Reduce the Ironic tests because of [1].

[1] https://bugs.launchpad.net/ironic/+bug/1554237

Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not
implemented in this patch.
Note #2: we don't enable SSL for Neutron because of
https://bugs.launchpad.net/neutron/+bug/1514424

Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014
2016-03-14 16:34:29 -04:00

121 lines
4.3 KiB
Puppet
Raw Blame History

# Configure the Glance service
#
# [*backend*]
# (optional) Glance backend to use.
# Can be 'file', 'swift' or 'rbd'.
# Defaults to 'file'.
#
class openstack_integration::glance (
$backend = 'file',
) {
include ::openstack_integration::config
include ::openstack_integration::params
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'glance':
notify => [Service['glance-api'], Service['glance-registry']],
}
Package<| tag == 'glance-package' |> -> File['/etc/glance/ssl']
$key_file = "/etc/glance/ssl/private/${::fqdn}.pem"
$crt_file = $::openstack_integration::params::cert_path
Exec['update-ca-certificates'] ~> Service['glance-api']
Exec['update-ca-certificates'] ~> Service['glance-registry']
} else {
$key_file = undef
$crt_file = undef
}
rabbitmq_user { 'glance':
admin => true,
password => 'an_even_bigger_secret',
provider => 'rabbitmqctl',
require => Class['::rabbitmq'],
}
rabbitmq_user_permissions { 'glance@/':
configure_permission => '.*',
write_permission => '.*',
read_permission => '.*',
provider => 'rabbitmqctl',
require => Class['::rabbitmq'],
}
class { '::glance::db::mysql':
password => 'glance',
}
include ::glance
include ::glance::client
class { '::glance::keystone::auth':
public_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
internal_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
admin_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
password => 'a_big_secret',
}
case $backend {
'file': {
include ::glance::backend::file
$backend_store = ['file']
}
'rbd': {
class { '::glance::backend::rbd':
rbd_store_user => 'openstack',
rbd_store_pool => 'glance',
}
$backend_store = ['rbd']
# make sure ceph pool exists before running Glance API
Exec['create-glance'] -> Service['glance-api']
}
'swift': {
Service<| tag == 'swift-service' |> -> Service['glance-api']
$backend_store = ['swift']
class { '::glance::backend::swift':
swift_store_user => 'services:glance',
swift_store_key => 'a_big_secret',
swift_store_create_container_on_put => 'True',
swift_store_auth_address => "${::openstack_integration::config::proto}://127.0.0.1:5000/v2.0",
}
}
default: {
fail("Unsupported backend (${backend})")
}
}
$http_store = ['http']
$glance_stores = concat($http_store, $backend_store)
class { '::glance::api':
debug => true,
verbose => true,
database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8',
keystone_password => 'a_big_secret',
workers => 2,
stores => $glance_stores,
default_store => $backend,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
registry_client_protocol => $::openstack_integration::config::proto,
registry_client_cert_file => $crt_file,
registry_client_key_file => $key_file,
cert_file => $crt_file,
key_file => $key_file,
}
class { '::glance::registry':
debug => true,
verbose => true,
database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8',
keystone_password => 'a_big_secret',
workers => 2,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
cert_file => $crt_file,
key_file => $key_file,
}
class { '::glance::notify::rabbitmq':
rabbit_userid => 'glance',
rabbit_password => 'an_even_bigger_secret',
rabbit_host => $::openstack_integration::config::rabbit_host,
rabbit_port => $::openstack_integration::config::rabbit_port,
notification_driver => 'messagingv2',
rabbit_use_ssl => $::openstack_integration::config::ssl,
}
}
View Git Blame Copy Permalink