From a68502c8c3028a44f5b10c292a15694990bf1ad1 Mon Sep 17 00:00:00 2001 From: sbartel Date: Thu, 16 Jul 2015 15:03:20 +0200 Subject: [PATCH] migrate plugins from 1.0.0 to 2.0.0 package version Change-Id: Ib7f3578a14a30c3bbd7b1bd9fa92cfd3aee7f193 --- README.md | 42 +++- deployment_scripts/puppet/manifests/site.pp | 43 ++-- .../puppet/manifests/site_compute.pp | 18 +- .../puppet/modules/tls/files/format.sh | 9 +- .../modules/tls/manifests/controller.pp | 32 ++- .../modules/tls/manifests/controller_ha.pp | 29 --- .../modules/tls/manifests/horizon/horizon.pp | 193 +++++++++++++++--- .../tls/manifests/horizon/horizon_ha.pp | 74 ------- .../tls/manifests/nova/novnc_controller.pp | 7 +- .../puppet/modules/tls/manifests/params.pp | 34 +-- .../templates/openstack-dashboard.conf.erb | 58 ------ .../modules/tls/templates/port.conf.erb | 21 -- .../puppet/modules/tls/templates/vhost.erb | 37 ---- .../puppet/modules/tls/tests/init.pp | 2 +- environment_config.yaml | 8 +- metadata.yaml | 23 +-- tasks.yaml | 6 +- 17 files changed, 285 insertions(+), 351 deletions(-) delete mode 100644 deployment_scripts/puppet/modules/tls/manifests/controller_ha.pp delete mode 100644 deployment_scripts/puppet/modules/tls/manifests/horizon/horizon_ha.pp delete mode 100644 deployment_scripts/puppet/modules/tls/templates/openstack-dashboard.conf.erb delete mode 100644 deployment_scripts/puppet/modules/tls/templates/port.conf.erb delete mode 100644 deployment_scripts/puppet/modules/tls/templates/vhost.erb diff --git a/README.md b/README.md index 93b25a7..18c8feb 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@ Requirements | Requirement | Version/Comment | |----------------------------------|---------------------------------------------------------| -| Mirantis Openstack compatibility | 6.0 | +| Mirantis Openstack compatibility | 6.1 | |----------------------------------|---------------------------------------------------------| | Crt & Key files | You have a crt & key files to provide before deployment | @@ -43,20 +43,20 @@ Https plugin installation ``pip install fuel-plugin-builder`` -3. Build nova-nfs Fuel plugin: +3. Build tls Fuel plugin: ``fpb --build fuel-plugin-tls/`` -4. The tls-.fp file will be created in the plugin folder (fuel-plugin-tls) +4. The tls-.rpm file will be created in the plugin folder (fuel-plugin-tls) 5. Move this file to the Fuel Master node with secure copy (scp): - ``scp tls-.fp root@::/tmp`` + ``scp tls-.rpm root@::/tmp`` ``cd /tmp`` -6. Install the nova-nfs plugin: +6. Install the tls plugin: - ``fuel plugins --install tls-.fp`` + ``fuel plugins --install tls-.rpm`` 6. Plugin is ready to use and can be enabled on the Settings tab of the Fuel web UI. @@ -78,7 +78,7 @@ https plugin configuration - the certificate .key content -You must pass your .crt and .key files via fuel UI (settings tab) +You must pass your .crt, .key, .ca files via fuel UI (settings tab) When you pass the content of the files in fuel ui, some "space" characters will appear, don't care about this puppet will remove it. CRT file must be in the following format : 
@@ -136,6 +136,30 @@ X43ceACVpWiv5DmBtEUrB8dbwxEJFaoPGqEswwdh1FDxzfsPdapyqGI5B8zRjnpa SR2QEYok/8lZeDgUOhXkGg== -----END PRIVATE KEY----- +CA file must be in the following format : + +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIJAJHydV1v41XIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV +BAYTAkZSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTUwMTMwMTAyNDU3WhcNMTYwMTMwMTAyNDU3WjBF +MQswCQYDVQQGEwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAqwHssa1A2alSVh8ZZvKffGaix7mSFMDsFjUgPShqbAZ8xGQynvrHPel9 +A8E6ml0sGzHDwk8gobpu7k1wuMhcs7Np88xu5GtR1DhZWQ8MUGWHfflyjguMjtzF +pZg4j0M14SE2INwwsRRtvC0/aeV1/q7HqfTk7+y01g/N4OKvYwndNp2lbSjBZZF4 +qbL9QD5iesOptxRryJ8tcm47i6hC4LTunz9pgVI13rtlOoqtXjf07ytMydBbzpeR +4joaPAjbPf5ywf+I/n8XFxy6QPC9qAm2H3Gpo/5bb7+9S8AOhYqvWEKNotvyX1E8 +aiDLV+LHkL45Xpx47YBty6L8qNuejwIDAQABo1AwTjAdBgNVHQ4EFgQUVQNmpJDO +w5eVB3yjU80NUZSKZlcwHwYDVR0jBBgwFoAUVQNmpJDOw5eVB3yjU80NUZSKZlcw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAqadjZT7kMXRf5bp14nfI +20m6G/i5aHBo+0v+6lRtmk5wD/D6VsOh+R/HjjDDo68y/WEWXxQbuOYX+HZCABpf +VTA4oLvY4t3gtzt9Q21VtK/l5e3yyxo2JBnsPqc5wmWDlNO8aImF+QrvovkuyTV5 +mX6suZgby4eTllmVzBNK/+FMuPlsSPwB8SxEbu04aOIcwbn4LCCZJZEG6INVGSS8 +SRg1iER8mu2Jf45JKkMFDqUhCUp/ejM2t686O7olqKtmF53rDSBnzhtabdgTIx3F +RjCb281gwvwSgyFfUgt5TIIq1o/kci2N33zuxaifFVz6DtDxKegoZg73bUMg/OA2 +bg== +-----END CERTIFICATE----- + Here is a screenshot of the fields ![tls fields](./figures/tls-plugin.png "tls-fields") @@ -159,6 +183,10 @@ None. Release Notes ------------- +**2.0.0** + +* migrate plugins from 1.0.0 to 2.0.0 package version + **1.0.0** * Initial release of the plugin diff --git a/deployment_scripts/puppet/manifests/site.pp b/deployment_scripts/puppet/manifests/site.pp index c443696..8eb2b57 100644 --- a/deployment_scripts/puppet/manifests/site.pp +++ b/deployment_scripts/puppet/manifests/site.pp 
@@ -1,30 +1,19 @@ -$fuel_settings = parseyaml(file('/etc/astute.yaml')) -$tls_hash = $::fuel_settings['tls'] -$horizon_crt = $tls_hash['horizon_crt'] -$horizon_key = $tls_hash['horizon_key'] -$nodes_hash = $::fuel_settings['nodes'] -if ($::fuel_settings['deployment_mode'] == 'multinode') { - $controller = filter_nodes($nodes_hash,'role','controller') - $controller_node_public = $controller[0]['public_address'] - class { 'tls::controller': - horizon_crt => $horizon_crt, - horizon_key => $horizon_key, - external_ip => $controller_node_public, - bind_address => $controller_node_public - } -} -else { - $controllers = concat(filter_nodes($nodes_hash,'role','primary-controller'), filter_nodes($nodes_hash,'role','controller')) - $public_virtual_ip = $::fuel_settings['public_vip'] - $internal_virtual_ip = $::fuel_settings['management_vip'] - class { 'tls::controller_ha': - controllers => $controllers, - public_virtual_ip => $public_virtual_ip, - internal_virtual_ip => $internal_virtual_ip, - horizon_crt => $horizon_crt, - horizon_key => $horizon_key, - external_ip => $public_virtual_ip - } +$tls_hash = hiera('tls') +$horizon_crt = $tls_hash['horizon_crt'] +$horizon_key = $tls_hash['horizon_key'] +$horizon_ca = $tls_hash['horizon_ca'] +$nodes_hash = hiera('nodes') +$controllers = hiera('controllers') +$public_virtual_ip = hiera('public_vip') +$internal_virtual_ip = hiera('management_vip') +class { 'tls::controller': + controllers => $controllers, + public_virtual_ip => $public_virtual_ip, + internal_virtual_ip => $internal_virtual_ip, + horizon_crt => $horizon_crt, + horizon_key => $horizon_key, + horizon_ca => $horizon_ca, + external_ip => $public_virtual_ip } diff --git a/deployment_scripts/puppet/manifests/site_compute.pp b/deployment_scripts/puppet/manifests/site_compute.pp index 30db18c..18bdf88 100644 --- a/deployment_scripts/puppet/manifests/site_compute.pp +++ b/deployment_scripts/puppet/manifests/site_compute.pp 
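Review bot: `$nodes_hash = hiera('nodes')` is assigned in the new site.pp but never passed to `tls::controller`, which now performs its own `hiera('nodes')` lookup, so the line is dead and misleads a reader into thinking the manifest selects the node. Drop it, or pass it explicitly as a parameter so the lookup happens in exactly one place. A one-line header comment such as `# Runs on every controller; TLS material and VIPs come from the Fuel-generated hiera data` would also help, since the manifest no longer explains where `tls`, `controllers` and the VIPs originate.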
@@ -1,18 +1,10 @@ -$fuel_settings = parseyaml(file('/etc/astute.yaml')) -$tls_hash = $::fuel_settings['tls'] +$tls_hash = hiera('tls') $horizon_crt = $tls_hash['horizon_crt'] $horizon_key = $tls_hash['horizon_key'] -$nodes_hash = $::fuel_settings['nodes'] - -if ($::fuel_settings['deployment_mode'] == 'multinode') { - $controller = filter_nodes($nodes_hash,'role','controller') - $internal_ip = $controller[0]['internal_address'] - $public_ip = $controller[0]['public_address'] -} -else { - $public_ip = $::fuel_settings['public_vip'] - $internal_ip = $::fuel_settings['management_vip'] -} +$nodes_hash = hiera('nodes') +$public_ip = hiera('public_vip') +$internal_ip = hiera('management_vip') + class { 'tls::compute': public_virtual_ip => $public_ip, internal_virtual_ip => $internal_ip, diff --git a/deployment_scripts/puppet/modules/tls/files/format.sh b/deployment_scripts/puppet/modules/tls/files/format.sh index a0d8ec1..c5666d6 100644 --- a/deployment_scripts/puppet/modules/tls/files/format.sh +++ b/deployment_scripts/puppet/modules/tls/files/format.sh @@ -2,7 +2,8 @@ CRT=$1 KEY=$2 -SSL_PATH=$3 +CA=$3 +SSL_PATH=$4 ############################################################################################################################ # Horizon part ############################################################################################################################ 
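Review bot: The compute manifest still reads `horizon_crt` and, more importantly, `horizon_key` — the Horizon private key — out of hiera, although the visible `tls::compute` call passes only the two VIPs (the call continues past the end of the hunk, so I cannot see whether the key is forwarded). If `tls::compute` does not need the key, delete those two lookups so the private key is never materialised in a compute node's catalog; keeping the key's reach to controllers is the cheapest hardening this plugin can do. `$nodes_hash = hiera('nodes')` is likewise unused here.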
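Review bot: `SSL_PATH` moves from `$3` to `$4`, but nothing checks the argument count, so a caller still passing three arguments gets an empty `SSL_PATH` and the script writes `/horizon.crt`, `/horizon.key` and `/horizon.ca` into the filesystem root with the private key among them. Add a guard right after the assignments: `[ "$#" -eq 4 ] || { echo "usage: $0 CRT KEY CA SSL_PATH" >&2; exit 1; }`. A `set -u` at the top of the script would catch the same class of mistake for free.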
@@ -14,6 +15,12 @@ echo "-----BEGIN PRIVATE KEY-----" > $SSL_PATH/horizon.key echo $KEY | awk -F "-----" '{ print $3}' | sed 's/ /\n/g' | sed '/^$/d' >> $SSL_PATH/horizon.key echo "-----END PRIVATE KEY-----" >> $SSL_PATH/horizon.key +echo "-----BEGIN CERTIFICATE-----" > $SSL_PATH/horizon.ca +echo $CA | awk -F "-----" '{ print $3}' | sed 's/ /\n/g' | sed '/^$/d' >> $SSL_PATH/horizon.ca +echo "-----END CERTIFICATE-----" >> $SSL_PATH/horizon.ca + + + ############################################################################################################################ # Nova part ############################################################################################################################ diff --git a/deployment_scripts/puppet/modules/tls/manifests/controller.pp b/deployment_scripts/puppet/modules/tls/manifests/controller.pp index 85090e6..e7cfbd1 100644 --- a/deployment_scripts/puppet/modules/tls/manifests/controller.pp +++ b/deployment_scripts/puppet/modules/tls/manifests/controller.pp @@ -1,9 +1,16 @@ class tls::controller( + $controllers, + $public_virtual_ip, + $internal_virtual_ip, $horizon_crt, $horizon_key, - $external_ip, - $bind_address + $horizon_ca, + $external_ip ) { + $nodes_hash = hiera('nodes') + $node = filter_nodes($nodes_hash,'name',$::hostname) + $internal_address = $node[0]['internal_address'] + $bind_address = $internal_address $server_hostname = $external_ip include tls::params $apache_tls_path = $tls::params::apache_tls_path 
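Review bot: `echo $CA | awk -F "-----" '{ print $3}'` keeps only the body of the first PEM block, so a CA field containing an intermediate chain (two or more `-----BEGIN CERTIFICATE-----` blocks) is silently truncated to the first certificate and the rest never reaches `horizon.ca`; either document that `horizon_ca` must be a single certificate or iterate over the fields (`$3`, `$7`, `$11`, …) and wrap each one. The private key written by the context lines above uses the same redirection and therefore inherits the process umask, which on a default system leaves `horizon.key` readable by every local user — add `chmod 600 "$SSL_PATH/horizon.key"` after its `END PRIVATE KEY` line. Quoting the expansions (`echo "$CA"`, `echo "$KEY"`) also avoids pathname expansion on the pasted text; the following `sed 's/ /\n/g'` still splits on spaces either way.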
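Review bot: `$node = filter_nodes($nodes_hash,'name',$::hostname)` followed by `$node[0]['internal_address']` assumes the local hostname appears in the hiera `nodes` list; when it does not, `$bind_address` becomes undef and Apache is configured to listen on nothing obvious. Fail early instead, e.g. `if empty($node) { fail("node ${::hostname} not found in hiera 'nodes'") }` (assuming puppetlabs-stdlib is available, as it is in Fuel's module path). The choice to bind Apache to the management address rather than the public VIP is security-relevant and not self-evident — add `# Apache listens only on the management address; HAProxy on the public VIP passes TLS through (mode tcp)` above the assignment.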
@@ -33,20 +40,23 @@ class tls::controller( require => File["$apache_tls_path"] } exec {'format.sh': - command => "bash -c \"format.sh \'${horizon_crt}\' \'${horizon_key}\' \'${apache_tls_path}\'\"", + command => "bash -c \"format.sh \'${horizon_crt}\' \'${horizon_key}\' \'${horizon_ca}\' \'${apache_tls_path}\'\"", path => '/usr/sbin:/usr/bin:/sbin:/bin', require => File['format.sh'], - before => File['openstack-dashboard.conf'], } - class { 'tls::horizon::horizon': - horizon_crt => $horizon_crt, - horizon_key => $horizon_key, - bind_address => $bind_address - } class { 'tls::nova::novnc_controller': server_hostname => $server_hostname, novnc_service => $tls::params::nova_novnc_service, - httpd_service => $tls::params::httpd_service_name - } + httpd_service => $tls::params::httpd_service_name + }-> + class { 'tls::horizon::horizon': + bind_address => $bind_address, + controllers => $controllers, + public_virtual_ip => $public_virtual_ip, + internal_virtual_ip => $internal_virtual_ip, + }-> + exec { "ha_proxy_restart": + command => "/usr/sbin/crm resource restart p_haproxy", + } } diff --git a/deployment_scripts/puppet/modules/tls/manifests/controller_ha.pp b/deployment_scripts/puppet/modules/tls/manifests/controller_ha.pp deleted file mode 100644 index 0828f78..0000000 --- a/deployment_scripts/puppet/modules/tls/manifests/controller_ha.pp +++ /dev/null 
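Review bot: The rewritten `format.sh` exec still interpolates the private key into the command string, so while it runs the key is visible to every local user through `ps` and `/proc/*/cmdline`, and if it fails Puppet reports the full command line, copying the key into agent logs and reports; a `'` in any of the three UI fields also breaks out of the quoting. Write the three blobs to mode-0600 files with `file` resources (or pass them via `environment =>`) and have format.sh read those paths instead of taking the material as arguments. The exec also lost its `before =>` edge: nothing now orders it ahead of `tls::horizon::horizon`, so Apache can be restarted against a vhost whose cert files do not exist yet — add `before => Class['tls::horizon::horizon']`. Finally `exec { "ha_proxy_restart": … }` has neither `refreshonly` nor `unless`, so every Puppet run restarts `p_haproxy` and drops all live Horizon and noVNC connections; make it `refreshonly => true` and `subscribe => Class['tls::horizon::horizon']`.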
@@ -1,29 +0,0 @@ -class tls::controller_ha( - $controllers, - $public_virtual_ip, - $internal_virtual_ip, - $horizon_crt, - $horizon_key, - $external_ip -) { - $nodes_hash = $::fuel_settings['nodes'] - $node = filter_nodes($nodes_hash,'name',$::hostname) - $internal_address = $node[0]['internal_address'] - $bind_address = $internal_address - class { 'tls::controller': - horizon_crt => $horizon_crt, - horizon_key => $horizon_key, - external_ip => $external_ip, - bind_address => $bind_address - } - class { 'tls::horizon::horizon_ha': - controllers => $controllers, - public_virtual_ip => $public_virtual_ip, - internal_virtual_ip => $internal_virtual_ip, - } - exec { "ha_proxy_restart": - command => "/usr/sbin/crm resource restart p_haproxy", - require => Class['tls::horizon::horizon_ha'], - } -} - diff --git a/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon.pp b/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon.pp index 3e72dd7..378dfc4 100644 --- a/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon.pp +++ b/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon.pp 
@@ -1,13 +1,39 @@ class tls::horizon::horizon( - $horizon_crt, - $horizon_key, - $bind_address, + $bind_address = '*', + $controllers, + $public_virtual_ip, + $internal_virtual_ip, ) { include tls::params - - $root_url = $tls::params::root_url - $ssl_cert_file = $tls::params::tls_cert_file - $ssl_key_file = $tls::params::tls_key_file + $ssl_port = 443 + $horizon_hash = hiera_hash('horizon',{}) + $root_url = $tls::params::root_url + $horizon_cert = $tls::params::tls_cert_file + $horizon_key = $tls::params::tls_key_file + $horizon_ca = $tls::params::tls_ca_file + $controller_internal_addresses = nodes_to_hash($controllers,'name','internal_address') + $controller_nodes = ipsort(values($controller_internal_addresses)) + $cache_server_ip = hiera('memcache_servers', $controller_nodes) + $cache_server_port = hiera('memcache_server_port', '11211') + $swift = false + $neutron = hiera('use_neutron') + $horizon_app_links = undef + $keystone_host = hiera('management_vip') + $keystone_scheme = 'http' + $keystone_default_role = '_member_' + $verbose = hiera('verbose', true) + $debug = hiera('debug') + $api_result_limit = 1000 + $package_ensure = hiera('horizon_package_ensure', 'installed') + $use_ssl = true + $use_syslog = hiera('use_syslog', true) + $log_level = 'WARNING' + $nova_quota = hiera('nova_quota') + $local_settings_template = 'openstack/horizon/local_settings.py.erb' + $django_session_engine = 'django.contrib.sessions.backends.cache' + $servername = hiera('public_vip') + $cache_backend = 'horizon.backends.memcached.HorizonMemcached' + $cache_options = ["'SOCKET_TIMEOUT': 1","'SERVER_RETRIES': 1","'DEAD_RETRY': 1"] #update horizon config file exec { "USE_SSL": 
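Review bot: `$keystone_scheme = 'http'` together with `$keystone_host = hiera('management_vip')` means Horizon's server-side calls to Keystone stay in clear text on the management network; that is consistent with this plugin only terminating TLS at the public edge, but it is the kind of thing an operator enabling a "TLS" plugin will assume is covered, so state it: `# Keystone is reached over plain HTTP on the management VIP; this plugin secures only the public endpoint.` `hiera('debug')`, `hiera('use_neutron')` and `hiera('nova_quota')` have no default while the neighbouring lookups do, so a missing key aborts the catalog — either give them one (`hiera('debug', false)`) or note that failing hard is intended. `$bind_address = '*'` is an optional parameter declared ahead of required ones; controller.pp always passes it, so making it required would make the interface honest and avoid an accidental wildcard listen on every interface.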
@@ -51,35 +77,138 @@ class tls::horizon::horizon( } } - #update apache config file - file { 'openstack-dashboard.conf' : - ensure => present, - path => $tls::params::apache_conf_file, - owner => 'root', - group => 'root', - mode => '0755', - content => template('tls/openstack-dashboard.conf.erb'), - notify => Service[$tls::params::httpd_service_name], + if $horizon_hash['secret_key'] { + $secret_key = $horizon_hash['secret_key'] + } else { + $secret_key = 'dummy_secret_key' } - file { 'port.conf' : - ensure => present, - path => $tls::params::apache_port_file, - owner => 'root', - group => 'root', - mode => '0755', - content => template('tls/port.conf.erb'), - notify => Service[$tls::params::httpd_service_name], + if $debug { #syslog and nondebug case + #We don't realy want django debug, it is too verbose. + $django_debug = false + $django_verbose = false + $log_level_real = 'DEBUG' + } elsif $verbose { + $django_verbose = true + $django_debug = false + $log_level_real = 'INFO' + } else { + $django_verbose = false + $django_debug = false + $log_level_real = $log_level } - file { 'vhost.conf' : - ensure => present, - path => $tls::params::apache_vhost_file, - owner => 'root', - group => 'root', - mode => '0755', - content => template('tls/vhost.erb'), - notify => Service[$tls::params::httpd_service_name], + apache::listen{ $ssl_port:} + apache::namevirtualhost{ "*:$ssl_port":} + + class { '::horizon': + bind_address => $bind_address, + cache_server_ip => $cache_server_ip, + cache_server_port => $cache_server_port, + cache_backend => $cache_backend, + cache_options => $cache_options, + secret_key => $secret_key, + swift => $swift, + package_ensure => $package_ensure, + horizon_app_links => $horizon_app_links, + keystone_host => $keystone_host, + keystone_scheme => $keystone_scheme, + keystone_default_role => $keystone_default_role, + django_debug => $django_debug, + api_result_limit => $api_result_limit, + listen_ssl => $use_ssl, + log_level => $log_level_real, + 
local_settings_template => $local_settings_template, + configure_apache => false, + django_session_engine => $django_session_engine, + allowed_hosts => '*', + secure_cookies => false, + horizon_cert => $horizon_cert , + horizon_key => $horizon_key, + horizon_ca => $horizon_ca + } + + class { '::horizon::wsgi::apache': + priority => false, + servername => $public_virtual_ip, + bind_address => $bind_address, + wsgi_processes => $wsgi_processes, + wsgi_threads => $wsgi_threads, + horizon_cert => $horizon_cert , + horizon_key => $horizon_key, + horizon_ca => $horizon_ca, + listen_ssl => $use_ssl, + extra_params => { + default_vhost => true, + add_listen => false, + ssl_protocol => '+TLSv1', + ssl_cipher => 'HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM', + custom_fragment => template("openstack/horizon/wsgi_vhost_custom.erb"), + }, + } ~> + Service[$::apache::params::service_name] + + Haproxy::Service { use_include => true } + Haproxy::Balancermember { use_include => true } + + $haproxy_config_options = { + 'option' => ['ssl-hello-chk', 'tcpka'], + 'stick-table' => 'type ip size 200k expire 30m', + 'stick' => 'on src', + 'balance' => 'source', + 'timeout' => ['client 3h', 'server 3h'], + 'mode' => 'tcp', + } + + haproxy::listen { 'horizon-ssl': + order => '017', + ipaddress => $public_virtual_ip, + ports => '443', + options => $haproxy_config_options, + mode => 'tcp', + } + + haproxy::balancermember { 'horizon-ssl': + order => '017', + listening_service => 'horizon-tls', + server_names => filter_hash($controllers, 'name'), + ipaddresses => filter_hash($controllers, 'internal_address'), + ports => '443', + options => 'weight 1 check', + define_cookies => false, + define_backups => false, + } + + ################################################################################## + + $haproxy_config_options_nova = { + 'option' => ['ssl-hello-chk', 'tcpka'], + 'mode' => 'tcp', + } + + haproxy::listen { 'nova-novncproxy': + order => '170', + ipaddress => $public_virtual_ip, 
+ ports => '6080', + options => $haproxy_config_options_nova, + mode => 'tcp', + } + + haproxy::balancermember { 'nova-novncproxy': + order => '170', + listening_service => 'horizon-tls', + server_names => filter_hash($controllers, 'name'), + ipaddresses => filter_hash($controllers, 'internal_address'), + ports => '6080', + options => 'check', + define_cookies => false, + define_backups => false, + } + ###################################################################################### + + service { 'haproxy': + enable => true, + ensure => running, } } diff --git a/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon_ha.pp b/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon_ha.pp deleted file mode 100644 index cf44f70..0000000 --- a/deployment_scripts/puppet/modules/tls/manifests/horizon/horizon_ha.pp +++ /dev/null 
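Review bot: `secure_cookies => false` on a dashboard that (per `listen_ssl => $use_ssl`) is served only over TLS leaves the Django session and CSRF cookies without the Secure flag — presumably this maps to `SESSION_COOKIE_SECURE`/`CSRF_COOKIE_SECURE` in local_settings — so a browser will also send them on any plain-HTTP request to the host; set `secure_cookies => true`, and consider narrowing `allowed_hosts => '*'` to the public VIP and its DNS name. `ssl_protocol => '+TLSv1'` enables TLS 1.0 only (Apache treats a leading `+` on an otherwise empty list as the entire set), which denies TLS 1.1/1.2 to every client; use `ssl_protocol => 'all -SSLv2 -SSLv3'`. The `'dummy_secret_key'` fallback hands Django a fixed, publicly known SECRET_KEY whenever hiera lacks one, which allows anyone to forge signed cookies — replace the else branch with `fail('horizon secret_key is missing from hiera')`. Both `haproxy::balancermember` resources carry `listening_service => 'horizon-tls'` while the listen sections are named `horizon-ssl` and `nova-novncproxy`; if the haproxy module attaches members by that name, the backends end up in a non-existent section, so this is worth verifying on a deployed node. `$wsgi_processes` and `$wsgi_threads` are never assigned in this class (the old template computed them from memory and CPU count), so they are passed as undef.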
@@ -1,74 +0,0 @@ -class tls::horizon::horizon_ha ( - $controllers, - $public_virtual_ip, - $internal_virtual_ip, -) { - - require tls::horizon::horizon - include tls::params - - Haproxy::Service { use_include => true } - Haproxy::Balancermember { use_include => true } - - $haproxy_config_options = { - 'option' => ['ssl-hello-chk', 'tcpka'], - 'stick-table' => 'type ip size 200k expire 30m', - 'stick' => 'on src', - 'balance' => 'source', - 'timeout' => ['client 3h', 'server 3h'], - 'mode' => 'tcp', - } - - haproxy::listen { 'horizon-ssl': - order => '017', - ipaddress => $public_virtual_ip, - ports => '443', - options => $haproxy_config_options, - mode => 'tcp', - } - - haproxy::balancermember { 'horizon-ssl': - order => '017', - listening_service => 'horizon-tls', - server_names => filter_hash($controllers, 'name'), - ipaddresses => filter_hash($controllers, 'internal_address'), - ports => '443', - options => 'weight 1 check', - define_cookies => false, - define_backups => false, - } - - ################################################################################## - - $haproxy_config_options_nova = { - 'option' => ['ssl-hello-chk', 'tcpka'], - 'mode' => 'tcp', - } - - haproxy::listen { 'nova-novncproxy': - order => '170', - ipaddress => $public_virtual_ip, - ports => '6080', - options => $haproxy_config_options_nova, - mode => 'tcp', - } - - haproxy::balancermember { 'nova-novncproxy': - order => '170', - listening_service => 'horizon-tls', - server_names => filter_hash($controllers, 'name'), - ipaddresses => filter_hash($controllers, 'internal_address'), - ports => '6080', - options => 'check', - define_cookies => false, - define_backups => false, - } - ###################################################################################### - - - service { 'haproxy': - enable => true, - ensure => running, - } - -} \ No newline at end of file 
diff --git a/deployment_scripts/puppet/modules/tls/manifests/nova/novnc_controller.pp b/deployment_scripts/puppet/modules/tls/manifests/nova/novnc_controller.pp index be5b51e..5bc6689 100644 --- a/deployment_scripts/puppet/modules/tls/manifests/nova/novnc_controller.pp +++ b/deployment_scripts/puppet/modules/tls/manifests/nova/novnc_controller.pp @@ -16,9 +16,4 @@ class tls::nova::novnc_controller ( enable => true, ensure => running, } - - service { $httpd_service: - enable => true, - ensure => running, - } -} \ No newline at end of file +} diff --git a/deployment_scripts/puppet/modules/tls/manifests/params.pp b/deployment_scripts/puppet/modules/tls/manifests/params.pp index cf7a69d..18d17b0 100644 --- a/deployment_scripts/puppet/modules/tls/manifests/params.pp +++ b/deployment_scripts/puppet/modules/tls/manifests/params.pp 
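Review bot: With the `service { $httpd_service: … }` resource removed, `$httpd_service` is no longer referenced in the visible part of `tls::nova::novnc_controller`, yet controller.pp still passes `httpd_service => $tls::params::httpd_service_name`; the class header sits outside the hunk, so I cannot confirm it is unused elsewhere. If it is, drop the parameter from both sides, and in any case add a comment at the point of removal: `# Apache is now restarted by tls::horizon::horizon via Service[$::apache::params::service_name]`.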
@@ -1,30 +1,32 @@ class tls::params { if $::osfamily == 'Debian' { - $httpd_service_name = 'apache2' + $httpd_service_name = 'apache2' $horizon_settings_file = '/etc/openstack-dashboard/local_settings.py' - $usergroup = 'nogroup' + $usergroup = 'nogroup' $nova_compute_service = 'nova-compute' - $nova_novnc_service = 'nova-novncproxy' - $apache_tls_path = '/etc/apache2/TLS' - $tls_cert_file = '/etc/apache2/TLS/horizon.crt' - $tls_key_file = '/etc/apache2/TLS/horizon.key' + $nova_novnc_service = 'nova-novncproxy' + $apache_tls_path = '/etc/apache2/TLS' + $tls_cert_file = '/etc/apache2/TLS/horizon.crt' + $tls_key_file = '/etc/apache2/TLS/horizon.key' + $tls_ca_file = '/etc/apache2/TLS/horizon.ca' $root_url = '/horizon' - $apache_conf_file = '/etc/apache2/conf-available/openstack-dashboard.conf' + $apache_conf_file = '/etc/apache2/conf-available/openstack-dashboard.conf' $apache_vhost_file = '/etc/apache2/sites-available/openstack-dashboard.conf' - $apache_port_file = '/etc/apache2/ports.conf' + $apache_port_file = '/etc/apache2/ports.conf' } elsif($::osfamily == 'RedHat') { - $httpd_service_name = 'httpd' + $httpd_service_name = 'httpd' $horizon_settings_file = '/etc/openstack-dashboard/local_settings' - $usergroup = 'nobody' + $usergroup = 'nobody' $nova_compute_service = 'openstack-nova-compute' - $nova_novnc_service = 'openstack-nova-novncproxy' - $apache_tls_path = '/etc/httpd/TLS' - $tls_cert_file = '/etc/httpd/TLS/horizon.crt' - $tls_key_file = '/etc/httpd/TLS/horizon.key' + $nova_novnc_service = 'openstack-nova-novncproxy' + $apache_tls_path = '/etc/httpd/TLS' + $tls_cert_file = '/etc/httpd/TLS/horizon.crt' + $tls_key_file = '/etc/httpd/TLS/horizon.key' + $tls_ca_file = '/etc/httpd/TLS/horizon.ca' $root_url = '/dashboard' - $apache_conf_file = '/etc/httpd/conf.d/openstack-dashboard.conf' + $apache_conf_file = '/etc/httpd/conf.d/openstack-dashboard.conf' $apache_vhost_file = '/etc/httpd/conf.d/ssl.conf' - $apache_port_file = '/etc/httpd/conf.d/ports.conf' + 
$apache_port_file = '/etc/httpd/conf.d/ports.conf' } else { fail("unsupported family ${::osfamily}") } diff --git a/deployment_scripts/puppet/modules/tls/templates/openstack-dashboard.conf.erb b/deployment_scripts/puppet/modules/tls/templates/openstack-dashboard.conf.erb deleted file mode 100644 index fbf0296..0000000 --- a/deployment_scripts/puppet/modules/tls/templates/openstack-dashboard.conf.erb +++ /dev/null @@ -1,58 +0,0 @@ -# -# This file autogenerated by Puppet -# Do not edit, changes will be overwritten -# -<% -if @memorysize_mb.to_i < 1200 or @processorcount.to_i <= 3 - wsgi_daemon_processes = 3 - wsgi_daemon_threads = 10 -else - wsgi_daemon_processes = @processorcount - wsgi_daemon_threads = 15 -end - -if @osfamily == 'RedHat' %> -WSGIDaemonProcess dashboard processes=<%= wsgi_daemon_processes %> threads=<%= wsgi_daemon_threads %> -WSGIProcessGroup dashboard -WSGISocketPrefix run/wsgi - -WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi -Alias /static /usr/share/openstack-dashboard/static - - - - SetOutputFilter DEFLATE - - # Make sure proxies don’t deliver the wrong content - Header append Vary User-Agent env=!dont-vary - - - - Order allow,deny - Allow from all - - - - - ExpiresActive On - ExpiresDefault "access 6 month" - - - SetOutputFilter DEFLATE - - - Order allow,deny - Allow from all - -<% -end -if @osfamily == 'Debian' %> -WSGIScriptAlias /horizon /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi -WSGIDaemonProcess horizon user=horizon group=horizon processes=<%= wsgi_daemon_processes %> threads=<%= wsgi_daemon_threads %> -WSGIProcessGroup horizon -Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/ - - Order allow,deny - Allow from all - -<% end %> diff --git a/deployment_scripts/puppet/modules/tls/templates/port.conf.erb b/deployment_scripts/puppet/modules/tls/templates/port.conf.erb deleted file mode 100644 index 60e0b9b..0000000 
--- a/deployment_scripts/puppet/modules/tls/templates/port.conf.erb +++ /dev/null @@ -1,21 +0,0 @@ -# If you just change the port or add more ports here, you will likely also -# have to change the VirtualHost statement - -NameVirtualHost *:80 -Listen <%= @bind_address %>:80 - -<% if @osfamily == 'RedHat' -%> -NameVirtualHost *:443 -Listen <%= @bind_address %>:443 -<% else %> - - # Server Name Indication for SSL named virtual hosts is currently not - # supported by MSIE on Windows XP. - NameVirtualHost *:443 - Listen <%= @bind_address %>:443 - - - - Listen <%= @bind_address %>:443 - -<% end %> diff --git a/deployment_scripts/puppet/modules/tls/templates/vhost.erb b/deployment_scripts/puppet/modules/tls/templates/vhost.erb deleted file mode 100644 index 4730e7e..0000000 --- a/deployment_scripts/puppet/modules/tls/templates/vhost.erb +++ /dev/null @@ -1,37 +0,0 @@ -# -# This file autogenerated by Puppet -# Do not edit, changes will be overwritten -# - -# SSL support -<% if @osfamily == 'RedHat' -%> -LoadModule ssl_module modules/mod_ssl.so -<% end -%> - -SSLPassPhraseDialog builtin -SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 -SSLMutex default -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -SSLCryptoDevice builtin - -<% if @use_syslog -%> -ErrorLog syslog:local1 -<% end -%> - - - RedirectMatch permanent ^/$ <%= @root_url %>/ - RewriteEngine On - RewriteCond %{HTTPS} off - RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R] - - - - RedirectMatch permanent ^/$ <%= @root_url %>/ - SSLEngine on - SSLProtocol +TLSv1 - SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM - SSLCertificateFile <%= @ssl_cert_file %> - SSLCertificateKeyFile <%= @ssl_key_file %> - \ No newline at end of file diff --git a/deployment_scripts/puppet/modules/tls/tests/init.pp b/deployment_scripts/puppet/modules/tls/tests/init.pp index 604525b..875f9ae 100644 --- a/deployment_scripts/puppet/modules/tls/tests/init.pp 
+++ b/deployment_scripts/puppet/modules/tls/tests/init.pp @@ -9,5 +9,5 @@ # Learn more about module testing here: # http://docs.puppetlabs.com/guides/tests_smoke.html # -include tls::controller_ha +include tls::controller include tls::compute diff --git a/environment_config.yaml b/environment_config.yaml index b17ae91..afa8655 100644 --- a/environment_config.yaml +++ b/environment_config.yaml @@ -9,5 +9,11 @@ attributes: value: "" label: "Key" description: "Certificate .key content" - weight: 10 + weight: 11 + type: "password" + horizon_ca: + value: "" + label: "CA" + description: "Certificate .ca content" + weight: 12 type: "password" \ No newline at end of file diff --git a/metadata.yaml b/metadata.yaml index d3658c7..79b50d5 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -6,29 +6,24 @@ version: 1.0.0 # Description description: Enables the Transport Layer Security (TLS) protocol to secure openstack # Required fuel version -fuel_version: ['6.0'] +fuel_version: ['6.1'] + +authors: [Orange] +licenses: [Apache License Version 2.0] +homepage: https://github.com/stackforge/fuel-plugin-tls +groups: [] # The plugin is compatible with releases in the list releases: - os: ubuntu - version: 2014.2-6.0 + version: 2014.2-6.1 mode: ['ha', 'multinode'] deployment_scripts_path: deployment_scripts/ repository_path: repositories/ubuntu - os: centos - version: 2014.2-6.0 - mode: ['ha', 'multinode'] - deployment_scripts_path: deployment_scripts/ - repository_path: repositories/centos - - os: ubuntu - version: 2014.2-6.0.1 - mode: ['ha', 'multinode'] - deployment_scripts_path: deployment_scripts/ - repository_path: repositories/ubuntu - - os: centos - version: 2014.2-6.0.1 + version: 2014.2-6.1 mode: ['ha', 'multinode'] deployment_scripts_path: deployment_scripts/ repository_path: repositories/centos # Version of plugin package -package_version: '1.0.0' +package_version: '2.0.0' diff --git a/tasks.yaml b/tasks.yaml index ae11711..3b0739b 100644 --- a/tasks.yaml +++ b/tasks.yaml 
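Review bot: The new `horizon_ca` field's description, `"Certificate .ca content"`, does not tell the operator what to paste, and format.sh keeps only the first PEM block, so a pasted chain is silently truncated. Suggest `description: "CA certificate (one PEM certificate; intermediate chains are not supported)"`. It is also worth confirming what `horizon_ca` becomes in the generated vhost — if the horizon module maps it to `SSLCACertificateFile` (client-certificate trust) rather than `SSLCertificateChainFile`, browsers never receive the intermediate and the field name promises something it does not deliver.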
@@ -1,13 +1,13 @@ # Deployment is required for controllers -- role: ['controller'] - stage: post_deployment +- role: ['primary-controller','controller'] + stage: post_deployment/6003 type: puppet parameters: puppet_manifest: puppet/manifests/site.pp puppet_modules: "puppet/modules/:/etc/puppet/modules/" timeout: 360 - role: ['compute'] - stage: post_deployment + stage: post_deployment/6004 type: puppet parameters: puppet_manifest: puppet/manifests/site_compute.pp