Use ssl lookups for ironic endpoints

The endpoints used by ironic should lookup the procol and hostname from the ssl hash. This change switches the endpoint lookups to query the ssl hash for tls configuration support. Change-Id: I79a50493211b1973d285d5f2b19f5330c003768e Closes-Bug: #1568059
2016-06-13 10:44:48 -06:00 · 2016-06-13 10:44:48 -06:00 · af4241d86f
parent bedd29639a
commit af4241d86f
7 changed files with 68 additions and 32 deletions
--- a/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
+++ b/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
@ -11,7 +11,6 @@ class openstack_tasks::ironic::ironic {

  $database_vip               = hiera('database_vip')
  $keystone_endpoint          = hiera('service_endpoint')
-  $neutron_endpoint           = hiera('neutron_endpoint', $management_vip)
  $glance_api_servers         = hiera('glance_api_servers', "${management_vip}:9292")
  $debug                      = hiera('debug', false)
  $verbose                    = hiera('verbose', true)
@ -60,6 +59,11 @@ class openstack_tasks::ironic::ironic {
  $admin_identity_uri         = "${admin_identity_protocol}://${admin_identity_address}:35357"
  $public_protocol            = get_ssl_property($ssl_hash, $public_ssl_hash, 'ironic', 'public', 'protocol', 'http')
  $public_address             = get_ssl_property($ssl_hash, $public_ssl_hash, 'ironic', 'public', 'hostname', $public_vip)
+  $neutron_endpoint_default   = hiera('neutron_endpoint', $management_vip)
+  $neutron_protocol           = get_ssl_property($ssl_hash, {}, 'neutron', 'internal', 'protocol', 'http')
+  $neutron_endpoint           = get_ssl_property($ssl_hash, {}, 'neutron', 'internal', 'hostname', $neutron_endpoint_default)
+
+

  prepare_network_config(hiera_hash('network_scheme', {}))

@ -91,7 +95,7 @@ class openstack_tasks::ironic::ironic {
    admin_tenant_name => $ironic_tenant,
    admin_user        => $ironic_user,
    admin_password    => $ironic_user_password,
-    neutron_url       => "http://${neutron_endpoint}:9696",
+    neutron_url       => "${neutron_protocol}://${neutron_endpoint}:9696",
    public_endpoint   => "${public_protocol}://${public_address}:6385",
  }

--- a/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
+++ b/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
@ -5,6 +5,7 @@ class openstack_tasks::ironic::keystone {
  $ironic_hash                = hiera_hash('ironic', {})
  $public_vip                 = hiera('public_vip')
  $management_vip             = hiera('management_vip')
+  $ssl_hash                   = hiera_hash('use_ssl', {})
  $public_ssl_hash            = hiera_hash('public_ssl')
  $ironic_tenant              = pick($ironic_hash['tenant'],'services')
  $ironic_user                = pick($ironic_hash['auth_name'],'ironic')
@ -16,20 +17,20 @@ class openstack_tasks::ironic::keystone {

  Class['::osnailyfacter::wait_for_keystone_backends'] -> Class['::ironic::keystone::auth']

-  $public_address = $public_ssl_hash['services'] ? {
-    true    => $public_ssl_hash['hostname'],
-    default => $public_vip,
-  }
-  $public_protocol = $public_ssl_hash['services'] ? {
-    true    => 'https',
-    default => 'http',
-  }
-
  $region                     = hiera('region', 'RegionOne')
  $tenant                     = pick($ironic_hash['tenant'], 'services')
-  $public_url                 = "${public_protocol}://${public_address}:6385"
-  $admin_url                  = "http://${management_vip}:6385"
-  $internal_url               = "http://${management_vip}:6385"
+
+  $public_protocol     = get_ssl_property($ssl_hash, $public_ssl_hash, 'ironic', 'public', 'protocol', 'http')
+  $public_address      = get_ssl_property($ssl_hash, $public_ssl_hash, 'ironic', 'public', 'hostname', [$public_vip])
+  $internal_protocol   = get_ssl_property($ssl_hash, {}, 'ironic', 'internal', 'protocol', 'http')
+  $internal_address    = get_ssl_property($ssl_hash, {}, 'ironic', 'internal', 'hostname', [$management_vip])
+  $admin_protocol      = get_ssl_property($ssl_hash, {}, 'ironic', 'admin', 'protocol', 'http')
+  $admin_address       = get_ssl_property($ssl_hash, {}, 'ironic', 'admin', 'hostname', [$management_vip])
+
+  $public_url          = "${public_protocol}://${public_address}:6385"
+  $admin_url           = "${admin_protocol}://${admin_address}:6385"
+  $internal_url        = "${internal_protocol}://${internal_address}:6385"
+

  class { '::osnailyfacter::wait_for_keystone_backends':}
  class { '::ironic::keystone::auth':
--- a/deployment/puppet/openstack_tasks/manifests/roles/ironic_conductor.pp
+++ b/deployment/puppet/openstack_tasks/manifests/roles/ironic_conductor.pp
@ -14,7 +14,6 @@ class openstack_tasks::roles::ironic_conductor {

  $database_vip               = hiera('database_vip')
  $service_endpoint           = hiera('service_endpoint')
-  $neutron_endpoint           = hiera('neutron_endpoint', $management_vip)
  $glance_api_servers         = hiera('glance_api_servers', "${management_vip}:9292")
  $amqp_hosts                 = hiera('amqp_hosts')
  $rabbit_hosts               = split($amqp_hosts, ',')
@ -31,6 +30,18 @@ class openstack_tasks::roles::ironic_conductor {
  $ironic_user_password       = pick($ironic_hash['user_password'],'ironic')
  $ironic_swift_tempurl_key   = pick($ironic_hash['swift_tempurl_key'],'ironic')

+  $ssl_hash                   = hiera('use_ssl', {})
+  $neutron_endpoint_default   = hiera('neutron_endpoint', $management_vip)
+  $neutron_protocol           = get_ssl_property($ssl_hash, {}, 'neutron', 'internal', 'protocol', 'http')
+  $neutron_endpoint           = get_ssl_property($ssl_hash, {}, 'neutron', 'internal', 'hostname', $neutron_endpoint_default)
+  $neutron_uri                = "${neutron_protocol}://${neutron_endpoint}:9696"
+  $internal_auth_protocol     = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'protocol', 'http')
+  $internal_auth_address      = get_ssl_property($ssl_hash, {}, 'keystone', 'internal', 'hostname', [$service_endpoint, $management_vip])
+  $internal_auth_uri          = "${internal_auth_protocol}://${internal_auth_address}:5000"
+  $admin_identity_protocol    = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'protocol', 'http')
+  $admin_identity_address     = get_ssl_property($ssl_hash, {}, 'keystone', 'admin', 'hostname', [$service_endpoint, $management_vip])
+  $admin_identity_uri         = "${admin_identity_protocol}://${admin_identity_address}:35357"
+
  $db_type                    = 'mysql'
  $db_host                    = pick($ironic_hash['db_host'], $database_vip)
  $db_user                    = pick($ironic_hash['db_user'], 'ironic')
@ -88,9 +99,9 @@ class openstack_tasks::roles::ironic_conductor {
  }

  ironic_config {
-    'neutron/url':                          value => "http://${neutron_endpoint}:9696";
-    'keystone_authtoken/auth_uri':          value => "http://${service_endpoint}:5000/";
-    'keystone_authtoken/auth_host':         value => $service_endpoint;
+    'neutron/url':                          value => $neutron_uri;
+    'keystone_authtoken/auth_uri':          value => $internal_auth_uri;
+    'keystone_authtoken/identity_uri':      value => $admin_identity_uri;
    'keystone_authtoken/admin_tenant_name': value => $ironic_tenant;
    'keystone_authtoken/admin_user':        value => $ironic_user;
    'keystone_authtoken/admin_password':    value => $ironic_user_password, secret => true;
--- a/tests/noop/spec/hosts/ironic/ironic-compute_spec.rb
+++ b/tests/noop/spec/hosts/ironic/ironic-compute_spec.rb
@ -55,7 +55,6 @@ describe manifest do
      end
    end

-    public_ssl_hash = Noop.hiera_hash('public_ssl')
    let(:ssl_hash) { Noop.hiera_hash 'use_ssl', {} }
    let(:admin_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone', 'admin','protocol','http' }
    let(:admin_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','admin', 'hostname', [Noop.hiera('service_endpoint', Noop.hiera('management_vip'))]}
--- a/tests/noop/spec/hosts/ironic/ironic_spec.rb
+++ b/tests/noop/spec/hosts/ironic/ironic_spec.rb
@ -43,6 +43,10 @@ if ironic_enabled
      end
      let(:public_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,public_ssl_hash,'ironic','admin','protocol','http' }
      let(:public_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,public_ssl_hash,'ironic','admin','hostname', public_vip }
+      let(:neutron_endpoint_default) {Noop.hiera 'neutron_endpoint', management_vip }
+      let(:neutron_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'neutron','internal','protocol','http' }
+      let(:neutron_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'neutron','internal','hostname', neutron_endpoint_default }
+

      it 'should configure default_log_levels' do
        should contain_ironic_config('DEFAULT/default_log_levels').with_value(default_log_levels.sort.join(','))
@ -66,6 +70,7 @@ if ironic_enabled
          'admin_tenant_name'    => admin_tenant,
          'admin_user'           => admin_user,
          'admin_password'       => admin_password,
+          'neutron_url'          => "#{neutron_protocol}://#{neutron_address}:9696",
          'public_endpoint'      => "#{public_protocol}://#{public_address}:6385"
        )
      end
--- a/tests/noop/spec/hosts/ironic/keystone_spec.rb
+++ b/tests/noop/spec/hosts/ironic/keystone_spec.rb
@ -11,15 +11,17 @@ describe manifest do
    if ironic_enabled
      public_vip    = Noop.hiera('public_vip')
      admin_address = Noop.hiera('management_vip')
-      public_ssl    = Noop.hiera_structure('public_ssl/services')
-
-      if public_ssl
-        public_address  = Noop.hiera_structure('public_ssl/hostname')
-        public_protocol = 'https'
-      else
-        public_address  = public_vip
-        public_protocol = 'http'
-      end
+      let(:public_ssl_hash) { Noop.hiera_hash('public_ssl') }
+      let(:ssl_hash) { Noop.hiera_hash 'use_ssl', {} }
+      let(:public_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,public_ssl_hash,'ironic','public','protocol','http' }
+      let(:public_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,public_ssl_hash,'ironic','public','hostname', public_vip }
+      let(:internal_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'ironic','internal','protocol','http' }
+      let(:internal_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'ironic','internal','hostname', admin_address }
+      let(:admin_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'ironic','admin','protocol','http' }
+      let(:admin_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'ironic','admin','hostname', admin_address }
+      let(:public_url) { "#{public_protocol}://#{public_address}:6385" }
+      let(:admin_url) { "#{admin_protocol}://#{admin_address}:6385" }
+      let(:internal_url) { "#{internal_protocol}://#{internal_address}:6385" }

      auth_name           = Noop.hiera_structure('ironic/auth_name', 'ironic')
      password            = Noop.hiera_structure('ironic/user_password')
@ -29,8 +31,6 @@ describe manifest do
      region              = Noop.hiera_structure('ironic/region', 'RegionOne')
      tenant              = Noop.hiera_structure('ironic/tenant', 'services')
      service_name        = Noop.hiera_structure('ironic/service_name', 'ironic')
-      public_url          = "#{public_protocol}://#{public_address}:6385"
-      admin_url           = "http://#{admin_address}:6385"

      it 'should have explicit ordering between LB classes and particular actions' do
        expect(graph).to ensure_transitive_dependency("Haproxy_backend_status[keystone-public]",
@ -49,7 +49,7 @@ describe manifest do
          'service_name'        => service_name,
          'public_url'          => public_url,
          'admin_url'           => admin_url,
-          'internal_url'        => admin_url,
+          'internal_url'        => internal_url,
          'region'              => region,
          'tenant'              => tenant,
        )
--- a/tests/noop/spec/hosts/roles/ironic-conductor_spec.rb
+++ b/tests/noop/spec/hosts/roles/ironic-conductor_spec.rb
@ -47,12 +47,28 @@ describe manifest do
      management_vip = Noop.hiera 'management_vip'
      service_endpoint = Noop.hiera 'service_endpoint', management_vip
      neutron_endpoint = Noop.hiera 'neutron_endpoint', service_endpoint
-      neutron_url = "http://#{neutron_endpoint}:9696"
      ironic_user = Noop.hiera_structure 'ironic/user', 'ironic'
      temp_url_endpoint_type = (storage_config['images_ceph']) ? 'radosgw' : 'swift'
+
+      let(:public_ssl_hash) { Noop.hiera_hash('public_ssl') }
+      let(:ssl_hash) { Noop.hiera_hash 'use_ssl', {} }
+      let(:service_endpoint) { Noop.hiera 'service_endpoint' }
+      let(:neutron_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'neutron','internal','protocol','http' }
+      let(:neutron_endpoint) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'neutron','internal','hostname', management_vip }
+      let(:neutron_url) { "#{neutron_protocol}://#{neutron_endpoint}:9696" }
+      let(:internal_auth_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','internal','protocol','http' }
+      let(:internal_auth_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','internal','hostname', [ service_endpoint, management_vip ] }
+      let(:internal_auth_uri) { "#{internal_auth_protocol}://#{internal_auth_address}:5000" }
+      let(:admin_identity_protocol) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','internal','protocol','http' }
+      let(:admin_identity_address) { Noop.puppet_function 'get_ssl_property',ssl_hash,{},'keystone','internal','hostname', [ service_endpoint, management_vip ] }
+      let(:admin_identity_uri) { "#{internal_auth_protocol}://#{internal_auth_address}:35357" }
+
+
      it 'ironic config should have propper config options' do
        should contain_ironic_config('pxe/tftp_root').with('value' => '/var/lib/ironic/tftpboot')
        should contain_ironic_config('neutron/url').with('value' => neutron_url)
+        should contain_ironic_config('keystone_authtoken/auth_uri').with('value' => internal_auth_uri)
+        should contain_ironic_config('keystone_authtoken/identity_uri').with('value' => admin_identity_uri)
        should contain_ironic_config('keystone_authtoken/admin_user').with('value' => ironic_user)
        should contain_ironic_config('glance/temp_url_endpoint_type').with('value' => temp_url_endpoint_type)
      end