From 3874255b9f9f8a4a79898386f6a9b892896acdca Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Tue, 1 Mar 2016 18:50:40 -0500 Subject: [PATCH] scenario002: switch Keystone/Glance/Ironic/Nova to SSL * Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments. * Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again later in a next iteration. * Deploy Ironic API under WSGI instead of eventlet. * Switch Glance API, Ironic API and Keystone to SSL. * Configure Tempest with SSL endpoints when needed. * Reduce the Ironic tests because of [1]. [1] https://bugs.launchpad.net/ironic/+bug/1554237 Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not implemented in this patch. Note #2: we don't enable SSL for Neutron because of https://bugs.launchpad.net/neutron/+bug/1514424 Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014 --- files/ipv4.crt | 18 ++++++++++++++ files/ipv4.key | 27 +++++++++++++++++++++ files/ipv6.crt | 18 ++++++++++++++ files/ipv6.key | 27 +++++++++++++++++++++ files/puppet_openstack.pem | 49 -------------------------------------- fixtures/scenario002.pp | 3 +-- manifests/cacert.pp | 3 ++- manifests/cinder.pp | 5 ++-- manifests/config.pp | 11 +++++++-- manifests/glance.pp | 46 ++++++++++++++++++++++++++++------- manifests/ironic.pp | 26 ++++++++++++++++++-- manifests/keystone.pp | 21 ++++++++++++++-- manifests/neutron.pp | 6 ++++- manifests/nova.pp | 29 ++++++++++++++++++---- manifests/params.pp | 8 +++---- manifests/provision.pp | 4 +++- manifests/rabbitmq.pp | 4 ++-- manifests/ssl_key.pp | 5 +++- manifests/swift.pp | 6 +++-- manifests/tempest.pp | 8 +++++-- run_tests.sh | 20 ++++++++++++---- 21 files changed, 253 insertions(+), 91 deletions(-) create mode 100644 files/ipv4.crt create mode 100644 files/ipv4.key create mode 100644 files/ipv6.crt create mode 100644 files/ipv6.key delete mode 100644 files/puppet_openstack.pem 
diff --git a/files/ipv4.crt b/files/ipv4.crt new file mode 100644 index 000000000..0c53f63a0 --- /dev/null +++ b/files/ipv4.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAeOgAwIBAgIJALVl9IhMkdcmMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV +BAMMCTEyNy4wLjAuMTAeFw0xNjAzMTExNTE2MTRaFw0yNjAzMDkxNTE2MTRaMBQx +EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAJv5aTwsONF3PdTWoikEzndOxKqrS1RbgvBGjmqgDC/0JtVtJN1jmhBG0FyK +PJeLIFa8JAktgai0OPShBEwRadiZry35tvw4cNX3EQeLhd7n/YC4qhyobDwgCOCb +4r/WPGMAU/tsizymkcTwSw7h7u4vyGcmFj5aPW8Fd8zBk/V8CShpxjNby+teJnce +APzW+pPvXibKaCzdP6o9enRxjVCAAsqj1LkVhP40+GBWcoXGlTJivgQfUZeGQaZC +ggOOAf9D1lHV3u3OAdfz7gaoeCwzpi+AmRcg3TWmgbA6myoQJe0EGUoveRlY9n51 +px/nXjzdgHxEmGoLGkAHNqrhNj8CAwEAAaNQME4wHQYDVR0OBBYEFHTKFpvR+QEl +hqOTw9pQcJUqtM4EMB8GA1UdIwQYMBaAFHTKFpvR+QElhqOTw9pQcJUqtM4EMAwG +A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADyUrEaBXwH9GNaUKoGI+N6Y +Hv975u1PyefaawF23S3PcvS6lnKqEMr5zVXG/aGdF+Lfy2u7Mz8c+OBso2qbKZTO +MToLQ8o3WEezcadRRbQmHEoAR57eXGaSW1kiUah2TiqMvrMj24bYYaTZgGPVgVZq +NcPvQYnZKTV1DiBJNxPAO4H8CEo4T46cZS37QxOZITCKjKLnfeFfNQHmfTqe8RG+ +8xQcv4NChPj09ITUaGzLKOAEo+fS7irTWtDv7WRyQoPAMkJ1ZLS1q6ED4iAX6/ec +mRv1TT+aaQq14xYGVadALQS1ge9d9+pKWl3QG/zxnzcFCVYvdUg27gAxUpJTzb0= +-----END CERTIFICATE----- diff --git a/files/ipv4.key b/files/ipv4.key new file mode 100644 index 000000000..1abb862b2 --- /dev/null +++ b/files/ipv4.key 
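Review bot: The new certificate carries no subjectAltName: decoding the DER in this hunk gives a subject of CN=127.0.0.1, a sha1WithRSAEncryption signature, basicConstraints CA:TRUE, a validity of roughly ten years (March 2016 to March 2026) and only the key-identifier/basic-constraints extensions; files/ipv6.crt in the next file looks the same with CN=::1. Clients that follow RFC 6125 match an IP-literal endpoint only against an iPAddress SAN, so verification of https://127.0.0.1 depends on the client falling back to the CN, which newer TLS stacks may no longer do, and the SHA-1 signature is tolerated on a self-signed anchor but deprecated. I would regenerate both with `subjectAltName = IP:127.0.0.1` (respectively `IP:::1`), a SHA-256 signature and a shorter lifetime, and record the openssl invocation in a files/README so the pair can be regenerated before it expires.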
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAm/lpPCw40Xc91NaiKQTOd07EqqtLVFuC8EaOaqAML/Qm1W0k +3WOaEEbQXIo8l4sgVrwkCS2BqLQ49KEETBFp2JmvLfm2/Dhw1fcRB4uF3uf9gLiq +HKhsPCAI4Jviv9Y8YwBT+2yLPKaRxPBLDuHu7i/IZyYWPlo9bwV3zMGT9XwJKGnG +M1vL614mdx4A/Nb6k+9eJspoLN0/qj16dHGNUIACyqPUuRWE/jT4YFZyhcaVMmK+ +BB9Rl4ZBpkKCA44B/0PWUdXe7c4B1/PuBqh4LDOmL4CZFyDdNaaBsDqbKhAl7QQZ +Si95GVj2fnWnH+dePN2AfESYagsaQAc2quE2PwIDAQABAoIBADhK8u0xtKv80kcP +0+TkBDRRLG/AdOaURJS9kkbvTpa8Eovy4Vw5x2/abvcHOUkkgF5tdsANOX+O1AOO +XYOqwT3Ycb4xIxaytB61FeNYOs+xgO/FNjgznSSyFyIhgNvl0VOV2bmjejlAkNm4 +NA7CAj7a5gQ8XcjRPtzj51HyB5mQQ2TEAhVTEhaj3qqWCPJYwXZrMV0qxnT3C5ML +ZFigxapPRbvznGhzZ6qzoZxOkXc2pdvpyzwuGNkbKI03GXJ6Jv9NSoXOzGs+qXy0 +mXd7PGNF+fpqvdRYnM1aGSuBlAokpgpE2Gp4gwBRUD1zLO7/rDNGMBRklWn9hfCc +4Xg68MkCgYEAzAFQo9OYtCn/wz7Vi31qCRYhoLqf9HqCrobA0ueBq7IsoniJ/Zae +FaPeYHLS1ob1rK1HBtQ/FuG17UncaxbFR6zV2vayD9r7n9j9BrMHVDWDoBoSdEbv +z8uE95WWUHRROCMra0Gp0iAQdt9XJJhw09N7LIvFVGG5FEOIxVcDx5UCgYEAw7o8 +DSg3S+eIFfsdI5K8vpaXqLP/YT77/83rYcYBmHxMYk9LRAweZwdamwCSXSBE6Pfs +i/LlCNW99J2Dv6bRFsd9XQtyDsy9s+FDyhesI2JtmW/I8ocm9q+0C/x1bri5vhpA +ueciKSVJZtFE6AFQeTbYurW1nGLxfhFUlrLggYMCgYABQFjQSHH9WOyas/33VxOZ +bqtSIxLsGvxGOclhAc6H0RX5AShHh+78Tv8ENHAapMVJA98VqaOhbk0BYZyag48+ +O08sgqrg8gTtHBWhPuPinllqV/6Y+/5oleUA58f+QlhlMcIIbGSwR0YSlJgiP1Uh +14A/67OQKvFJsIhcPYZmaQKBgQCdFoCR8sAGvKndMnDdlyzDLmxEK0sBSqLIWQXc +sCWhs8k+cfOvhqZz/FP86YWPFpIYBLumSukFoT7W8ADIteNEjBGSttfxBuQOVfKp +ZTx0HdBnAG/gLxbXkIdJw3KgzcPNzpY6XkZtjY6O5dCPAFcNIjbqC2LaRBMcIl6o +oKJNbwKBgHrwN/ugJvM4xacKza8/L1boRAjSoTlgB0gONH8oY3wylipsFA0lIC5+ +wa5MjKtAYBdgpRI95sx3A4ejDI668ixLlzclNZv2JkrhqpF0SrLhmXVio/Co2of2 +40BmtGjoZL4juSrOlugi4rZd5jfLuiaVSe6qmMOMoJjEvqlihVyb +-----END RSA PRIVATE KEY----- diff --git a/files/ipv6.crt b/files/ipv6.crt new file mode 100644 index 000000000..68e57e746 --- /dev/null +++ b/files/ipv6.crt 
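Review bot: files/ipv4.key (and files/ipv6.key two files later) commit an unencrypted RSA private key, and the ssl_key define installs this same file for RabbitMQ, Keystone, Glance, Ironic and Nova, so after merge one public key pair is shared by every service in the scenario. That is acceptable only as throwaway material for a loopback-only CI deployment, and nothing in the module records that constraint. I would add a files/README stating that the pair is test-only and paired with the ten-year self-signed certificates, and consider generating the key and certificate at run time from run_tests.sh instead of committing them, which also removes the expiry and the fixed-CN problems.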
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIJAJnJp20/d69bMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNV +BAMMAzo6MTAeFw0xNjAzMTExNTE3MDNaFw0yNjAzMDkxNTE3MDNaMA4xDDAKBgNV +BAMMAzo6MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB7u7Apm69h +t/pDFi3sRnMg0g/bmLS0lxOjb76TQd/XC77zZSfujvaxbhuxwb3BjxrT8ZxL9R34 +GkkTrDEk51sMOXppDJqUcPhcCCOqqlXRPeGg5e71g2mod0pozLxQus8sDMWFvdJ5 +j8v/LUGKZMaOZpIVbpZ7O7dHlMVf/RG+mX8zY3vZgqLmPx3FaVriFwWQdE0h5Q2u +iuL9ewU/UDCfZMbK3Z/budkUd5K6QhTtGWhQLr+sLOWLJtWiPQ/g6RMBTd5mEy2F +gH4zLrHpmSpCHo1KaX3ZlRtPcW99ggN6J/7tlcXfVaE9gv/zWrc9aNVNC/GH83LH +OODODTMTuwMCAwEAAaNQME4wHQYDVR0OBBYEFMnKFXEhjiEZsgp2T5qzBXXFRpQ+ +MB8GA1UdIwQYMBaAFMnKFXEhjiEZsgp2T5qzBXXFRpQ+MAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQEFBQADggEBAAXkgS/NZQffVNiL9hfBQwbSJY+vPgJ4rj1SCt7g +nNwxw9WUk98zyYRQj/VQDv4Q0rKY9RRIf3/gqsDiTyYbVK665cbz61PDac57kzB6 +pYmHPyAJyfgi2TtoDCejxVIk7HEfxIctrvN/QOxM+xB8FpP9roKsmcdivWlsIhAP +JCR5beVBEjBeXXRfJxr87kTx4REXUcvMyrJ45Uign/TuHmtfgfkelLTYiVIElB0a +n/L6M/06et73zZg+A+xlXDRlWbN+38JR+6KKwWztUnjaErhgqkm7mDYlWFwlcE9S +JoUeAYL1R0LWdGwV2l/iDC8iLPVfV9GgNOvn9Op9CmzP5Os= +-----END CERTIFICATE----- diff --git a/files/ipv6.key b/files/ipv6.key new file mode 100644 index 000000000..1c8ae8e19 --- /dev/null +++ b/files/ipv6.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAsHu7sCmbr2G3+kMWLexGcyDSD9uYtLSXE6NvvpNB39cLvvNl +J+6O9rFuG7HBvcGPGtPxnEv1HfgaSROsMSTnWww5emkMmpRw+FwII6qqVdE94aDl +7vWDaah3SmjMvFC6zywMxYW90nmPy/8tQYpkxo5mkhVulns7t0eUxV/9Eb6ZfzNj +e9mCouY/HcVpWuIXBZB0TSHlDa6K4v17BT9QMJ9kxsrdn9u52RR3krpCFO0ZaFAu +v6ws5Ysm1aI9D+DpEwFN3mYTLYWAfjMusemZKkIejUppfdmVG09xb32CA3on/u2V +xd9VoT2C//Natz1o1U0L8Yfzcsc44M4NMxO7AwIDAQABAoIBAFGzBiE4MdVP9H6L +fgIGZlq3r+cdbqUBEQtLVtivjQhVoh9kx8hjnJVBcEqr0JfKujfeM/R6CWA1Ud3Q +mJ8riVrR3u33IZmR7HZdDHuOb0pJEk+YT7l+uLY6AfdVaqom6UQtDUCHeGeuVM5I +NCgqLBrrIzqvZ0GMjQl8vrdch2glwWJizNGcOn+NYIG7oBT/PoWOCxJy5/NfWxfJ +p8qlW5mLEBN7HNLEEHPdLL1OBYrrF6ZlrlZe36+BhoOai06VmTOQe3Ig3wTZNhsI +eGwWkHQrwi4nGB/5nAailUhz1T0yIYtWHiiEgaGo2LUOeOEnG43oyrIEQGo+q6d4 +hOjbwYECgYEA6o0fh37GbFWcnV/ZNoxoSOn+S/bok7/qiR5OC8yGe8HaFUnH6jot +UFqtvxlZAQK4yyvfBxgpmM7urb2PslP/EhzzdlcDJzN9fX9qFcpWsgOJoIONdr6Z +wiCKTYONcAde7c2EWc3J18YyRVaYx1jhTDNA/bg9FSwFxWvYkboCQkMCgYEAwJ87 +XT8gb2Iwhz7laE56LjFWDpR2cGDmgYJ9zkgG+M9HYHYBo+u8izq7VOS4tOzV57O3 +86rgAwTwt7pkuF+3AqKA+mXcEI7GLc658n+kr4WYd5vqV504njtOnNZv0u1wIevi +iwCXnvcDBOiR1iiNB4EPYiqehvkKhlkr0dlw+EECgYB86xxXtZVILXB0AJBXFQCV +lMny+1VzG0t2K8W1UwBs+RmFLP5kKQfpO+I9XOqiNyjkTEFELgI5eDx2G/dkKog2 +xWSFKmJrhmjXZfzCDjmOJYQvEOFO1MRfN6VxExdJCyPr0wEiMw/E87Hia/SCdzvG +saVze6RMml2Yf4+gTUjWsQKBgQCdiZ2jxd1hO401D9vQU17aKL+ZbRLxFk9v3KnH +7GDHXb+ixODSkBrERGSyKd5nGsxXlET+pOJRldjKa0e1A5NKNF4IbQZvBFZRYKH0 +EzE93KW2LW6b+Zo0z4yb+UW73TW4iJPf27wl5yAxA4VDAidV29gZEYJWIZjaCFQu +bQhYAQKBgF8TutgmCecVc7HUGD4926rLGZRWpOHK+7z4OxVdHPaTBPGt/Z9YriBj +TkNUUUf7DpG1AtCK8q94XnAGuEjJIh4jMPoDm+MrFYPzzdsjvoRW3shnZ274kr5h +fLfx9ecAuRtnniDMgnR6qMYfQ7GShes+UU3Imol0k5txXJQIRTbq +-----END RSA PRIVATE KEY----- diff --git a/files/puppet_openstack.pem b/files/puppet_openstack.pem deleted file mode 100644 index 50c01ad01..000000000 --- a/files/puppet_openstack.pem +++ /dev/null 
@@ -1,49 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDhTCCAm2gAwIBAgIJAO2foCrPQj0dMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV -BAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIw -EAYDVQQKDAlPcGVuU3RhY2sxDzANBgNVBAsMBlB1cHBldDAeFw0xNjAyMjcyMzQ2 -NTdaFw0xNzAyMjYyMzQ2NTdaMFkxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWVi -ZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIwEAYDVQQKDAlPcGVuU3RhY2sxDzAN -BgNVBAsMBlB1cHBldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8p -3kUc+sKhB0/9G42EEcyAJeHbi6l96phKdu63k17xSCP6KetLVI3FXZ/NbHvXMrGZ -45Z4UV47uChdI0T7rB4Thi5OgKRxKVMeCC38D7xnS4VX2HpLC+r/CMnDxPKMoZRF -ua0r2aSY59268T2fXjNz9l5RUTTXJxdjMVDg0C4QQEnoRyeprmepRU8Nh7CINjl6 -IFmDDuyjVQFBDO4V2NN3T6tJwHmsn0ac2+3bvVKeov7T+tPv7dIFqgBVYKoPrzb6 -B/J3+h4gLV5cNJkkCX9X8Xo9T1WteHtQGPz4IKy7mpRyn3vICqK3ztknqeh6JjVm -8vCfVgLw0M1nIFATKnECAwEAAaNQME4wHQYDVR0OBBYEFKc3gtxGBHMCwxwtE30a -Ig5+A1w8MB8GA1UdIwQYMBaAFKc3gtxGBHMCwxwtE30aIg5+A1w8MAwGA1UdEwQF -MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABWJOH+ehGGjZrycXeFjs0ypnCpDtLNi -PQhAOuoaejR/4MU801qRB+AGxjn+/pzm7t39hpdNRj+Vgx7BNOR6RmtMH68TCIzT -xFKV8T55nH9DjwlSwKDtB5oqnODL7nIJ0Gi/kQBoopOfTUPBYLQZVR/m+7PF3m0I -epdZr+NE5Qm10LEQ+v0vlmtyoDhQ2ettgJxFXURWKMq4600c6+dtGWAJlx0aN7Bb -JSpU/bGgNxLunGR545G6y9iQsi1YwjVJyBSPBIjwnQZKshPELuhmrk18eHIRW0QD -uMJ9kPyLU1r43CNNeWux0nsoyG72NAJKRIaOqIy9EPXTxjeTsYz/2Ts= ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPKd5FHPrCoQdP -/RuNhBHMgCXh24upfeqYSnbut5Ne8Ugj+inrS1SNxV2fzWx71zKxmeOWeFFeO7go -XSNE+6weE4YuToCkcSlTHggt/A+8Z0uFV9h6Swvq/wjJw8TyjKGURbmtK9mkmOfd -uvE9n14zc/ZeUVE01ycXYzFQ4NAuEEBJ6Ecnqa5nqUVPDYewiDY5eiBZgw7so1UB -QQzuFdjTd0+rScB5rJ9GnNvt271SnqL+0/rT7+3SBaoAVWCqD682+gfyd/oeIC1e -XDSZJAl/V/F6PU9VrXh7UBj8+CCsu5qUcp97yAqit87ZJ6noeiY1ZvLwn1YC8NDN -ZyBQEypxAgMBAAECggEAF9jB9UK4ut6+cL66BThGtDusIKudEA2mi5FGz4PiOvOb -UkjhumwZd5hYhqSm8Dp9Y2RLhm6jLy3ArSTLgo1V6sBkmb//nu5Hy4GRf3mcdhuN -3fOWv70TyiFBabhXW3RExUShcwWxL/lJ94QlcOp/dXzLx1+k8Wgy38ZTTvQSArs3 
-IWVR/MAAwD0CKPijn3qZX804BTAGpuQRvqAmZ5Ysg9NI6F9zKdnPvjA3q0rKE1x9 -i3SnWN93r0fspH8XtOdb7qX/5NjYWbSSdN+rjgLP7ATugjO/J94eFdPcpDVHCyb5 -UKdkQ6f8W4bDCYJfXcbamR7G8zAcJU+SLllH0dkUgQKBgQDstd3Gl2rpVG8x4/JU -LxyhVhXU59lNZpdCGDcYKV5m37LvApkgYNSBptyq1x3F4dt/NbvZ4o15Jacmbasq -l1qSP9c/1VRjZwhLjhgAtfJPxKvjqvL/hg3RBoK9hm3n5fkjtsVYse+1xYTcwTBh -EIf5Evyyr8s4mrrvAf3Pz2tOlQKBgQDgC5wrQBfDKqZQBpDdcbwuMInDoBVmndgz -ZU9IZDAcpDtk4N94au6YDw5y8Bv8Y8e5XpoR0wUMvcG9hLFl/QVw6yAdzZJx+st0 -50UAqFb80qsnW5DZU2GOWMY3FUmAKNQ64f8YQ1I5DfVerIzWRsSOUrDU9E4HgVTY -6BH2RFuhbQKBgQC14AsWErOnsiN5zu4b9tLlt9IwczAJA6GGvDpgyzBolMrUUEe9 -lAjT0ZTNg1mx+JcBSBUdFbCj++VRZoRUxlRl+L13o38inUDHZNdWfHZBChkUZf4t -jR/CkmEUJF0ACDiEU2OQga9wF+K9B4cXnW8MVqVo2h+oT2MAT6Rn7rRBfQKBgQCO -ljT8vZyh5AnWkmct182Io/F5Y+9a0IghJY/QpZqND+SQ7iCq9XsFoUdz1OYquaIJ -knCBeYgUNMwRflqcauxEkg9tiEB0c8V6kBk1Mu2xl62/raHA/jTvMAZuVgjiHJn9 -I4mC+o1grEaFy1ESqhU78tqBnT3vvtqt9PxBe/3I/QKBgQCxiTa8UVbCEsaeuZaU -v2Q/Ca6xaBPXNFG5zQzElyDT7xGqo1LrQcOZijiY39bGg4O+9jVlkWpu3nfdOYc6 -LnM5U/5/2mNa4qmO/ntypQJBuAYHvEKwZnNp0jRB7XHiqenrkMCMfxABbPO1Yksj -NvVFs8W/3TAiZXoZVqKttZuE9g== ------END PRIVATE KEY----- diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp index 2352eae2d..19009ecf5 100644 --- a/fixtures/scenario002.pp +++ b/fixtures/scenario002.pp @@ -34,8 +34,7 @@ case $::osfamily { include ::openstack_integration class { '::openstack_integration::config': - ssl => true, - ipv6 => true, + ssl => true, } include ::openstack_integration::cacert include ::openstack_integration::rabbitmq diff --git a/manifests/cacert.pp b/manifests/cacert.pp index 07539e2b5..788e66971 100644 --- a/manifests/cacert.pp +++ b/manifests/cacert.pp 
@@ -1,13 +1,14 @@ class openstack_integration::cacert { include ::openstack_integration::params + include ::openstack_integration::config file { $::openstack_integration::params::cert_path: ensure => present, owner => 'root', group => 'root', mode => '0444', - source => 'puppet:///modules/openstack_integration/puppet_openstack.pem', + source => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.crt", selinux_ignore_defaults => true, replace => true, } diff --git a/manifests/cinder.pp b/manifests/cinder.pp index 2d26c3dad..85aa34631 100644 --- a/manifests/cinder.pp +++ b/manifests/cinder.pp @@ -43,7 +43,8 @@ class openstack_integration::cinder ( } class { '::cinder::api': keystone_password => 'a_big_secret', - identity_uri => 'http://127.0.0.1:35357/', + auth_uri => $::openstack_integration::config::keystone_auth_uri, + identity_uri => $::openstack_integration::config::keystone_admin_uri, default_volume_type => 'BACKEND_1', service_workers => 2, } @@ -55,7 +56,7 @@ class openstack_integration::cinder ( } class { '::cinder::cron::db_purge': } class { '::cinder::glance': - glance_api_servers => 'localhost:9292', + glance_api_servers => "${::openstack_integration::config::proto}://127.0.0.1:9292", } case $backend { 'iscsi': { diff --git a/manifests/config.pp b/manifests/config.pp index 16c85d69d..b7ec589e9 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -15,19 +15,26 @@ class openstack_integration::config ( if $ssl { $rabbit_port = '5671' + $proto = 'https' } else { $rabbit_port = '5672' + $proto = 'http' } if $ipv6 { $rabbit_host = '[::1]' - $rabbit_env = { + $rabbit_env = { 'RABBITMQ_NODE_IP_ADDRESS' => '::1', 'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"', } + $ip_version = '6' } else { $rabbit_host = '127.0.0.1' - $rabbit_env = {} + $rabbit_env = {} + $ip_version = '4' } + $keystone_auth_uri = "${proto}://127.0.0.1:5000" + $keystone_admin_uri = "${proto}://127.0.0.1:35357" + } 
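Review bot: The new `source` string in cacert.pp references the variable as `${openstack_integration::config::ip_version}` without the leading `::`, unlike every other reference in this patch (`$::openstack_integration::config::...`); the key source in manifests/ssl_key.pp near the end of the series uses the same relative form. Puppet 3 can resolve an unanchored qualified name relative to the current class before falling back to top scope, so anchoring it, `source => "puppet:///modules/openstack_integration/ipv${::openstack_integration::config::ip_version}.crt",`, keeps the lookup unambiguous and the style consistent. The file installed here is also the certificate every service presents (glance, ironic, keystone and nova all pass `$::openstack_integration::params::cert_path` as their cert), which deserves a comment on the file resource such as `# self-signed: this file is both the trust anchor and the server certificate`.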
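Review bot: In config.pp `$keystone_auth_uri` and `$keystone_admin_uri` are built from the literal `127.0.0.1` even when `$ipv6` is set, while the new `$ip_version` selects an ipv6.crt whose subject is `::1` and `$rabbit_host` already switches to `[::1]`; in the IPv6 branch every https client would connect to an IPv4 address and check it against an IPv6-only certificate. The fixture drops `ipv6 => true` in this series, so it does not fire today, but this class is where the two should be kept in step. I would set a host in each branch (`$host = '[::1]'` next to `$ip_version = '6'`, `$host = '127.0.0.1'` next to `$ip_version = '4'`) and derive both URIs from it, `$keystone_auth_uri = "${proto}://${host}:5000"`, then reuse the variable in the per-service endpoint URLs as a follow-up.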
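Review bot: The cinder.pp hunks point `cinder::glance` at `"${proto}://127.0.0.1:9292"` and `cinder::api` at the https Keystone URIs without any CA setting, while the commit message says puppet-cinder does not yet support SSL; this works only if the distribution's python-requests honours the system trust store that cacert.pp populates. If that assumption fails on one CI platform the symptom is a certificate-verify error from cinder-api or cinder-volume; keystonemiddleware's `cafile` option and cinder's `glance_ca_certificates_file` option are the knobs to set once the puppet modules expose them. A comment on the `glance_api_servers` line recording that dependency would save the next person the search.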
diff --git a/manifests/glance.pp b/manifests/glance.pp index 3d471ca9b..fcbd7a814 100644 --- a/manifests/glance.pp +++ b/manifests/glance.pp @@ -10,6 +10,21 @@ class openstack_integration::glance ( ) { include ::openstack_integration::config + include ::openstack_integration::params + + if $::openstack_integration::config::ssl { + openstack_integration::ssl_key { 'glance': + notify => [Service['glance-api'], Service['glance-registry']], + } + Package<| tag == 'glance-package' |> -> File['/etc/glance/ssl'] + $key_file = "/etc/glance/ssl/private/${::fqdn}.pem" + $crt_file = $::openstack_integration::params::cert_path + Exec['update-ca-certificates'] ~> Service['glance-api'] + Exec['update-ca-certificates'] ~> Service['glance-registry'] + } else { + $key_file = undef + $crt_file = undef + } rabbitmq_user { 'glance': admin => true, @@ -31,7 +46,10 @@ class openstack_integration::glance ( include ::glance include ::glance::client class { '::glance::keystone::auth': - password => 'a_big_secret', + public_url => "${::openstack_integration::config::proto}://127.0.0.1:9292", + internal_url => "${::openstack_integration::config::proto}://127.0.0.1:9292", + admin_url => "${::openstack_integration::config::proto}://127.0.0.1:9292", + password => 'a_big_secret', } case $backend { 'file': { @@ -54,6 +72,7 @@ class openstack_integration::glance ( swift_store_user => 'services:glance', swift_store_key => 'a_big_secret', swift_store_create_container_on_put => 'True', + swift_store_auth_address => "${::openstack_integration::config::proto}://127.0.0.1:5000/v2.0", } } default: { 
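Review bot: `Exec['update-ca-certificates'] ~> Service['glance-api']` and the registry line below it reference a resource this class neither declares nor includes; ironic.pp, keystone.pp and nova.pp add the same `Exec['update-ca-certificates'] ~> Service['httpd']` edge. Catalog compilation fails with a missing-resource error whenever one of these classes is evaluated without openstack_integration::cacert, which presumably declares that Exec (its body continues past the cacert hunk); the scenario fixtures include cacert, so it holds today, but the dependency is implicit. Adding `include ::openstack_integration::cacert` inside the `if $::openstack_integration::config::ssl` block of each class makes it explicit, and a comment on the `$crt_file` assignment, `# the CA anchor doubles as the service certificate (self-signed)`, explains why params::cert_path is handed to glance as its cert.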
@@ -63,13 +82,20 @@ class openstack_integration::glance ( $http_store = ['http'] $glance_stores = concat($http_store, $backend_store) class { '::glance::api': - debug => true, - verbose => true, - database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8', - keystone_password => 'a_big_secret', - workers => 2, - stores => $glance_stores, - default_store => $backend, + debug => true, + verbose => true, + database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8', + keystone_password => 'a_big_secret', + workers => 2, + stores => $glance_stores, + default_store => $backend, + auth_uri => $::openstack_integration::config::keystone_auth_uri, + identity_uri => $::openstack_integration::config::keystone_admin_uri, + registry_client_protocol => $::openstack_integration::config::proto, + registry_client_cert_file => $crt_file, + registry_client_key_file => $key_file, + cert_file => $crt_file, + key_file => $key_file, } class { '::glance::registry': debug => true, @@ -77,6 +103,10 @@ class openstack_integration::glance ( database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8', keystone_password => 'a_big_secret', workers => 2, + auth_uri => $::openstack_integration::config::keystone_auth_uri, + identity_uri => $::openstack_integration::config::keystone_admin_uri, + cert_file => $crt_file, + key_file => $key_file, } class { '::glance::notify::rabbitmq': rabbit_userid => 'glance', diff --git a/manifests/ironic.pp b/manifests/ironic.pp index 85038d5bc..31bb10515 100644 --- a/manifests/ironic.pp +++ b/manifests/ironic.pp 
@@ -1,6 +1,15 @@ class openstack_integration::ironic { include ::openstack_integration::config + include ::openstack_integration::params + + if $::openstack_integration::config::ssl { + openstack_integration::ssl_key { 'ironic': + notify => Service['httpd'], + require => Package['ironic-common'], + } + Exec['update-ca-certificates'] ~> Service['httpd'] + } rabbitmq_user { 'ironic': admin => true, @@ -31,12 +40,25 @@ class openstack_integration::ironic { password => 'ironic', } class { '::ironic::keystone::auth': - password => 'a_big_secret', + public_url => "${::openstack_integration::config::proto}://127.0.0.1:6385", + internal_url => "${::openstack_integration::config::proto}://127.0.0.1:6385", + admin_url => "${::openstack_integration::config::proto}://127.0.0.1:6385", + password => 'a_big_secret', } class { '::ironic::client': } class { '::ironic::api': + auth_uri => $::openstack_integration::config::keystone_auth_uri, + identity_uri => $::openstack_integration::config::keystone_admin_uri, + neutron_url => 'http://127.0.0.1:9696', admin_password => 'a_big_secret', - workers => '2', + service_name => 'httpd', + } + include ::apache + class { '::ironic::wsgi::apache': + ssl => $::openstack_integration::config::ssl, + ssl_key => "/etc/ironic/ssl/private/${::fqdn}.pem", + ssl_cert => $::openstack_integration::params::cert_path, + workers => 2, } class { '::ironic::conductor': } Rabbitmq_user_permissions['ironic@/'] -> Service<| tag == 'ironic-service' |> diff --git a/manifests/keystone.pp b/manifests/keystone.pp index 6b8a632e7..aec807f6a 100644 --- a/manifests/keystone.pp +++ b/manifests/keystone.pp 
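Review bot: `neutron_url => 'http://127.0.0.1:9696'` in the `::ironic::api` declaration is the one endpoint in this hunk left on plain HTTP, and nothing in the manifest says why while every other URL is derived from `$::openstack_integration::config::proto`. The commit message explains it (Neutron is not switched because of the linked Neutron bug), but that reasoning does not survive in the code. A comment on the line, `# Neutron stays on http, see https://bugs.launchpad.net/neutron/+bug/1514424`, with the same note in neutron.pp, keeps the exception visible when Neutron is later moved to SSL. The class body continues past the `Rabbitmq_user_permissions` chain at the end of the hunk.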
@@ -16,6 +16,17 @@ class openstack_integration::keystone ( $using_domain_config = false, ) { + include ::openstack_integration::config + include ::openstack_integration::params + + if $::openstack_integration::config::ssl { + openstack_integration::ssl_key { 'keystone': + notify => Service['httpd'], + require => Package['keystone'], + } + Exec['update-ca-certificates'] ~> Service['httpd'] + } + class { '::keystone::client': } class { '::keystone::cron::token_flush': } class { '::keystone::db::mysql': @@ -30,11 +41,14 @@ class openstack_integration::keystone ( service_name => 'httpd', default_domain => $default_domain, using_domain_config => $using_domain_config, + enable_ssl => $::openstack_integration::config::ssl, } include ::apache class { '::keystone::wsgi::apache': - ssl => false, - workers => 2, + ssl => $::openstack_integration::config::ssl, + ssl_key => "/etc/keystone/ssl/private/${::fqdn}.pem", + ssl_cert => $::openstack_integration::params::cert_path, + workers => 2, } class { '::keystone::roles::admin': email => 'test@example.tld', @@ -42,6 +56,8 @@ class openstack_integration::keystone ( } class { '::keystone::endpoint': default_domain => $default_domain, + public_url => $::openstack_integration::config::keystone_auth_uri, + admin_url => $::openstack_integration::config::keystone_admin_uri, } class { '::keystone::disable_admin_token_auth': } @@ -49,5 +65,6 @@ class openstack_integration::keystone ( password => 'a_big_secret', project_domain => 'default', user_domain => 'default', + auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/", } } diff --git a/manifests/neutron.pp b/manifests/neutron.pp index cbde0f187..4a1278059 100644 --- a/manifests/neutron.pp +++ b/manifests/neutron.pp 
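Review bot: The `::keystone::endpoint` hunk sets `public_url` and `admin_url` to the https URIs but leaves `internal_url` unset, so the internal endpoint registered in the catalog is whatever puppet-keystone's default produces; if that default is a fixed `http://127.0.0.1:5000` rather than a copy of `public_url`, every service that selects the internal interface will be sent to plain HTTP on a port that now only speaks TLS. Glance, Ironic and Nova in this series pass all three URLs explicitly, so doing the same here is the consistent choice: `internal_url => $::openstack_integration::config::keystone_auth_uri,`. Please confirm the puppet-keystone default before relying on it.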
@@ -41,6 +41,8 @@ class openstack_integration::neutron { sync_db => true, api_workers => 2, rpc_workers => 2, + auth_uri => $::openstack_integration::config::keystone_auth_uri, + auth_url => $::openstack_integration::config::keystone_admin_uri, } class { '::neutron::plugins::ml2': type_drivers => ['vxlan'], @@ -54,9 +56,10 @@ class openstack_integration::neutron { } class { '::neutron::agents::metadata': debug => true, - auth_password => 'a_big_secret', shared_secret => 'a_big_secret', metadata_workers => 2, + auth_url => "${::openstack_integration::config::keystone_admin_uri}/v2.0", + auth_password => 'a_big_secret', } class { '::neutron::agents::lbaas': debug => true, @@ -71,6 +74,7 @@ class openstack_integration::neutron { debug => true, } class { '::neutron::server::notifications': + auth_url => $::openstack_integration::config::keystone_admin_uri, password => 'a_big_secret', } class { '::neutron::services::fwaas': diff --git a/manifests/nova.pp b/manifests/nova.pp index f34a11522..a65ff06f7 100644 --- a/manifests/nova.pp +++ b/manifests/nova.pp @@ -10,6 +10,15 @@ class openstack_integration::nova ( ) { include ::openstack_integration::config + include ::openstack_integration::params + + if $::openstack_integration::config::ssl { + openstack_integration::ssl_key { 'nova': + notify => Service['httpd'], + require => Package['nova-common'], + } + Exec['update-ca-certificates'] ~> Service['httpd'] + } rabbitmq_user { 'nova': admin => true, 
@@ -32,7 +41,13 @@ class openstack_integration::nova ( password => 'nova', } class { '::nova::keystone::auth': - password => 'a_big_secret', + public_url => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s", + public_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s", + internal_url => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s", + internal_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s", + admin_url => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s", + admin_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s", + password => 'a_big_secret', } class { '::nova': database_connection => 'mysql+pymysql://nova:nova@127.0.0.1/nova?charset=utf8', @@ -42,7 +57,7 @@ class openstack_integration::nova ( rabbit_userid => 'nova', rabbit_password => 'an_even_bigger_secret', rabbit_use_ssl => $::openstack_integration::config::ssl, - glance_api_servers => 'http://127.0.0.1:9292', + glance_api_servers => "${::openstack_integration::config::proto}://127.0.0.1:9292", verbose => true, debug => true, notification_driver => 'messagingv2', @@ -50,7 +65,8 @@ class openstack_integration::nova ( } class { '::nova::api': admin_password => 'a_big_secret', - identity_uri => 'http://127.0.0.1:35357/', + auth_uri => $::openstack_integration::config::keystone_auth_uri, + identity_uri => $::openstack_integration::config::keystone_admin_uri, osapi_v3 => true, neutron_metadata_proxy_shared_secret => 'a_big_secret', metadata_workers => 2, 
@@ -60,8 +76,10 @@ class openstack_integration::nova ( } include ::apache class { '::nova::wsgi::apache': - ssl => false, - workers => '2', + ssl_key => "/etc/nova/ssl/private/${::fqdn}.pem", + ssl_cert => $::openstack_integration::params::cert_path, + ssl => $::openstack_integration::config::ssl, + workers => '2', } class { '::nova::client': } class { '::nova::conductor': } @@ -95,6 +113,7 @@ class openstack_integration::nova ( class { '::nova::vncproxy': } class { '::nova::network::neutron': + neutron_auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3", neutron_password => 'a_big_secret', } diff --git a/manifests/params.pp b/manifests/params.pp index 4c1ac98ce..d0ec4c42d 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -2,14 +2,14 @@ class openstack_integration::params { case $::osfamily { 'RedHat': { - $cacert_path = '/etc/ssl/certs/ca-bundle.crt' - $cert_path = '/etc/pki/ca-trust/source/anchors/puppet_openstack.crt' + $ca_bundle_cert_path = '/etc/ssl/certs/ca-bundle.crt' + $cert_path = '/etc/pki/ca-trust/source/anchors/puppet_openstack.pem' $update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract' } 'Debian': { - $cacert_path = '/etc/ssl/certs/puppet_openstack.pem' + $ca_bundle_cert_path = '/etc/ssl/certs/puppet_openstack.pem' $cert_path = '/usr/local/share/ca-certificates/puppet_openstack.crt' - $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates' + $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates -f' } default: { fail("Unsupported osfamily: ${::osfamily} operatingsystem") diff --git a/manifests/provision.pp b/manifests/provision.pp index 2d15c3dbc..3bb0ae672 100644 --- a/manifests/provision.pp +++ b/manifests/provision.pp 
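Review bot: In params.pp `$ca_bundle_cert_path` is a misleading name on the Debian branch: `/etc/ssl/certs/puppet_openstack.pem` is the per-certificate symlink that update-ca-certificates exports from the anchor, not the distribution bundle, whereas the RedHat value is the full `ca-bundle.crt`. Both are valid verification files for the self-signed case (rabbitmq's `ssl_cacert` and tempest's `ca_certificates_file` consume it), but a reader will assume a bundle on both platforms. A comment above the `case`, `# CA file handed to TLS clients: the system bundle on RedHat, the single exported anchor on Debian`, removes the ambiguity. `update-ca-certificates -f` also rebuilds every symlink in /etc/ssl/certs rather than updating incrementally, which is fine for a throwaway CI node but worth a word on the line.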
@@ -2,7 +2,9 @@ class openstack_integration::provision { - $os_auth_options = '--os-username admin --os-password a_big_secret --os-tenant-name openstack --os-auth-url http://127.0.0.1:5000/v2.0' + include ::openstack_integration::config + + $os_auth_options = "--os-username admin --os-password a_big_secret --os-tenant-name openstack --os-auth-url ${::openstack_integration::config::keystone_auth_uri}/v2.0" exec { 'manage_m1.nano_nova_flavor': path => '/usr/bin:/bin:/usr/sbin:/sbin', diff --git a/manifests/rabbitmq.pp b/manifests/rabbitmq.pp index d13817c9d..f17ec75dc 100644 --- a/manifests/rabbitmq.pp +++ b/manifests/rabbitmq.pp @@ -25,7 +25,7 @@ class openstack_integration::rabbitmq { } openstack_integration::ssl_key { 'rabbitmq': key_path => "/etc/rabbitmq/ssl/private/${::fqdn}.pem", - require => File['/etc/rabbitmq/ssl'], + require => File['/etc/rabbitmq/ssl/private'], notify => Service['rabbitmq-server'], } class { '::rabbitmq': @@ -33,7 +33,7 @@ class openstack_integration::rabbitmq { package_provider => $package_provider, ssl => true, ssl_only => true, - ssl_cacert => $::openstack_integration::params::cacert_path, + ssl_cacert => $::openstack_integration::params::ca_bundle_cert_path, ssl_cert => $::openstack_integration::params::cert_path, ssl_key => "/etc/rabbitmq/ssl/private/${::fqdn}.pem", environment_variables => $::openstack_integration::config::rabbit_env, diff --git a/manifests/ssl_key.pp b/manifests/ssl_key.pp index 87d281f6f..a5abb86e6 100644 --- a/manifests/ssl_key.pp +++ b/manifests/ssl_key.pp @@ -7,6 +7,9 @@ define openstack_integration::ssl_key( $key_path = undef, ) { + + include ::openstack_integration::config + if $key_path == undef { $_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem" } else { 
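Review bot: The new `$os_auth_options` string sends the `openstack` CLI to an https Keystone endpoint but passes no `--os-cacert`, so the provisioning execs succeed only if the CLI's requests library honours the system trust store populated by cacert.pp. Making the trust explicit avoids a platform-dependent verification failure: append ` --os-cacert ${::openstack_integration::params::ca_bundle_cert_path}` to the string and add `include ::openstack_integration::params` next to the config include. The class body continues past the end of this hunk.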
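Review bot: `include ::openstack_integration::config` inside the ssl_key define depends on `openstack_integration::config` having been declared with its parameters first, because the fixtures declare it resource-style (`class { '::openstack_integration::config': ssl => true }`) and Puppet rejects a resource-like declaration that follows an `include` of the same class. The fixture visible here declares config before anything else, so the order holds today, but a new caller of ssl_key evaluated earlier will fail with a duplicate declaration. A comment on the include, `# config must be declared (with parameters) before the first ssl_key; see fixtures/scenario*.pp`, documents the constraint; the same applies to the includes added to cacert.pp, swift.pp and tempest.pp. The define's body continues past the end of this hunk.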
@@ -35,7 +38,7 @@ define openstack_integration::ssl_key( file { $_key_path: ensure => present, owner => $name, - source => 'puppet:///modules/openstack_integration/puppet_openstack.pem', + source => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.key", selinux_ignore_defaults => true, mode => '0600', } diff --git a/manifests/swift.pp b/manifests/swift.pp index d51a19176..a2c95b502 100644 --- a/manifests/swift.pp +++ b/manifests/swift.pp @@ -1,5 +1,7 @@ class openstack_integration::swift { + include ::openstack_integration::config + include ::memcached class { '::swift': swift_hash_suffix => 'secrete', @@ -20,8 +22,8 @@ class openstack_integration::swift { include ::swift::proxy::tempurl include ::swift::proxy::ratelimit class { '::swift::proxy::authtoken': - auth_uri => 'http://127.0.0.1:5000/v2.0', - identity_uri => 'http://127.0.0.1:35357/', + auth_uri => "${::openstack_integration::config::keystone_auth_uri}/v2.0", + identity_uri => "${::openstack_integration::config::keystone_admin_uri}/", admin_password => 'a_big_secret', } class { '::swift::proxy::keystone': diff --git a/manifests/tempest.pp b/manifests/tempest.pp index 5ca8c497a..7c3fd0ac7 100644 --- a/manifests/tempest.pp +++ b/manifests/tempest.pp @@ -63,6 +63,9 @@ class openstack_integration::tempest ( $trove = false, ) { + include ::openstack_integration::config + include ::openstack_integration::params + class { '::tempest': debug => true, use_stderr => false, 
@@ -74,8 +77,8 @@ class openstack_integration::tempest ( tempest_config_file => '/tmp/openstack/tempest/etc/tempest.conf', configure_images => true, configure_networks => true, - identity_uri => 'http://127.0.0.1:5000/v2.0', - identity_uri_v3 => 'http://127.0.0.1:5000/v3', + identity_uri => "${::openstack_integration::config::keystone_auth_uri}/v2.0", + identity_uri_v3 => "${::openstack_integration::config::keystone_auth_uri}/v3", admin_username => 'admin', admin_tenant_name => 'openstack', admin_password => 'a_big_secret', @@ -103,6 +106,7 @@ class openstack_integration::tempest ( image_alt_ssh_user => 'cirros', img_file => 'cirros-0.3.4-x86_64-disk.img', compute_build_interval => 10, + ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path, # TODO(emilien) optimization by 1/ using Hiera to configure Glance image source # and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image. # img_dir => '/home/jenkins/cache/files', diff --git a/run_tests.sh b/run_tests.sh index b224aedb0..65e3e3e13 100755 --- a/run_tests.sh +++ b/run_tests.sh @@ -115,11 +115,21 @@ wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img -P /tmp set +e # Select what to test: -# - smoke suite -# - dashboard (horizon) -# - TelemetryAlarming (Aodh) -# - api.baremetal (Ironic) -cd /tmp/openstack/tempest; tox -eall -- --concurrency=2 smoke dashboard TelemetryAlarming api.baremetal +# Smoke suite +TESTS="smoke" + +# Horizon +TESTS="${TESTS} dashbboard" + +# Aodh +TESTS="${TESTS} TelemetryAlarming" + +# Ironic +# Note: running all Ironic tests under SSL is not working +# https://bugs.launchpad.net/ironic/+bug/1554237 +TESTS="${TESTS} api.baremetal.admin.test_drivers" + +cd /tmp/openstack/tempest; tox -eall -- --concurrency=2 $TESTS RESULT=$? set -e /tmp/openstack/tempest/.tox/all/bin/testr last --subunit > /tmp/openstack/tempest/testrepository.subunit
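Review bot: `TESTS="${TESTS} dashbboard"` misspells the Horizon selector, so the tox invocation at the end of the run_tests.sh hunk matches no Horizon tests and the dashboard coverage the old single-line command had is silently lost (testr treats each name as a filter regex, so an unmatched one raises no error). It should read `TESTS="${TESTS} dashboard"`. Leaving `$TESTS` unquoted on the `tox` line is intended, since word splitting is what turns it into separate selectors; a comment such as `# $TESTS is split on purpose: one regex per selector` stops someone from quoting it later.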