openstack/puppet-openstack-integration
Code Issues Proposed changes

scenario002: switch Keystone/Glance/Ironic/Nova to SSL

Browse Source 
* Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments.
* Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again
  later in a next iteration.
* Deploy Ironic API under WSGI instead of eventlet.
* Switch Glance API, Ironic API and Keystone to SSL.
* Configure Tempest with SSL endpoints when needed.
* Reduce the Ironic tests because of [1].

[1] https://bugs.launchpad.net/ironic/+bug/1554237

Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not
implemented in this patch.
Note #2: we don't enable SSL for Neutron because of
https://bugs.launchpad.net/neutron/+bug/1514424

Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014
This commit is contained in:
Emilien Macchi 2016-03-01 18:50:40 -05:00
parent 26b6cf114e
commit 3874255b9f
21 changed files with 253 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
files/ipv4.crt Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC+zCCAeOgAwIBAgIJALVl9IhMkdcmMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
BAMMCTEyNy4wLjAuMTAeFw0xNjAzMTExNTE2MTRaFw0yNjAzMDkxNTE2MTRaMBQx
EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJv5aTwsONF3PdTWoikEzndOxKqrS1RbgvBGjmqgDC/0JtVtJN1jmhBG0FyK
PJeLIFa8JAktgai0OPShBEwRadiZry35tvw4cNX3EQeLhd7n/YC4qhyobDwgCOCb
4r/WPGMAU/tsizymkcTwSw7h7u4vyGcmFj5aPW8Fd8zBk/V8CShpxjNby+teJnce
APzW+pPvXibKaCzdP6o9enRxjVCAAsqj1LkVhP40+GBWcoXGlTJivgQfUZeGQaZC
ggOOAf9D1lHV3u3OAdfz7gaoeCwzpi+AmRcg3TWmgbA6myoQJe0EGUoveRlY9n51
px/nXjzdgHxEmGoLGkAHNqrhNj8CAwEAAaNQME4wHQYDVR0OBBYEFHTKFpvR+QEl
hqOTw9pQcJUqtM4EMB8GA1UdIwQYMBaAFHTKFpvR+QElhqOTw9pQcJUqtM4EMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADyUrEaBXwH9GNaUKoGI+N6Y
Hv975u1PyefaawF23S3PcvS6lnKqEMr5zVXG/aGdF+Lfy2u7Mz8c+OBso2qbKZTO
MToLQ8o3WEezcadRRbQmHEoAR57eXGaSW1kiUah2TiqMvrMj24bYYaTZgGPVgVZq
NcPvQYnZKTV1DiBJNxPAO4H8CEo4T46cZS37QxOZITCKjKLnfeFfNQHmfTqe8RG+
8xQcv4NChPj09ITUaGzLKOAEo+fS7irTWtDv7WRyQoPAMkJ1ZLS1q6ED4iAX6/ec
mRv1TT+aaQq14xYGVadALQS1ge9d9+pKWl3QG/zxnzcFCVYvdUg27gAxUpJTzb0=
-----END CERTIFICATE-----

27
files/ipv4.key Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAm/lpPCw40Xc91NaiKQTOd07EqqtLVFuC8EaOaqAML/Qm1W0k
3WOaEEbQXIo8l4sgVrwkCS2BqLQ49KEETBFp2JmvLfm2/Dhw1fcRB4uF3uf9gLiq
HKhsPCAI4Jviv9Y8YwBT+2yLPKaRxPBLDuHu7i/IZyYWPlo9bwV3zMGT9XwJKGnG
M1vL614mdx4A/Nb6k+9eJspoLN0/qj16dHGNUIACyqPUuRWE/jT4YFZyhcaVMmK+
BB9Rl4ZBpkKCA44B/0PWUdXe7c4B1/PuBqh4LDOmL4CZFyDdNaaBsDqbKhAl7QQZ
Si95GVj2fnWnH+dePN2AfESYagsaQAc2quE2PwIDAQABAoIBADhK8u0xtKv80kcP
0+TkBDRRLG/AdOaURJS9kkbvTpa8Eovy4Vw5x2/abvcHOUkkgF5tdsANOX+O1AOO
XYOqwT3Ycb4xIxaytB61FeNYOs+xgO/FNjgznSSyFyIhgNvl0VOV2bmjejlAkNm4
NA7CAj7a5gQ8XcjRPtzj51HyB5mQQ2TEAhVTEhaj3qqWCPJYwXZrMV0qxnT3C5ML
ZFigxapPRbvznGhzZ6qzoZxOkXc2pdvpyzwuGNkbKI03GXJ6Jv9NSoXOzGs+qXy0
mXd7PGNF+fpqvdRYnM1aGSuBlAokpgpE2Gp4gwBRUD1zLO7/rDNGMBRklWn9hfCc
4Xg68MkCgYEAzAFQo9OYtCn/wz7Vi31qCRYhoLqf9HqCrobA0ueBq7IsoniJ/Zae
FaPeYHLS1ob1rK1HBtQ/FuG17UncaxbFR6zV2vayD9r7n9j9BrMHVDWDoBoSdEbv
z8uE95WWUHRROCMra0Gp0iAQdt9XJJhw09N7LIvFVGG5FEOIxVcDx5UCgYEAw7o8
DSg3S+eIFfsdI5K8vpaXqLP/YT77/83rYcYBmHxMYk9LRAweZwdamwCSXSBE6Pfs
i/LlCNW99J2Dv6bRFsd9XQtyDsy9s+FDyhesI2JtmW/I8ocm9q+0C/x1bri5vhpA
ueciKSVJZtFE6AFQeTbYurW1nGLxfhFUlrLggYMCgYABQFjQSHH9WOyas/33VxOZ
bqtSIxLsGvxGOclhAc6H0RX5AShHh+78Tv8ENHAapMVJA98VqaOhbk0BYZyag48+
O08sgqrg8gTtHBWhPuPinllqV/6Y+/5oleUA58f+QlhlMcIIbGSwR0YSlJgiP1Uh
14A/67OQKvFJsIhcPYZmaQKBgQCdFoCR8sAGvKndMnDdlyzDLmxEK0sBSqLIWQXc
sCWhs8k+cfOvhqZz/FP86YWPFpIYBLumSukFoT7W8ADIteNEjBGSttfxBuQOVfKp
ZTx0HdBnAG/gLxbXkIdJw3KgzcPNzpY6XkZtjY6O5dCPAFcNIjbqC2LaRBMcIl6o
oKJNbwKBgHrwN/ugJvM4xacKza8/L1boRAjSoTlgB0gONH8oY3wylipsFA0lIC5+
wa5MjKtAYBdgpRI95sx3A4ejDI668ixLlzclNZv2JkrhqpF0SrLhmXVio/Co2of2
40BmtGjoZL4juSrOlugi4rZd5jfLuiaVSe6qmMOMoJjEvqlihVyb
-----END RSA PRIVATE KEY-----

18
files/ipv6.crt Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC7zCCAdegAwIBAgIJAJnJp20/d69bMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNV
BAMMAzo6MTAeFw0xNjAzMTExNTE3MDNaFw0yNjAzMDkxNTE3MDNaMA4xDDAKBgNV
BAMMAzo6MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB7u7Apm69h
t/pDFi3sRnMg0g/bmLS0lxOjb76TQd/XC77zZSfujvaxbhuxwb3BjxrT8ZxL9R34
GkkTrDEk51sMOXppDJqUcPhcCCOqqlXRPeGg5e71g2mod0pozLxQus8sDMWFvdJ5
j8v/LUGKZMaOZpIVbpZ7O7dHlMVf/RG+mX8zY3vZgqLmPx3FaVriFwWQdE0h5Q2u
iuL9ewU/UDCfZMbK3Z/budkUd5K6QhTtGWhQLr+sLOWLJtWiPQ/g6RMBTd5mEy2F
gH4zLrHpmSpCHo1KaX3ZlRtPcW99ggN6J/7tlcXfVaE9gv/zWrc9aNVNC/GH83LH
OODODTMTuwMCAwEAAaNQME4wHQYDVR0OBBYEFMnKFXEhjiEZsgp2T5qzBXXFRpQ+
MB8GA1UdIwQYMBaAFMnKFXEhjiEZsgp2T5qzBXXFRpQ+MAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQEFBQADggEBAAXkgS/NZQffVNiL9hfBQwbSJY+vPgJ4rj1SCt7g
nNwxw9WUk98zyYRQj/VQDv4Q0rKY9RRIf3/gqsDiTyYbVK665cbz61PDac57kzB6
pYmHPyAJyfgi2TtoDCejxVIk7HEfxIctrvN/QOxM+xB8FpP9roKsmcdivWlsIhAP
JCR5beVBEjBeXXRfJxr87kTx4REXUcvMyrJ45Uign/TuHmtfgfkelLTYiVIElB0a
n/L6M/06et73zZg+A+xlXDRlWbN+38JR+6KKwWztUnjaErhgqkm7mDYlWFwlcE9S
JoUeAYL1R0LWdGwV2l/iDC8iLPVfV9GgNOvn9Op9CmzP5Os=
-----END CERTIFICATE-----

27
files/ipv6.key Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsHu7sCmbr2G3+kMWLexGcyDSD9uYtLSXE6NvvpNB39cLvvNl
J+6O9rFuG7HBvcGPGtPxnEv1HfgaSROsMSTnWww5emkMmpRw+FwII6qqVdE94aDl
7vWDaah3SmjMvFC6zywMxYW90nmPy/8tQYpkxo5mkhVulns7t0eUxV/9Eb6ZfzNj
e9mCouY/HcVpWuIXBZB0TSHlDa6K4v17BT9QMJ9kxsrdn9u52RR3krpCFO0ZaFAu
v6ws5Ysm1aI9D+DpEwFN3mYTLYWAfjMusemZKkIejUppfdmVG09xb32CA3on/u2V
xd9VoT2C//Natz1o1U0L8Yfzcsc44M4NMxO7AwIDAQABAoIBAFGzBiE4MdVP9H6L
fgIGZlq3r+cdbqUBEQtLVtivjQhVoh9kx8hjnJVBcEqr0JfKujfeM/R6CWA1Ud3Q
mJ8riVrR3u33IZmR7HZdDHuOb0pJEk+YT7l+uLY6AfdVaqom6UQtDUCHeGeuVM5I
NCgqLBrrIzqvZ0GMjQl8vrdch2glwWJizNGcOn+NYIG7oBT/PoWOCxJy5/NfWxfJ
p8qlW5mLEBN7HNLEEHPdLL1OBYrrF6ZlrlZe36+BhoOai06VmTOQe3Ig3wTZNhsI
eGwWkHQrwi4nGB/5nAailUhz1T0yIYtWHiiEgaGo2LUOeOEnG43oyrIEQGo+q6d4
hOjbwYECgYEA6o0fh37GbFWcnV/ZNoxoSOn+S/bok7/qiR5OC8yGe8HaFUnH6jot
UFqtvxlZAQK4yyvfBxgpmM7urb2PslP/EhzzdlcDJzN9fX9qFcpWsgOJoIONdr6Z
wiCKTYONcAde7c2EWc3J18YyRVaYx1jhTDNA/bg9FSwFxWvYkboCQkMCgYEAwJ87
XT8gb2Iwhz7laE56LjFWDpR2cGDmgYJ9zkgG+M9HYHYBo+u8izq7VOS4tOzV57O3
86rgAwTwt7pkuF+3AqKA+mXcEI7GLc658n+kr4WYd5vqV504njtOnNZv0u1wIevi
iwCXnvcDBOiR1iiNB4EPYiqehvkKhlkr0dlw+EECgYB86xxXtZVILXB0AJBXFQCV
lMny+1VzG0t2K8W1UwBs+RmFLP5kKQfpO+I9XOqiNyjkTEFELgI5eDx2G/dkKog2
xWSFKmJrhmjXZfzCDjmOJYQvEOFO1MRfN6VxExdJCyPr0wEiMw/E87Hia/SCdzvG
saVze6RMml2Yf4+gTUjWsQKBgQCdiZ2jxd1hO401D9vQU17aKL+ZbRLxFk9v3KnH
7GDHXb+ixODSkBrERGSyKd5nGsxXlET+pOJRldjKa0e1A5NKNF4IbQZvBFZRYKH0
EzE93KW2LW6b+Zo0z4yb+UW73TW4iJPf27wl5yAxA4VDAidV29gZEYJWIZjaCFQu
bQhYAQKBgF8TutgmCecVc7HUGD4926rLGZRWpOHK+7z4OxVdHPaTBPGt/Z9YriBj
TkNUUUf7DpG1AtCK8q94XnAGuEjJIh4jMPoDm+MrFYPzzdsjvoRW3shnZ274kr5h
fLfx9ecAuRtnniDMgnR6qMYfQ7GShes+UU3Imol0k5txXJQIRTbq
-----END RSA PRIVATE KEY-----

49
files/puppet_openstack.pem
View File

@ -1,49 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJAO2foCrPQj0dMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
BAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIw
EAYDVQQKDAlPcGVuU3RhY2sxDzANBgNVBAsMBlB1cHBldDAeFw0xNjAyMjcyMzQ2
NTdaFw0xNzAyMjYyMzQ2NTdaMFkxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWVi
ZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIwEAYDVQQKDAlPcGVuU3RhY2sxDzAN
BgNVBAsMBlB1cHBldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8p
3kUc+sKhB0/9G42EEcyAJeHbi6l96phKdu63k17xSCP6KetLVI3FXZ/NbHvXMrGZ
45Z4UV47uChdI0T7rB4Thi5OgKRxKVMeCC38D7xnS4VX2HpLC+r/CMnDxPKMoZRF
ua0r2aSY59268T2fXjNz9l5RUTTXJxdjMVDg0C4QQEnoRyeprmepRU8Nh7CINjl6
IFmDDuyjVQFBDO4V2NN3T6tJwHmsn0ac2+3bvVKeov7T+tPv7dIFqgBVYKoPrzb6
B/J3+h4gLV5cNJkkCX9X8Xo9T1WteHtQGPz4IKy7mpRyn3vICqK3ztknqeh6JjVm
8vCfVgLw0M1nIFATKnECAwEAAaNQME4wHQYDVR0OBBYEFKc3gtxGBHMCwxwtE30a
Ig5+A1w8MB8GA1UdIwQYMBaAFKc3gtxGBHMCwxwtE30aIg5+A1w8MAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABWJOH+ehGGjZrycXeFjs0ypnCpDtLNi
PQhAOuoaejR/4MU801qRB+AGxjn+/pzm7t39hpdNRj+Vgx7BNOR6RmtMH68TCIzT
xFKV8T55nH9DjwlSwKDtB5oqnODL7nIJ0Gi/kQBoopOfTUPBYLQZVR/m+7PF3m0I
epdZr+NE5Qm10LEQ+v0vlmtyoDhQ2ettgJxFXURWKMq4600c6+dtGWAJlx0aN7Bb
JSpU/bGgNxLunGR545G6y9iQsi1YwjVJyBSPBIjwnQZKshPELuhmrk18eHIRW0QD
uMJ9kPyLU1r43CNNeWux0nsoyG72NAJKRIaOqIy9EPXTxjeTsYz/2Ts=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPKd5FHPrCoQdP
/RuNhBHMgCXh24upfeqYSnbut5Ne8Ugj+inrS1SNxV2fzWx71zKxmeOWeFFeO7go
XSNE+6weE4YuToCkcSlTHggt/A+8Z0uFV9h6Swvq/wjJw8TyjKGURbmtK9mkmOfd
uvE9n14zc/ZeUVE01ycXYzFQ4NAuEEBJ6Ecnqa5nqUVPDYewiDY5eiBZgw7so1UB
QQzuFdjTd0+rScB5rJ9GnNvt271SnqL+0/rT7+3SBaoAVWCqD682+gfyd/oeIC1e
XDSZJAl/V/F6PU9VrXh7UBj8+CCsu5qUcp97yAqit87ZJ6noeiY1ZvLwn1YC8NDN
ZyBQEypxAgMBAAECggEAF9jB9UK4ut6+cL66BThGtDusIKudEA2mi5FGz4PiOvOb
UkjhumwZd5hYhqSm8Dp9Y2RLhm6jLy3ArSTLgo1V6sBkmb//nu5Hy4GRf3mcdhuN
3fOWv70TyiFBabhXW3RExUShcwWxL/lJ94QlcOp/dXzLx1+k8Wgy38ZTTvQSArs3
IWVR/MAAwD0CKPijn3qZX804BTAGpuQRvqAmZ5Ysg9NI6F9zKdnPvjA3q0rKE1x9
i3SnWN93r0fspH8XtOdb7qX/5NjYWbSSdN+rjgLP7ATugjO/J94eFdPcpDVHCyb5
UKdkQ6f8W4bDCYJfXcbamR7G8zAcJU+SLllH0dkUgQKBgQDstd3Gl2rpVG8x4/JU
LxyhVhXU59lNZpdCGDcYKV5m37LvApkgYNSBptyq1x3F4dt/NbvZ4o15Jacmbasq
l1qSP9c/1VRjZwhLjhgAtfJPxKvjqvL/hg3RBoK9hm3n5fkjtsVYse+1xYTcwTBh
EIf5Evyyr8s4mrrvAf3Pz2tOlQKBgQDgC5wrQBfDKqZQBpDdcbwuMInDoBVmndgz
ZU9IZDAcpDtk4N94au6YDw5y8Bv8Y8e5XpoR0wUMvcG9hLFl/QVw6yAdzZJx+st0
50UAqFb80qsnW5DZU2GOWMY3FUmAKNQ64f8YQ1I5DfVerIzWRsSOUrDU9E4HgVTY
6BH2RFuhbQKBgQC14AsWErOnsiN5zu4b9tLlt9IwczAJA6GGvDpgyzBolMrUUEe9
lAjT0ZTNg1mx+JcBSBUdFbCj++VRZoRUxlRl+L13o38inUDHZNdWfHZBChkUZf4t
jR/CkmEUJF0ACDiEU2OQga9wF+K9B4cXnW8MVqVo2h+oT2MAT6Rn7rRBfQKBgQCO
ljT8vZyh5AnWkmct182Io/F5Y+9a0IghJY/QpZqND+SQ7iCq9XsFoUdz1OYquaIJ
knCBeYgUNMwRflqcauxEkg9tiEB0c8V6kBk1Mu2xl62/raHA/jTvMAZuVgjiHJn9
I4mC+o1grEaFy1ESqhU78tqBnT3vvtqt9PxBe/3I/QKBgQCxiTa8UVbCEsaeuZaU
v2Q/Ca6xaBPXNFG5zQzElyDT7xGqo1LrQcOZijiY39bGg4O+9jVlkWpu3nfdOYc6
LnM5U/5/2mNa4qmO/ntypQJBuAYHvEKwZnNp0jRB7XHiqenrkMCMfxABbPO1Yksj
NvVFs8W/3TAiZXoZVqKttZuE9g==
-----END PRIVATE KEY-----

3
fixtures/scenario002.pp
View File

@ -34,8 +34,7 @@ case $::osfamily {
include ::openstack_integration
class { '::openstack_integration::config':
ssl => true,
ipv6 => true,
ssl => true,
}
include ::openstack_integration::cacert
include ::openstack_integration::rabbitmq

3
manifests/cacert.pp
View File

@ -1,13 +1,14 @@
class openstack_integration::cacert {
include ::openstack_integration::params
include ::openstack_integration::config
file { $::openstack_integration::params::cert_path:
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
source => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.crt",
selinux_ignore_defaults => true,
replace => true,
}

5
manifests/cinder.pp
View File

@ -43,7 +43,8 @@ class openstack_integration::cinder (
}
class { '::cinder::api':
keystone_password => 'a_big_secret',
identity_uri => 'http://127.0.0.1:35357/',
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
default_volume_type => 'BACKEND_1',
service_workers => 2,
}
@ -55,7 +56,7 @@ class openstack_integration::cinder (
}
class { '::cinder::cron::db_purge': }
class { '::cinder::glance':
glance_api_servers => 'localhost:9292',
glance_api_servers => "${::openstack_integration::config::proto}://127.0.0.1:9292",
}
case $backend {
'iscsi': {

11
manifests/config.pp
View File

@ -15,19 +15,26 @@ class openstack_integration::config (
if $ssl {
$rabbit_port = '5671'
$proto = 'https'
} else {
$rabbit_port = '5672'
$proto = 'http'
}
if $ipv6 {
$rabbit_host = '[::1]'
$rabbit_env = {
$rabbit_env = {
'RABBITMQ_NODE_IP_ADDRESS' => '::1',
'RABBITMQ_SERVER_START_ARGS' => '"-proto_dist inet6_tcp"',
}
$ip_version = '6'
} else {
$rabbit_host = '127.0.0.1'
$rabbit_env = {}
$rabbit_env = {}
$ip_version = '4'
}
$keystone_auth_uri = "${proto}://127.0.0.1:5000"
$keystone_admin_uri = "${proto}://127.0.0.1:35357"
}

46
manifests/glance.pp
View File

@ -10,6 +10,21 @@ class openstack_integration::glance (
) {
include ::openstack_integration::config
include ::openstack_integration::params
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'glance':
notify => [Service['glance-api'], Service['glance-registry']],
}
Package<| tag == 'glance-package' |> -> File['/etc/glance/ssl']
$key_file = "/etc/glance/ssl/private/${::fqdn}.pem"
$crt_file = $::openstack_integration::params::cert_path
Exec['update-ca-certificates'] ~> Service['glance-api']
Exec['update-ca-certificates'] ~> Service['glance-registry']
} else {
$key_file = undef
$crt_file = undef
}
rabbitmq_user { 'glance':
admin => true,
@ -31,7 +46,10 @@ class openstack_integration::glance (
include ::glance
include ::glance::client
class { '::glance::keystone::auth':
password => 'a_big_secret',
public_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
internal_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
admin_url => "${::openstack_integration::config::proto}://127.0.0.1:9292",
password => 'a_big_secret',
}
case $backend {
'file': {
@ -54,6 +72,7 @@ class openstack_integration::glance (
swift_store_user => 'services:glance',
swift_store_key => 'a_big_secret',
swift_store_create_container_on_put => 'True',
swift_store_auth_address => "${::openstack_integration::config::proto}://127.0.0.1:5000/v2.0",
}
}
default: {
@ -63,13 +82,20 @@ class openstack_integration::glance (
$http_store = ['http']
$glance_stores = concat($http_store, $backend_store)
class { '::glance::api':
debug => true,
verbose => true,
database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8',
keystone_password => 'a_big_secret',
workers => 2,
stores => $glance_stores,
default_store => $backend,
debug => true,
verbose => true,
database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8',
keystone_password => 'a_big_secret',
workers => 2,
stores => $glance_stores,
default_store => $backend,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
registry_client_protocol => $::openstack_integration::config::proto,
registry_client_cert_file => $crt_file,
registry_client_key_file => $key_file,
cert_file => $crt_file,
key_file => $key_file,
}
class { '::glance::registry':
debug => true,
@ -77,6 +103,10 @@ class openstack_integration::glance (
database_connection => 'mysql+pymysql://glance:glance@127.0.0.1/glance?charset=utf8',
keystone_password => 'a_big_secret',
workers => 2,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
cert_file => $crt_file,
key_file => $key_file,
}
class { '::glance::notify::rabbitmq':
rabbit_userid => 'glance',

26
manifests/ironic.pp
View File

@ -1,6 +1,15 @@
class openstack_integration::ironic {
include ::openstack_integration::config
include ::openstack_integration::params
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'ironic':
notify => Service['httpd'],
require => Package['ironic-common'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
rabbitmq_user { 'ironic':
admin => true,
@ -31,12 +40,25 @@ class openstack_integration::ironic {
password => 'ironic',
}
class { '::ironic::keystone::auth':
password => 'a_big_secret',
public_url => "${::openstack_integration::config::proto}://127.0.0.1:6385",
internal_url => "${::openstack_integration::config::proto}://127.0.0.1:6385",
admin_url => "${::openstack_integration::config::proto}://127.0.0.1:6385",
password => 'a_big_secret',
}
class { '::ironic::client': }
class { '::ironic::api':
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
neutron_url => 'http://127.0.0.1:9696',
admin_password => 'a_big_secret',
workers => '2',
service_name => 'httpd',
}
include ::apache
class { '::ironic::wsgi::apache':
ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/ironic/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
}
class { '::ironic::conductor': }
Rabbitmq_user_permissions['ironic@/'] -> Service<| tag == 'ironic-service' |>

21
manifests/keystone.pp
View File

@ -16,6 +16,17 @@ class openstack_integration::keystone (
$using_domain_config = false,
) {
include ::openstack_integration::config
include ::openstack_integration::params
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'keystone':
notify => Service['httpd'],
require => Package['keystone'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
class { '::keystone::client': }
class { '::keystone::cron::token_flush': }
class { '::keystone::db::mysql':
@ -30,11 +41,14 @@ class openstack_integration::keystone (
service_name => 'httpd',
default_domain => $default_domain,
using_domain_config => $using_domain_config,
enable_ssl => $::openstack_integration::config::ssl,
}
include ::apache
class { '::keystone::wsgi::apache':
ssl => false,
workers => 2,
ssl => $::openstack_integration::config::ssl,
ssl_key => "/etc/keystone/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
workers => 2,
}
class { '::keystone::roles::admin':
email => 'test@example.tld',
@ -42,6 +56,8 @@ class openstack_integration::keystone (
}
class { '::keystone::endpoint':
default_domain => $default_domain,
public_url => $::openstack_integration::config::keystone_auth_uri,
admin_url => $::openstack_integration::config::keystone_admin_uri,
}
class { '::keystone::disable_admin_token_auth': }
@ -49,5 +65,6 @@ class openstack_integration::keystone (
password => 'a_big_secret',
project_domain => 'default',
user_domain => 'default',
auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3/",
}
}

6
manifests/neutron.pp
View File

@ -41,6 +41,8 @@ class openstack_integration::neutron {
sync_db => true,
api_workers => 2,
rpc_workers => 2,
auth_uri => $::openstack_integration::config::keystone_auth_uri,
auth_url => $::openstack_integration::config::keystone_admin_uri,
}
class { '::neutron::plugins::ml2':
type_drivers => ['vxlan'],
@ -54,9 +56,10 @@ class openstack_integration::neutron {
}
class { '::neutron::agents::metadata':
debug => true,
auth_password => 'a_big_secret',
shared_secret => 'a_big_secret',
metadata_workers => 2,
auth_url => "${::openstack_integration::config::keystone_admin_uri}/v2.0",
auth_password => 'a_big_secret',
}
class { '::neutron::agents::lbaas':
debug => true,
@ -71,6 +74,7 @@ class openstack_integration::neutron {
debug => true,
}
class { '::neutron::server::notifications':
auth_url => $::openstack_integration::config::keystone_admin_uri,
password => 'a_big_secret',
}
class { '::neutron::services::fwaas':

29
manifests/nova.pp
View File

@ -10,6 +10,15 @@ class openstack_integration::nova (
) {
include ::openstack_integration::config
include ::openstack_integration::params
if $::openstack_integration::config::ssl {
openstack_integration::ssl_key { 'nova':
notify => Service['httpd'],
require => Package['nova-common'],
}
Exec['update-ca-certificates'] ~> Service['httpd']
}
rabbitmq_user { 'nova':
admin => true,
@ -32,7 +41,13 @@ class openstack_integration::nova (
password => 'nova',
}
class { '::nova::keystone::auth':
password => 'a_big_secret',
public_url => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s",
public_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s",
internal_url => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s",
internal_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s",
admin_url => "${::openstack_integration::config::proto}://127.0.0.1:8774/v2/%(tenant_id)s",
admin_url_v3 => "${::openstack_integration::config::proto}://127.0.0.1:8774/v3/%(tenant_id)s",
password => 'a_big_secret',
}
class { '::nova':
database_connection => 'mysql+pymysql://nova:nova@127.0.0.1/nova?charset=utf8',
@ -42,7 +57,7 @@ class openstack_integration::nova (
rabbit_userid => 'nova',
rabbit_password => 'an_even_bigger_secret',
rabbit_use_ssl => $::openstack_integration::config::ssl,
glance_api_servers => 'http://127.0.0.1:9292',
glance_api_servers => "${::openstack_integration::config::proto}://127.0.0.1:9292",
verbose => true,
debug => true,
notification_driver => 'messagingv2',
@ -50,7 +65,8 @@ class openstack_integration::nova (
}
class { '::nova::api':
admin_password => 'a_big_secret',
identity_uri => 'http://127.0.0.1:35357/',
auth_uri => $::openstack_integration::config::keystone_auth_uri,
identity_uri => $::openstack_integration::config::keystone_admin_uri,
osapi_v3 => true,
neutron_metadata_proxy_shared_secret => 'a_big_secret',
metadata_workers => 2,
@ -60,8 +76,10 @@ class openstack_integration::nova (
}
include ::apache
class { '::nova::wsgi::apache':
ssl => false,
workers => '2',
ssl_key => "/etc/nova/ssl/private/${::fqdn}.pem",
ssl_cert => $::openstack_integration::params::cert_path,
ssl => $::openstack_integration::config::ssl,
workers => '2',
}
class { '::nova::client': }
class { '::nova::conductor': }
@ -95,6 +113,7 @@ class openstack_integration::nova (
class { '::nova::vncproxy': }
class { '::nova::network::neutron':
neutron_auth_url => "${::openstack_integration::config::keystone_admin_uri}/v3",
neutron_password => 'a_big_secret',
}

8
manifests/params.pp
View File

@ -2,14 +2,14 @@ class openstack_integration::params {
case $::osfamily {
'RedHat': {
$cacert_path = '/etc/ssl/certs/ca-bundle.crt'
$cert_path = '/etc/pki/ca-trust/source/anchors/puppet_openstack.crt'
$ca_bundle_cert_path = '/etc/ssl/certs/ca-bundle.crt'
$cert_path = '/etc/pki/ca-trust/source/anchors/puppet_openstack.pem'
$update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract'
}
'Debian': {
$cacert_path = '/etc/ssl/certs/puppet_openstack.pem'
$ca_bundle_cert_path = '/etc/ssl/certs/puppet_openstack.pem'
$cert_path = '/usr/local/share/ca-certificates/puppet_openstack.crt'
$update_ca_certs_cmd = '/usr/sbin/update-ca-certificates'
$update_ca_certs_cmd = '/usr/sbin/update-ca-certificates -f'
}
default: {
fail("Unsupported osfamily: ${::osfamily} operatingsystem")

4
manifests/provision.pp
View File

@ -2,7 +2,9 @@
class openstack_integration::provision {
$os_auth_options = '--os-username admin --os-password a_big_secret --os-tenant-name openstack --os-auth-url http://127.0.0.1:5000/v2.0'
include ::openstack_integration::config
$os_auth_options = "--os-username admin --os-password a_big_secret --os-tenant-name openstack --os-auth-url ${::openstack_integration::config::keystone_auth_uri}/v2.0"
exec { 'manage_m1.nano_nova_flavor':
path => '/usr/bin:/bin:/usr/sbin:/sbin',

4
manifests/rabbitmq.pp
View File

@ -25,7 +25,7 @@ class openstack_integration::rabbitmq {
}
openstack_integration::ssl_key { 'rabbitmq':
key_path => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
require => File['/etc/rabbitmq/ssl'],
require => File['/etc/rabbitmq/ssl/private'],
notify => Service['rabbitmq-server'],
}
class { '::rabbitmq':
@ -33,7 +33,7 @@ class openstack_integration::rabbitmq {
package_provider => $package_provider,
ssl => true,
ssl_only => true,
ssl_cacert => $::openstack_integration::params::cacert_path,
ssl_cacert => $::openstack_integration::params::ca_bundle_cert_path,
ssl_cert => $::openstack_integration::params::cert_path,
ssl_key => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
environment_variables => $::openstack_integration::config::rabbit_env,

5
manifests/ssl_key.pp
View File

@ -7,6 +7,9 @@
define openstack_integration::ssl_key(
$key_path = undef,
) {
include ::openstack_integration::config
if $key_path == undef {
$_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem"
} else {
@ -35,7 +38,7 @@ define openstack_integration::ssl_key(
file { $_key_path:
ensure => present,
owner => $name,
source => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
source => "puppet:///modules/openstack_integration/ipv${openstack_integration::config::ip_version}.key",
selinux_ignore_defaults => true,
mode => '0600',
}

6
manifests/swift.pp
View File

@ -1,5 +1,7 @@
class openstack_integration::swift {
include ::openstack_integration::config
include ::memcached
class { '::swift':
swift_hash_suffix => 'secrete',
@ -20,8 +22,8 @@ class openstack_integration::swift {
include ::swift::proxy::tempurl
include ::swift::proxy::ratelimit
class { '::swift::proxy::authtoken':
auth_uri => 'http://127.0.0.1:5000/v2.0',
identity_uri => 'http://127.0.0.1:35357/',
auth_uri => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
identity_uri => "${::openstack_integration::config::keystone_admin_uri}/",
admin_password => 'a_big_secret',
}
class { '::swift::proxy::keystone':

8
manifests/tempest.pp
View File

@ -63,6 +63,9 @@ class openstack_integration::tempest (
$trove = false,
) {
include ::openstack_integration::config
include ::openstack_integration::params
class { '::tempest':
debug => true,
use_stderr => false,
@ -74,8 +77,8 @@ class openstack_integration::tempest (
tempest_config_file => '/tmp/openstack/tempest/etc/tempest.conf',
configure_images => true,
configure_networks => true,
identity_uri => 'http://127.0.0.1:5000/v2.0',
identity_uri_v3 => 'http://127.0.0.1:5000/v3',
identity_uri => "${::openstack_integration::config::keystone_auth_uri}/v2.0",
identity_uri_v3 => "${::openstack_integration::config::keystone_auth_uri}/v3",
admin_username => 'admin',
admin_tenant_name => 'openstack',
admin_password => 'a_big_secret',
@ -103,6 +106,7 @@ class openstack_integration::tempest (
image_alt_ssh_user => 'cirros',
img_file => 'cirros-0.3.4-x86_64-disk.img',
compute_build_interval => 10,
ca_certificates_file => $::openstack_integration::params::ca_bundle_cert_path,
# TODO(emilien) optimization by 1/ using Hiera to configure Glance image source
# and 2/ if running in the gate, use /home/jenkins/cache/files/ cirros image.
# img_dir => '/home/jenkins/cache/files',

20
run_tests.sh
View File

@ -115,11 +115,21 @@ wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img -P /tmp
set +e
# Select what to test:
# - smoke suite
# - dashboard (horizon)
# - TelemetryAlarming (Aodh)
# - api.baremetal (Ironic)
cd /tmp/openstack/tempest; tox -eall -- --concurrency=2 smoke dashboard TelemetryAlarming api.baremetal
# Smoke suite
TESTS="smoke"
# Horizon
TESTS="${TESTS} dashbboard"
# Aodh
TESTS="${TESTS} TelemetryAlarming"
# Ironic
# Note: running all Ironic tests under SSL is not working
# https://bugs.launchpad.net/ironic/+bug/1554237
TESTS="${TESTS} api.baremetal.admin.test_drivers"
cd /tmp/openstack/tempest; tox -eall -- --concurrency=2 $TESTS
RESULT=$?
set -e
/tmp/openstack/tempest/.tox/all/bin/testr last --subunit > /tmp/openstack/tempest/testrepository.subunit