add next level changes to support https keystone.

Partial-Bug: #1695584 changes: 1. add os_cacert to openstackrc, openrc files 2. add https identity to all config files 3. add insecure option to all config files. Change-Id: I2b7c4042a1ef6c7f9320fe173316e0258283b27c
Juniper · Jun 22, 2017 · 6995fe2 · 6995fe2
1 parent 6e02946
commit 6995fe2
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 1 deletion.
diff --git a/contrail/environment/modules/contrail/manifests/profile/openstack/glance.pp b/contrail/environment/modules/contrail/manifests/profile/openstack/glance.pp
@@ -82,6 +82,7 @@
         database_idle_timeout => '180',
         bind_port         => $bind_port,
         auth_uri          => $auth_uri,
+        identity_uri      => $identity_uri,
         os_region_name    => $keystone_region_name,
         database_min_pool_size => "100",
         database_max_pool_size => "700",
@@ -126,6 +127,7 @@
         database_idle_timeout => '180',
         bind_port         => $bind_port,
         auth_uri          => $auth_uri,
+        identity_uri      => $identity_uri,
         os_region_name    => $keystone_region_name,
         database_min_pool_size => "100",
         database_max_pool_size => "700",
@@ -142,11 +144,13 @@
         'database/db_retry_interval':        value => "1";
         'database/connection_debug':         value => "10";
         'database/pool_timeout':             value => "120";
+        'keystone_authtoken/insecure':       value => $insecure;
       }
       glance_registry_config {
         'database/db_retry_interval':        value => "1";
         'database/connection_debug':         value => "10";
         'database/pool_timeout':             value => "120";
+        'keystone_authtoken/insecure':       value => $insecure;
       }
       class { '::glance::registry':
         keystone_password     => $glance_password,
@@ -162,6 +166,8 @@
         database_max_overflow  => "1080",
         database_retry_interval => "-1",
         database_max_retries   => "-1",
+        auth_uri          => $auth_uri,
+        identity_uri      => $identity_uri,
       }
       class { '::glance::backend::file':
         multi_store => $multi_store

diff --git a/contrail/environment/modules/contrail/manifests/profile/openstack/keystone.pp b/contrail/environment/modules/contrail/manifests/profile/openstack/keystone.pp
@@ -159,6 +159,22 @@
     }
 
     /13\.0/: {
+      file { "/etc/keystone/ssl/certs/keystone.pem":
+        owner  => keystone,
+        group  => keystone,
+        source => "puppet:///ssl_certs/$hostname.pem"
+      }
+      file { "/etc/keystone/ssl/private/keystonekey.pem":
+        owner  => keystone,
+        group  => keystone,
+        source => "puppet:///ssl_certs/$hostname-privkey.pem"
+      }
+      file { "/etc/keystone/ssl/certs/ca.pem":
+        owner  => keystone,
+        group  => keystone,
+        source => "puppet:///ssl_certs/ca-cert.pem"
+      }
+
       class { '::keystone':
         database_connection => $keystone_db_conn,
         admin_token     => $admin_token,
@@ -178,7 +194,11 @@
         kombu_ssl_ca_certs => $kombu_ssl_ca_certs,
         kombu_ssl_certfile => $kombu_ssl_certfile,
         kombu_ssl_keyfile  => $kombu_ssl_keyfile,
-        enable_bootstrap   => $bootstrap_keystone
+        enable_bootstrap   => $bootstrap_keystone,
+        enable_ssl         => $enable_keystone_ssl,
+        ssl_cert_subject   => "/C=US/ST=Unset/L=Unset/O=Unset/CN=$::fqdn",
+        public_endpoint    => "$keystone_auth_protocol://$keystone_ip_to_use:$keystone_public_port/",
+        admin_endpoint     => "$keystone_auth_protocol://$keystone_ip_to_use:$keystone_admin_port/",
       }
 
       if ($keystone_version == "v3") {

diff --git a/contrail/environment/modules/contrail/manifests/profile/openstack/neutron.pp b/contrail/environment/modules/contrail/manifests/profile/openstack/neutron.pp
@@ -37,6 +37,12 @@
   $database_credentials = join([$service_password, "@", $host_control_ip],'')
   $keystone_db_conn = join(["mysql://neutron:",$database_credentials,"/neutron"],'')
 
+  if ($keystone_auth_protocol == "https") {
+    $insecure = true
+  } else {
+    $insecure = false
+  }
+
   if ($manage_neutron == false) {
     package { [ 'neutron-plugin-contrail', 'python-neutron-lbaas' ] :
       ensure => present
@@ -173,6 +179,7 @@
           'keystone_authtoken/auth_host'    : value => "$keystone_ip_to_use";
           'keystone_authtoken/auth_port'    : value => "35357";
           'keystone_authtoken/auth_protocol': value => "${keystone_auth_protocol}";
+          'keystone_authtoken/insecure'     : value => "$insecure";
         }
         contrail_plugin_ini {
           'APISERVER/api_server_ip'   : value => "$config_ip";

diff --git a/contrail/environment/modules/contrail/manifests/profile/openstack/nova.pp b/contrail/environment/modules/contrail/manifests/profile/openstack/nova.pp
@@ -37,6 +37,7 @@
 ) {
 
   $auth_uri = "${keystone_auth_protocol}://${keystone_ip_to_use}:5000/"
+  $identity_uri = "${keystone_auth_protocol}://${keystone_ip_to_use}:35357/"
 
   class {'::nova::db::mysql':
     password      => $service_password,
@@ -182,6 +183,7 @@
         metadata_listen_port                 => $metadata_port,
         admin_password                       => $nova_password,
         auth_uri                             => $auth_uri,
+        identity_uri                         => $identity_uri,
         enabled                              => 'true',
         neutron_metadata_proxy_shared_secret => $neutron_shared_secret,
         sync_db                              => $sync_db,
@@ -217,6 +219,7 @@
         'compute/compute_driver'    : value => "libvirt.LibvirtDriver";
         'DEFAULT/rabbit_hosts'      : value => "${nova_compute_rabbit_hosts}";
         'DEFAULT/novncproxy_base_url' : value => "http://${host_control_ip}:5999/vnc_auto.html";
+        'keystone_authtoken/insecure' : value => "True";
       }
     }
 

diff --git a/contrail/environment/modules/contrail/templates/openrc.erb b/contrail/environment/modules/contrail/templates/openrc.erb
@@ -9,6 +9,7 @@ export OS_USERNAME='<%= @admin_user %>'
 export OS_PASSWORD='<%= @admin_password.gsub(/'/){ %q(\') } %>'
 export OS_AUTH_URL='<%= @keystone_auth_protocol %>://<%= @controller_node %>:5000/<%= @keystone_version %>/'
 export OS_AUTH_STRATEGY='keystone'
+export OS_CACERT=/etc/keystone/ssl/certs/ca.pem
 export OS_REGION_NAME='<%= @region_name %>'
 export CINDER_ENDPOINT_TYPE='<%= @cinder_endpoint_type %>'
 export GLANCE_ENDPOINT_TYPE='<%= @glance_endpoint_type %>'

diff --git a/contrail/environment/modules/contrail/templates/openstackrc.erb b/contrail/environment/modules/contrail/templates/openstackrc.erb
@@ -5,3 +5,4 @@ export OS_AUTH_URL=<%= @keystone_auth_protocol %>://<%= @keystone_ip_to_use %>:5
 export OS_REGION_NAME=<%= @keystone_region_name %>
 export OS_NO_CACHE=1
 export OS_VOLUME_API_VERSION=2
+export OS_CACERT=/etc/keystone/ssl/certs/ca.pem