Enable TLS in the internal network for horizon

This enables the usage of TLS by the apache vhost that hosts horizon.

bp tls-via-certmonger

Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e

diff --git a/manifests/profile/base/horizon.pp b/manifests/profile/base/horizon.pp
index 3f01d01..9441329 100644 (file)
--- a/manifests/profile/base/horizon.pp
+++ b/manifests/profile/base/horizon.pp
@@ -27,6 +27,27 @@
 #   (Optional) The hostname of the node responsible for bootstrapping tasks
 #   Defaults to hiera('bootstrap_nodeid')
 #
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
+# [*horizon_network*]
+#   (Optional) The network name where the horizon endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('horizon_network', undef)
+#
 # [*neutron_options*]
 #   (Optional) A hash of parameters to enable features specific to Neutron
 #   Defaults to hiera('horizon::neutron_options', {})
@@ -36,10 +57,13 @@
 #   Defaults to hiera('memcached_node_ips')
 #
 class tripleo::profile::base::horizon (
-  $step            = Integer(hiera('step')),
-  $bootstrap_node  = hiera('bootstrap_nodeid', undef),
-  $neutron_options = hiera('horizon::neutron_options', {}),
-  $memcached_ips   = hiera('memcached_node_ips')
+  $step                = Integer(hiera('step')),
+  $bootstrap_node      = hiera('bootstrap_nodeid', undef),
+  $certificates_specs  = hiera('apache_certificates_specs', {}),
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $horizon_network     = hiera('horizon_network', undef),
+  $neutron_options     = hiera('horizon::neutron_options', {}),
+  $memcached_ips       = hiera('memcached_node_ips')
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $is_bootstrap = true
@@ -47,6 +71,17 @@ class tripleo::profile::base::horizon (
     $is_bootstrap = false
   }
 
+  if $enable_internal_tls {
+    if !$horizon_network {
+      fail('horizon_api_network is not set in the hieradata.')
+    }
+    $tls_certfile = $certificates_specs["httpd-${horizon_network}"]['service_certificate']
+    $tls_keyfile = $certificates_specs["httpd-${horizon_network}"]['service_key']
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+  }
+
   if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
     # Horizon
     include ::apache::mod::remoteip
@@ -68,6 +103,8 @@ class tripleo::profile::base::horizon (
     class { '::horizon':
       cache_server_ip => $horizon_memcached_servers,
       neutron_options => $neutron_options_real,
+      horizon_cert    => $tls_certfile,
+      horizon_key     => $tls_keyfile,
     }
   }
 }