Enable TLS in the internal network for ceilometer

This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the ceilometer
service will use certmonger to request its certificate.

This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).

bp tls-via-certmonger

Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 3ad10eb..932b016 100644 (file)
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -880,6 +880,7 @@ class tripleo::haproxy (
       server_names      => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
       public_ssl_port   => $ports[ceilometer_api_ssl_port],
       service_network   => $ceilometer_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 

diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index da94da2..6ef4748 100644 (file)
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -18,18 +18,69 @@
 #
 # === Parameters
 #
+# [*ceilometer_network*]
+#   (Optional) The network name where the ceilometer endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('ceilometer_api_network', undef)
+#
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+#   (Optional) Whether or not certmonger will generate certificates for
+#   HAProxy. This could be as many as specified by the $certificates_specs
+#   variable.
+#   Note that this doesn't configure the certificates in haproxy, it merely
+#   creates the certificates.
+#   Defaults to hiera('generate_service_certificate', false).
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::ceilometer::api (
-  $step = hiera('step'),
+  $ceilometer_network            = hiera('ceilometer_api_network', undef),
+  $certificates_specs            = hiera('apache_certificates_specs', {}),
+  $enable_internal_tls           = hiera('enable_internal_tls', false),
+  $generate_service_certificates = hiera('generate_service_certificates', false),
+  $step                          = hiera('step'),
 ) {
   include ::tripleo::profile::base::ceilometer
 
+  if $enable_internal_tls {
+    if $generate_service_certificates {
+      ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+    }
+
+    if !$ceilometer_network {
+      fail('ceilometer_api_network is not set in the hieradata.')
+    }
+    $tls_certfile = $certificates_specs["httpd-${ceilometer_network}"]['service_certificate']
+    $tls_keyfile = $certificates_specs["httpd-${ceilometer_network}"]['service_key']
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+  }
+
   if $step >= 4 {
     include ::ceilometer::api
-    include ::ceilometer::wsgi::apache
+    class { '::ceilometer::wsgi::apache':
+      ssl_cert => $tls_certfile,
+      ssl_key  => $tls_keyfile,
+    }
   }
 }