Add SSL functionality
Also:
- fixed kitchen tests
- removed unneeded kitchen configs
Change-Id: I018cf24585b2fe1b0122621b57123226fc10bc99
Related-Prod: https://mirantis.jira.com/browse/PROD-18128
diff --git a/.kitchen.docker.yml b/.kitchen.docker.yml
deleted file mode 100644
index 8633579..0000000
--- a/.kitchen.docker.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-driver:
- name: docker
- hostname: aodh.ci.local
- #socket: tcp://127.0.0.1:2376
- use_sudo: false
-
-
-
-provisioner:
- name: salt_solo
- salt_install: bootstrap
- salt_bootstrap_url: https://bootstrap.saltstack.com
- salt_version: latest
- require_chef: false
- formula: aodh
- log_level: info
- state_top:
- base:
- "*":
- - aodh
- pillars:
- top.sls:
- base:
- "*":
- - aodh
- grains:
- noservices: True
-
-
-platforms:
- - name: ubuntu-14.04
- - name: ubuntu-16.04
- - name: centos-7.1
-
-
-verifier:
- name: inspec
- sudo: true
-
-
-suites:
- - name: default
- # provisioner:
- # pillars-from-files:
- # aodh.sls: tests/pillar/default.sls
-
-# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.kitchen.openstack.yml b/.kitchen.openstack.yml
deleted file mode 100644
index 6dbf7b2..0000000
--- a/.kitchen.openstack.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-
-# usage: `KITCHEN_LOCAL_YAML=.kitchen.openstack.yml kitchen test`
-
-# https://docs.chef.io/config_yml_kitchen.html
-# https://github.com/test-kitchen/kitchen-openstack
-
----
-driver:
- name: openstack
- openstack_auth_url: <%= ENV['OS_AUTH_URL'] %>/tokens
- openstack_username: <%= ENV['OS_USERNAME'] || 'ci' %>
- openstack_api_key: <%= ENV['OS_PASSWORD'] || 'ci' %>
- openstack_tenant: <%= ENV['OS_TENANT_NAME'] || 'ci_jenkins' %>
-
- #floating_ip_pool: <%= ENV['OS_FLOATING_IP_POOL'] || 'nova' %>
- key_name: <%= ENV['BOOTSTRAP_SSH_KEY_NAME'] || 'bootstrap_insecure' %>
- private_key_path: <%= ENV['BOOTSTRAP_SSH_KEY_PATH'] || "#{ENV['HOME']}/.ssh/id_rsa_bootstrap_insecure" %>
-
-
-platforms:
- - name: ubuntu-14.04
- driver:
- username: <%= ENV['OS_UBUNTU_IMAGE_USER'] || 'root' %>
- image_ref: <%= ENV['OS_UBUNTU_IMAGE_REF'] || 'ubuntu-14-04-x64-1455869035' %>
- flavor_ref: m1.medium
- network_ref:
- <% if ENV['OS_NETWORK_REF'] -%>
- - <% ENV['OS_NETWORK_REF'] %>
- <% else -%>
- - ci-net
- <% end -%>
- # force update apt cache on the image
- run_list:
- - recipe[apt]
- attributes:
- apt:
- compile_time_update: true
-transport:
- username: <%= ENV['OS_UBUNTU_IMAGE_USER'] || 'root' %>
-
-# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
deleted file mode 100644
index 95a35a7..0000000
--- a/.kitchen.vagrant.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-driver:
- name: vagrant
- vm_hostname: aodh.ci.local
- use_sudo: false
- customize:
- memory: 512
-
-
-provisioner:
- name: salt_solo
- salt_install: bootstrap
- salt_bootstrap_url: https://bootstrap.saltstack.com
- salt_version: latest
- require_chef: false
- formula: aodh
- log_level: info
- state_top:
- base:
- "*":
- - aodh
- pillars:
- top.sls:
- base:
- "*":
- - aodh
- grains:
- noservices: True
-
-# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.kitchen.yml b/.kitchen.yml
index 4992d02..3fe2478 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -18,22 +18,36 @@
- name: linux
repo: git
source: https://github.com/salt-formulas/salt-formula-linux
- - name: keystone
- repo: git
- source: https://github.com/salt-formulas/salt-formula-keystone
state_top:
base:
"*":
- linux.system
- aodh
pillars:
+ release.sls:
+ aodh:
+ server:
+ version: <%= ENV['OS_VERSION'] || 'pike' %>
+ ssl.sls:
+ aodh:
+ server:
+ identity:
+ protocol: https
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
top.sls:
base:
"*":
- linux_repo_openstack
- aodh
+ - release
pillars-from-files:
- linux_repo_openstack.sls: tests/pillar/repo_mos9.sls
+ linux_repo_openstack.sls: tests/pillar/repo_mcp_openstack_<%= ENV['OS_VERSION'] || 'pike' %>.sls
verifier:
name: inspec
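Review bot: The new `ssl.sls` pillar turns on TLS for identity, database and message_queue but supplies no `cacert` or `cacert_file`, so the `*_ssl` suites that consume it only exercise the `file.exists` branch of the server states against the distro CA bundle that `map.jinja` now defaults `cacert_file` to; the `file.managed`/`contents_pillar` path stays untested. A comment on the pillar would make that scope explicit, e.g. `# no cacert given: exercises the system-bundle fallback only`. Minor style: `enabled: True` (two occurrences) should be the canonical lowercase `enabled: true`; Salt's YAML loader accepts both, but yamllint's truthy rule flags the capitalised form.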
@@ -56,4 +70,31 @@
provisioner:
pillars-from-files:
aodh.sls: tests/pillar/server_single.sls
+
+ - name: server_cluster_ssl
+ provisioner:
+ pillars-from-files:
+ aodh.sls: tests/pillar/server_cluster.sls
+ pillars:
+ top.sls:
+ base:
+ "*":
+ - linux_repo_openstack
+ - aodh
+ - release
+ - ssl
+
+ - name: server_single_ssl
+ provisioner:
+ pillars-from-files:
+ aodh.sls: tests/pillar/server_single.sls
+ pillars:
+ top.sls:
+ base:
+ "*":
+ - linux_repo_openstack
+ - aodh
+ - release
+ - ssl
+
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.travis.yml b/.travis.yml
index 716836a..81553b5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,10 +17,18 @@
- bundle install
env:
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 SUITE=server-cluster
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 SUITE=server-single
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=server-cluster
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=server-single
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=ocata SUITE=server_cluster
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=ocata SUITE=server_single
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=ocata SUITE=server_cluster
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=ocata SUITE=server_single
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_cluster
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_single
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=server_cluster
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=server_single
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_cluster_ssl
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_single_ssl
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=server_cluster_ssl
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=server_single_ssl
# - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-bionic-salt-2017.7 SUITE=server-cluster
# - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-bionic-salt-2017.7 SUITE=server-single
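Review bot: The two commented-out bionic entries at the end of the hunk still use the old hyphenated names `SUITE=server-cluster` / `SUITE=server-single` and carry no `OS_VERSION`, while the live entries were switched to `server_cluster` / `server_single` to match the renamed kitchen suites; whoever re-enables them will hit a suite-not-found failure. Update them in the same commit, e.g. `# - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-bionic-salt-2017.7 OS_VERSION=pike SUITE=server_cluster`, or drop them. Without `OS_VERSION` the `.kitchen.yml` ERB default `pike` would apply, which may or may not be what was intended for bionic.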
diff --git a/aodh/files/pike/aodh.conf.Debian b/aodh/files/pike/aodh.conf.Debian
index 7afacdb..f5bf9ad 100644
--- a/aodh/files/pike/aodh.conf.Debian
+++ b/aodh/files/pike/aodh.conf.Debian
@@ -335,17 +335,17 @@
# A URL representing the messaging driver to use and its full configuration.
# (string value)
#transport_url = <None>
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}
{%- if server.message_queue.members is defined %}
transport_url = rabbit://{% for member in server.message_queue.members -%}
- {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ server.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
{%- endif %}
-
# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
# include amqp and zmq. (string value)
# This option is deprecated for removal.
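Review bot: Defaulting the port to 5671 when `message_queue.ssl.enabled` is set does not by itself make oslo.messaging negotiate TLS: nothing in this patch sets `ssl = true` / `ssl_ca_file` under `[oslo_messaging_rabbit]`, so unless that section is already rendered elsewhere in the file (outside these hunks) the client will speak plaintext AMQP to the TLS listener and fail, and the CA file that `server.sls` now places via `rabbitmq_ca_aodh_server` is never referenced from the config. Add the corresponding `[oslo_messaging_rabbit]` entries keyed on the same `server.message_queue.get('ssl',{}).get('enabled', False)` test, with `server.message_queue.ssl.get('cacert_file', server.cacert_file)` as the CA path, or point to where they are set. This is the Pike Debian template only; if a RedHat template or other release templates exist alongside it, they presumably need the same change.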
@@ -521,7 +521,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
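Review bot: The `?ssl_ca=` suffix is a MySQL-driver query parameter (understood by SQLAlchemy's mysqldb/pymysql dialects); with `enabled: True` and a non-MySQL `server.database.engine` such as PostgreSQL the parameter is named differently (`sslrootcert`), so TLS would be requested wrongly or the parameter rejected. If the formula only supports MySQL-family engines, say so in a comment above the line, e.g. `# ssl_ca is a MySQL-driver option; other engines need their own CA parameter`; otherwise branch on the engine. Separately, the line now packs a conditional suffix onto an already long URL; computing it first with `{%- set db_ssl_opts = ... %}` above `connection =` would keep the rendered option readable.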
@@ -662,10 +662,14 @@
project_name = {{ server.identity.tenant }}
username = {{ server.identity.user }}
password = {{ server.identity.password }}
-auth_uri = http://{{ server.identity.host }}:5000
-auth_url = http://{{ server.identity.host }}:35357
+auth_uri = {{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
+auth_url = {{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:35357
interface = {{ server.identity.get('endpoint_type', 'internal') }}
+{%- if server.identity.get('protocol', 'http') == 'https' %}
+cafile={{ server.identity.get('cacert_file', server.cacert_file) }}
+{%- endif %}
+
{%- if server.cache is defined %}
memcached_servers = {%- for member in server.cache.members %}{{ member.host }}:{{ member.get('port', '11211') }}{% if not loop.last %},{% endif %}{%- endfor %}
{%- else %}
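Review bot: `cafile={{ ... }}` is written without the spaces every other option in this file uses (`auth_uri = ...`, `interface = ...` two lines up); oslo.config accepts both, but make it `cafile = {{ server.identity.get('cacert_file', server.cacert_file) }}` for consistency. A one-line comment above the `{%- if ... == 'https' %}` would also help, e.g. `# keystonemiddleware verifies the Identity endpoint against this CA when protocol is https`. When `protocol` is https and no `cacert_file` is given this points at the distro bundle from `map.jinja`, which only works when the Identity certificate chains to a CA already installed there.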
@@ -1680,7 +1684,7 @@
# Authentication URL (string value)
#auth_url = <None>
-auth_url = http://{{ server.identity.host }}:5000
+auth_url = {{ server.identity.get('protocol', 'http') }}://{{ server.identity.host }}:5000
# Domain ID to scope to (string value)
#domain_id = <None>
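Review bot: This `auth_url` now follows `server.identity.protocol`, but unlike the `[keystone_authtoken]` hunk above no `cafile` is emitted in this section (its header is outside the hunk; from the `auth_url`/`domain_id` context it is presumably `[service_credentials]`), so with `protocol: https` and a private CA the evaluator/notifier side will fail certificate verification while the API side works. Add the same guarded lines here: `{%- if server.identity.get('protocol', 'http') == 'https' %}` / `cafile = {{ server.identity.get('cacert_file', server.cacert_file) }}` / `{%- endif %}`.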
diff --git a/aodh/map.jinja b/aodh/map.jinja
index 1bc623c..7cd656d 100644
--- a/aodh/map.jinja
+++ b/aodh/map.jinja
@@ -3,6 +3,7 @@
'Debian': {
'pkgs': ['aodh-api', 'aodh-evaluator', 'aodh-notifier', 'aodh-listener', 'python-aodhclient'],
'services': ['aodh-evaluator', 'aodh-notifier', 'aodh-listener'],
+ 'cacert_file': '/etc/ssl/certs/ca-certificates.crt',
'webserved': ['aodh-api'],
'logging': {
'log_appender': false,
@@ -16,6 +17,7 @@
'RedHat': {
'pkgs':['openstack-aodh-api', 'openstack-aodh-evaluator', 'openstack-aodh-notifier', 'openstack-aodh-listener', 'python-aodhclient'],
'services': ['openstack-aodh-evaluator', 'openstack-aodh-notifier', 'openstack-aodh-listener'],
+ 'cacert_file': '/etc/pki/tls/certs/ca-bundle.crt',
'webserved': ['openstack-aodh-api'],
'logging': {
'log_appender': false,
diff --git a/aodh/server.sls b/aodh/server.sls
index 8c1300a..3d6a024 100644
--- a/aodh/server.sls
+++ b/aodh/server.sls
@@ -130,16 +130,70 @@
service.running:
- enable: true
- name: apache2
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
- watch:
- file: /etc/aodh/aodh.conf
- file: aodh_api_apache_config
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca_aodh_server:
+{%- if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: aodh:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+{%- else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+{%- endif %}
+{%- endif %}
+
+
+{%- if server.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_aodh_server:
+{%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: aodh:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+ - aodh_apache_restart
+
+{%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ - require_in:
+ - file: /etc/aodh/aodh.conf
+ - watch_in:
+ - aodh_server_services
+ - aodh_apache_restart
+{%- endif %}
+{%- endif %}
+
{%- endif %}
aodh_server_services:
service.running:
- names: {{ server.services }}
- enable: true
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
- watch:
- file: /etc/aodh/aodh.conf
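Review bot: In both `rabbitmq_ca_aodh_server` and `mysql_ca_aodh_server` the `file.managed` branch reads `server.message_queue.ssl.cacert_file` / `server.database.ssl.cacert_file` directly, while the `file.exists` branch falls back to `server.cacert_file`; a pillar that supplies `cacert` but not `cacert_file` therefore fails to render with an undefined-attribute error. The asymmetry looks deliberate — the fallback is the distro CA bundle that `map.jinja` now sets, and `file.managed` onto it would overwrite the whole bundle — so document the requirement with a comment above each `{%- if ... cacert is defined %}`, e.g. `# cacert_file is mandatory when cacert is given: the system bundle is never managed here`. Minor: `mode: 0444` should be quoted (`mode: '0444'`) rather than relying on Salt's YAML loader to undo the octal-to-int conversion, and the blank line before the `{%- else %}` in the mysql block is a leftover. The `{%- endif %}` immediately after the new blocks closes a conditional that begins outside the hunk.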
diff --git a/tests/pillar/repo_mcp_openstack_mitaka.sls b/tests/pillar/repo_mcp_openstack_mitaka.sls
new file mode 100644
index 0000000..ea24305
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_mitaka.sls
@@ -0,0 +1,44 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }} mitaka main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }}/archive-mcpmitaka.key"
+ pin:
+ - pin: 'release a=mitaka'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_hotfix:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }} mitaka-hotfix main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }}/archive-mcpmitaka.key"
+ pin:
+ - pin: 'release a=mitaka-hotfix'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_security:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }} mitaka-security main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }}/archive-mcpmitaka.key"
+ pin:
+ - pin: 'release a=mitaka-security'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_updates:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }} mitaka-updates main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }}/archive-mcpmitaka.key"
+ pin:
+ - pin: 'release a=mitaka-uptades'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_holdback:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }} mitaka-holdback main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/mitaka/{{ grains.get('oscodename') }}/archive-mcpmitaka.key"
+ pin:
+ - pin: 'release a=mitaka-holdback'
+ priority: 1050
+ package: '*'
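Review bot: The pin for `mirantis_openstack_updates` reads `'release a=mitaka-uptades'`, a typo for `mitaka-updates`, so the priority 1050 never applies to that suite and apt falls back to the default priority for its packages; the same typo is in `repo_mcp_openstack_ocata.sls` (`ocata-uptades`). Fix the pin in both files: `- pin: 'release a=mitaka-updates'`. Separately, both the repository and its `key_url` are fetched over plain `http://`; if the mirror serves https, prefer it at least for `key_url`, since the key obtained there is what authenticates everything else from the repo (this fixture may simply mirror the production pillar, in which case the same applies there).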
diff --git a/tests/pillar/repo_mcp_openstack_ocata.sls b/tests/pillar/repo_mcp_openstack_ocata.sls
new file mode 100644
index 0000000..e601208
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_ocata.sls
@@ -0,0 +1,44 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_hotfix:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-hotfix main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-hotfix'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_security:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-security main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-security'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_updates:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-updates main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-uptades'
+ priority: 1050
+ package: '*'
+ mirantis_openstack_holdback:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }} ocata-holdback main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/{{ grains.get('oscodename') }}/archive-mcpocata.key"
+ pin:
+ - pin: 'release a=ocata-holdback'
+ priority: 1050
+ package: '*'
diff --git a/tests/pillar/repo_mcp_openstack_pike.sls b/tests/pillar/repo_mcp_openstack_pike.sls
new file mode 100644
index 0000000..789b907
--- /dev/null
+++ b/tests/pillar/repo_mcp_openstack_pike.sls
@@ -0,0 +1,12 @@
+linux:
+ system:
+ enabled: true
+ repo:
+ mirantis_openstack_repo:
+ source: "deb http://mirror.fuel-infra.org/mcp-repos/pike/{{ grains.get('oscodename') }} pike main"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mcp-repos/pike/{{ grains.get('oscodename') }}/archive-mcppike.key"
+ pin:
+ - pin: 'release a=pike'
+ priority: 1050
+ package: '*'
\ No newline at end of file
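Review bot: The new file lacks a trailing newline (`\ No newline at end of file` on the last hunk line); add one so it matches the other pillar fixtures and future diffs stay clean. It also defines only the base `pike` repo where the mitaka and ocata fixtures add hotfix/security/updates/holdback components; if that is deliberate because those suites do not exist yet, a comment saying so would save the next reader a check.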
diff --git a/tests/pillar/repo_mos9.sls b/tests/pillar/repo_mos9.sls
deleted file mode 100644
index cd14fe8..0000000
--- a/tests/pillar/repo_mos9.sls
+++ /dev/null
@@ -1,8 +0,0 @@
-linux:
- system:
- enabled: true
- repo:
- mirantis_openstack:
- source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/ mos9.0 main restricted"
- architectures: amd64
- key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/archive-mos9.0.key"