Enable TLS on rabbitmq/mysql by default
In a production environment, having SSL enabled by default
is highly recommended. This patch updates the aio model to configure
the rabbitmq and mysql services with SSL enabled.
Change-Id: I8bd21822ccf0bacb7e5d218fc068a452aaa65129
Related-Prod: PROD-16777
(cherry picked from commit 1937fb70f3ba24139905bdbc7e726cd06c051e24)
diff --git a/classes/cluster/virtual-mcp11-aio/openstack/init.yml b/classes/cluster/virtual-mcp11-aio/openstack/init.yml
index d549c80..e3fee7f 100755
--- a/classes/cluster/virtual-mcp11-aio/openstack/init.yml
+++ b/classes/cluster/virtual-mcp11-aio/openstack/init.yml
@@ -1,11 +1,15 @@
classes:
+- system.salt.minion.cert.mysql.server
+- system.salt.minion.cert.rabbitmq_server
- system.linux.system.lowmem
- system.linux.system.repo.mcp.openstack
- system.linux.system.repo.mcp.extra
- system.linux.storage.loopback
+- service.rabbitmq.server.ssl
- system.rabbitmq.server.vhost.openstack
- system.keystone.server.wsgi
- system.keystone.server.single
+- service.galera.ssl
- service.galera.master.cluster
- system.galera.server.database.cinder
- system.galera.server.database.designate
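Review bot: Adding `service.rabbitmq.server.ssl` and `service.galera.ssl` to the class list turns TLS on, but nothing visible in this hunk closes the plaintext AMQP listener (5672) or makes MySQL refuse unencrypted sessions. If those stay open, any client this patch misses keeps connecting in cleartext without an error. Please confirm what the two classes do and, if they only add TLS, follow up by disabling the plain listener and requiring TLS for the service accounts (for example `REQUIRE SSL` on the database users). A comment above the new entries such as `# TLS for mysql/rabbitmq: cert classes must stay paired with the *.ssl service classes` would also help. The class list continues past the end of this hunk.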
@@ -139,6 +143,13 @@
crypto_plugin: simple_crypto
store_plugin: store_crypto
global_default: True
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
neutron:
server:
api_workers: 2
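Review bot: The new `ssl: enabled: True` blocks under `database` and `message_queue` set no CA bundle or verification option, so whether clients actually validate the server certificate depends on formula defaults that are not visible here. Encryption without verification does not protect against an on-path host presenting its own certificate. Please confirm the defaults point at the CA that issues the certificates from the `system.salt.minion.cert.*` classes, or set the CA path explicitly next to `enabled`. The same applies to the identical blocks added in the later hunks (neutron, nova, cinder, designate, glance, keystone, heat); the enclosing service mapping here starts outside the hunk.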
@@ -146,11 +157,21 @@
rpc_workers: 2
message_queue:
members: ~
+ port: 5671
+ ssl:
+ enabled: True
+ database:
+ ssl:
+ enabled: True
gateway:
metadata:
workers: 2
agent_mode: dvr_snat
dvr: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
nova:
compute:
barbican:
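Review bot: `port: 5671` is hard-coded in every `message_queue` block this patch adds, here for the neutron server and gateway and again in the nova, cinder, designate, glance, keystone and heat hunks. The file already uses `${_param:...}` interpolation, so defining the AMQP TLS port once under `_param` and referencing it, e.g. `port: ${_param:<amqp_tls_port>}` (placeholder name), would keep the clients in sync with the server listener if it ever changes. The `nova:` mapping opened at the end of this hunk continues in the next one.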
@@ -162,17 +183,42 @@
tenant: service
cache:
members: ~
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
controller:
barbican:
enabled: ${_param:barbican_integration_enabled}
vncproxy_url: http://${_param:single_address}:6080
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
cinder:
controller:
barbican:
enabled: ${_param:barbican_integration_enabled}
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
volume:
cache:
members: ~
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
horizon:
server:
secure: False
@@ -180,9 +226,41 @@
server:
quota:
zones: ${_param:designate_quota_zones}
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
worker:
enabled: ${_param:designate_worker_enabled}
glance:
server:
barbican:
enabled: ${_param:barbican_integration_enabled}
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
+ keystone:
+ server:
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
+ heat:
+ server:
+ database:
+ ssl:
+ enabled: True
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
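Review bot: The `keystone:` and `heat:` mappings are introduced as new keys at the end of the file. If either key already exists elsewhere under `parameters` (the rest of the file is outside this diff), most YAML parsers silently keep only the last occurrence and the earlier settings would be dropped. Please check for an existing `keystone:` or `heat:` block and merge into it if there is one. Indentation is not recoverable from this rendering, so the nesting level of the two new blocks should be verified as well.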