[SSL] Sync new options for apache and nginx

Set the same options for sites via the apache[nginx]/files/_ssl.conf template as
were previously set by apache[nginx]/files/_ssl_secure.conf (deprecated).
By default the same set of ciphers was set in nginx and apache in _ssl_secure.conf.
Now the same list of ciphers is set through pillar.

Change-Id: I64b6bfe0cbb23d204a50c6bde8d9de6ed6fac306
Related-Prod: https://mirantis.jira.com/browse/PROD-20921
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml
index 077e701..71b96e2 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml
@@ -34,6 +34,8 @@
 - system.designate.server.cluster
 - system.galera.server.cluster
 - service.galera.ssl
+- system.apache.server.ssl
+- system.nginx.server.proxy.ssl
 - system.galera.server.database.cinder
 - system.galera.server.database.glance
 - system.galera.server.database.heat
@@ -56,10 +58,12 @@
   _param:
     keepalived_vip_interface: ens4
     salt_minion_ca_authority: salt_master_ca
-    ### nginx ssl sites settings
     nginx_proxy_ssl:
-      enabled: true
-      engine: salt
+      authority: "${_param:salt_minion_ca_authority}"
+      key_file: "/etc/ssl/private/internal_proxy.key"
+      cert_file: "/etc/ssl/certs/internal_proxy.crt"
+      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
+    apache_ssl:
       authority: "${_param:salt_minion_ca_authority}"
       key_file: "/etc/ssl/private/internal_proxy.key"
       cert_file: "/etc/ssl/certs/internal_proxy.crt"
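Review bot: With `enabled: true` removed from `nginx_proxy_ssl`, nothing in this file states that TLS is on for these sites; it now depends on `nginx_proxy_ssl_enabled` and `apache_ssl_enabled` in openstack/init.yml and on how the newly included system classes consume them, which this diff does not show. If those classes default to disabled, the sites would presumably come up without TLS and without an error, so a comment above `nginx_proxy_ssl:` such as `# TLS on/off: nginx_proxy_ssl_enabled / apache_ssl_enabled in openstack/init.yml` would make the dependency auditable. The `nginx_proxy_ssl` and `apache_ssl` mappings also repeat the same key, certificate and chain paths, so both servers share one private key and the two copies can drift; the same pattern is repeated in openstack/telemetry.yml. The `apache_ssl` mapping continues past the end of this hunk.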
@@ -72,13 +76,10 @@
     nginx_proxy_openstack_heat_host: 127.0.0.1
     nginx_proxy_openstack_designate_host: 127.0.0.1
     apache_manila_api_address: ${_param:single_address}
-    apache_manila_ssl: ${_param:nginx_proxy_ssl}
     apache_keystone_api_host: ${_param:single_address}
-    apache_keystone_ssl: ${_param:nginx_proxy_ssl}
     apache_nova_placement_api_address: ${_param:cluster_local_address}
-    apache_nova_placement_ssl: ${_param:nginx_proxy_ssl}
     apache_cinder_api_address: ${_param:cluster_local_address}
-    apache_cinder_ssl: ${_param:nginx_proxy_ssl}
+
   rabbitmq:
     server:
       ssl:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml
index 4b904f0..dc0111d 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml
@@ -217,6 +217,8 @@
       - "*"
     galera_ssl_enabled: true
     rabbitmq_ssl_enabled: true
+    nginx_proxy_ssl_enabled: true
+    apache_ssl_enabled: true
     rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
   linux:
     network:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/proxy.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/proxy.yml
index 9344fee..4b7b29d 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/proxy.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/proxy.yml
@@ -3,6 +3,7 @@
 - system.nginx.server.proxy.openstack_api
 - system.nginx.server.proxy.openstack_vnc
 - system.nginx.server.proxy.openstack_web
+- system.nginx.server.proxy.ssl
 - system.salt.minion.cert.proxy
 - cluster.virtual-mcp-pike-dvr-ssl
 parameters:
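Review bot: Nothing in this file says where the proxy's TLS protocol and cipher policy now comes from: the include added here, `system.nginx.server.proxy.ssl`, appears to take over from the `mode: secure` setting that the next hunk removes, and that class is not part of this diff. A comment above the include, for example `# supplies nginx_proxy_ssl protocol/cipher defaults (replaces mode: secure)`, would record the intent, and the rendered nginx site config on a proxy node should be checked for the expected protocols and ciphers before this merges. The next hunk also keeps `enabled: true` under `nginx_proxy_ssl` while openstack/control.yml and openstack/telemetry.yml drop it; using one convention across the three files would make the TLS state easier to audit.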
@@ -11,8 +12,6 @@
     nginx_proxy_ssl:
       enabled: true
       authority: ${_param:salt_minion_ca_authority}
-      engine: salt
-      mode: secure
     salt_minion_ca_host: cfg01.${linux:system:domain}
   nginx:
     server:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml
index 6279073..8ad711d 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml
@@ -14,6 +14,8 @@
 - service.redis.server.single
 - system.nginx.server.single
 - system.nginx.server.proxy.openstack.aodh
+- system.apache.server.ssl
+- system.nginx.server.proxy.ssl
 - system.gnocchi.server.cluster
 - system.gnocchi.common.storage.incoming.redis
 - system.gnocchi.common.storage.file
@@ -37,16 +39,17 @@
     nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
     nginx_proxy_openstack_aodh_host: 127.0.0.1
     nginx_proxy_ssl:
-      enabled: true
-      engine: salt
+      authority: "${_param:salt_minion_ca_authority}"
+      key_file: "/etc/ssl/private/internal_proxy.key"
+      cert_file: "/etc/ssl/certs/internal_proxy.crt"
+      chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
+    apache_ssl:
       authority: "${_param:salt_minion_ca_authority}"
       key_file: "/etc/ssl/private/internal_proxy.key"
       cert_file: "/etc/ssl/certs/internal_proxy.crt"
       chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
     apache_gnocchi_api_address: ${_param:single_address}
     apache_panko_api_address: ${_param:single_address}
-    apache_gnocchi_ssl: ${_param:nginx_proxy_ssl}
-    apache_panko_ssl: ${_param:nginx_proxy_ssl}
     cluster_node01_hostname: ${_param:openstack_telemetry_node01_hostname}
     cluster_node01_address: ${_param:openstack_telemetry_node01_address}
     cluster_node02_hostname: ${_param:openstack_telemetry_node02_hostname}