[SSL] Sync new options for apache and nginx
Set the same options via apache[nginx]/files/_ssl.conf template for sites as
they were set by apache[nginx]/files/_ssl_secure.conf (deprecated) earlier.
By default the same set of ciphers was set in nginx and apache in _ssl_secure.conf.
Now the same list of ciphers is set through pillar.
Change-Id: I64b6bfe0cbb23d204a50c6bde8d9de6ed6fac306
Related-Prod: https://mirantis.jira.com/browse/PROD-20921
diff --git a/classes/cluster/virtual-offline-ssl/openstack/control.yml b/classes/cluster/virtual-offline-ssl/openstack/control.yml
index c085eab..eb47619 100644
--- a/classes/cluster/virtual-offline-ssl/openstack/control.yml
+++ b/classes/cluster/virtual-offline-ssl/openstack/control.yml
@@ -51,6 +51,8 @@
- system.haproxy.proxy.listen.openstack.placement
- system.haproxy.proxy.listen.openstack.manila
- system.manila.control.cluster
+- system.apache.server.ssl
+- system.nginx.server.proxy.ssl
- cluster.virtual-offline-ssl.openstack.dns
- cluster.virtual-offline-ssl
parameters:
@@ -59,8 +61,11 @@
salt_minion_ca_authority: salt_master_ca
### nginx ssl sites settings
nginx_proxy_ssl:
- enabled: true
- engine: salt
+ authority: "${_param:salt_minion_ca_authority}"
+ key_file: "/etc/ssl/private/internal_proxy.key"
+ cert_file: "/etc/ssl/certs/internal_proxy.crt"
+ chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
+ apache_ssl:
authority: "${_param:salt_minion_ca_authority}"
key_file: "/etc/ssl/private/internal_proxy.key"
cert_file: "/etc/ssl/certs/internal_proxy.crt"
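Review bot: The new `apache_ssl` mapping repeats the `nginx_proxy_ssl` values line for line (`authority`, `key_file`, `cert_file`, and presumably the `chain_file` that follows the hunk), so the two certificate configurations can drift apart silently on a later edit. If both services are meant to present the same internal certificate, `apache_ssl: ${_param:nginx_proxy_ssl}` — the reference form this file already used for the per-service `apache_*_ssl` params — keeps them in sync; if apache needs its own key pair, the paths should differ rather than be copied. Either way both daemons now read `/etc/ssl/private/internal_proxy.key`, so the key's ownership and mode must allow each service account to read it — worth confirming the cert class that writes it sets that. The same verbatim duplication appears in the telemetry.yml hunk.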
@@ -73,18 +78,13 @@
nginx_proxy_openstack_heat_host: 127.0.0.1
nginx_proxy_openstack_designate_host: 127.0.0.1
apache_manila_api_address: ${_param:single_address}
- apache_manila_ssl: ${_param:nginx_proxy_ssl}
apache_keystone_api_host: ${_param:single_address}
- apache_keystone_ssl: ${_param:nginx_proxy_ssl}
apache_barbican_api_address: ${_param:cluster_local_address}
apache_barbican_api_host: ${_param:single_address}
- apache_barbican_ssl: ${_param:nginx_proxy_ssl}
apache_nova_placement_api_address: ${_param:cluster_local_address}
- apache_nova_placement_ssl: ${_param:nginx_proxy_ssl}
barbican_dogtag_nss_password: workshop
barbican_dogtag_host: ${_param:cluster_vip_address}
apache_cinder_api_address: ${_param:cluster_local_address}
- apache_cinder_ssl: ${_param:nginx_proxy_ssl}
# dogtag listens on 8443 but there is no way to bind it to
# Specific IP, as on this setup dogtag installed on ctl nodes
# Change port on haproxy side to avoid binding conflict.
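Review bot: The per-service `apache_manila_ssl`, `apache_keystone_ssl`, `apache_barbican_ssl`, `apache_nova_placement_ssl` and `apache_cinder_ssl` params are removed without a replacement in this file, so each of those apache sites now has to pick up TLS from `_param:apache_ssl` via the `system.apache.server.ssl` class added above — which cannot be verified from this change. A site class that still expects its own `apache_<service>_ssl` param would render without the ssl block and quietly serve plain HTTP, so the rendered vhost config for each of these five services should be checked after the change. The same removal is made for gnocchi and panko in the telemetry.yml hunk.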
diff --git a/classes/cluster/virtual-offline-ssl/openstack/init.yml b/classes/cluster/virtual-offline-ssl/openstack/init.yml
index 5f8421f..13bbb5d 100644
--- a/classes/cluster/virtual-offline-ssl/openstack/init.yml
+++ b/classes/cluster/virtual-offline-ssl/openstack/init.yml
@@ -218,6 +218,8 @@
ceilometer_agent_default_polling_meters:
- "*"
barbican_integration_enabled: true
+ nginx_proxy_ssl_enabled: true
+ apache_ssl_enabled: true
linux:
network:
purge_hosts: true
diff --git a/classes/cluster/virtual-offline-ssl/openstack/proxy.yml b/classes/cluster/virtual-offline-ssl/openstack/proxy.yml
index ffa74f3..497eb0e 100644
--- a/classes/cluster/virtual-offline-ssl/openstack/proxy.yml
+++ b/classes/cluster/virtual-offline-ssl/openstack/proxy.yml
@@ -3,6 +3,7 @@
- system.nginx.server.proxy.openstack_api
- system.nginx.server.proxy.openstack_vnc
- system.nginx.server.proxy.openstack_web
+- system.nginx.server.proxy.ssl
- system.salt.minion.cert.proxy
- cluster.virtual-offline-ssl
parameters:
@@ -11,8 +12,6 @@
nginx_proxy_ssl:
enabled: true
authority: ${_param:salt_minion_ca_authority}
- engine: salt
- mode: secure
salt_minion_ca_host: cfg01.${linux:system:domain}
nginx:
server:
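Review bot: `enabled: true` stays inside `nginx_proxy_ssl` here, while control.yml and telemetry.yml drop it from the mapping and move the switch to `nginx_proxy_ssl_enabled` in init.yml, so the same parameter now has two shapes across node roles; if proxy nodes also inherit init.yml, the line `enabled: true` can be dropped here for consistency. Separately, `mode: secure` is removed but this change adds no cipher or protocol pillar for the cluster, so the proxy now relies on whatever defaults `system.nginx.server.proxy.ssl` carries. It is worth diffing the rendered `_ssl.conf` against the deprecated `_ssl_secure.conf` to confirm the protocol and cipher restrictions were not loosened, or setting them explicitly in pillar as the commit message describes.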
diff --git a/classes/cluster/virtual-offline-ssl/openstack/telemetry.yml b/classes/cluster/virtual-offline-ssl/openstack/telemetry.yml
index e2b5d3a..a59b9a7 100644
--- a/classes/cluster/virtual-offline-ssl/openstack/telemetry.yml
+++ b/classes/cluster/virtual-offline-ssl/openstack/telemetry.yml
@@ -16,6 +16,8 @@
- service.redis.server.single
- system.nginx.server.single
- system.nginx.server.proxy.openstack.aodh
+- system.apache.server.ssl
+- system.nginx.server.proxy.ssl
- system.gnocchi.server.cluster
- system.gnocchi.common.storage.incoming.redis
- system.gnocchi.common.storage.file
@@ -39,16 +41,17 @@
nginx_proxy_openstack_api_address: ${_param:cluster_local_address}
nginx_proxy_openstack_aodh_host: 127.0.0.1
nginx_proxy_ssl:
- enabled: true
- engine: salt
+ authority: "${_param:salt_minion_ca_authority}"
+ key_file: "/etc/ssl/private/internal_proxy.key"
+ cert_file: "/etc/ssl/certs/internal_proxy.crt"
+ chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
+ apache_ssl:
authority: "${_param:salt_minion_ca_authority}"
key_file: "/etc/ssl/private/internal_proxy.key"
cert_file: "/etc/ssl/certs/internal_proxy.crt"
chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
apache_gnocchi_api_address: ${_param:single_address}
apache_panko_api_address: ${_param:single_address}
- apache_gnocchi_ssl: ${_param:nginx_proxy_ssl}
- apache_panko_ssl: ${_param:nginx_proxy_ssl}
cluster_node01_hostname: ${_param:openstack_telemetry_node01_hostname}
cluster_node01_address: ${_param:openstack_telemetry_node01_address}
cluster_node02_hostname: ${_param:openstack_telemetry_node02_hostname}