Merge "Add ssl suport for opencontrail api service"
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
index 499e085..83147ea 100644
--- a/defaults/haproxy/init.yml
+++ b/defaults/haproxy/init.yml
@@ -1,2 +1,3 @@
classes:
- system.defaults.haproxy.elasticsearch
+- system.defaults.haproxy.opencontrail
diff --git a/defaults/haproxy/opencontrail.yml b/defaults/haproxy/opencontrail.yml
new file mode 100644
index 0000000..ee0756e
--- /dev/null
+++ b/defaults/haproxy/opencontrail.yml
@@ -0,0 +1,3 @@
+parameters:
+ _param:
+ haproxy_opencontrail_api_check_params: check inter 2000 rise 2 fall 3
diff --git a/defaults/opencontrail/init.yml b/defaults/opencontrail/init.yml
index 24cd68e..1b0bf54 100644
--- a/defaults/opencontrail/init.yml
+++ b/defaults/opencontrail/init.yml
@@ -4,3 +4,9 @@
opencontrail_identity_port: 35357
opencontrail_identity_version: '2.0'
opencontrail_admin_user: 'contrail'
+ opencontrail_api_protocol: http
+ opencontrail_api_ssl_enabled: False
+ opencontrail_api_certfile: /etc/contrail/ssl/opencontrail_api.crt
+ opencontrail_api_keyfile: /etc/contrail/ssl/opencontrail_api.key
+ opencontrail_api_cafile: /etc/contrail/ssl/ca-opencontrail_api.pem
+ opencontrail_api_all_pemfile: /etc/ssl/certs/opencontrail_api_with_chain.pem
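Review bot: `opencontrail_api_all_pemfile` defaults to a path under `/etc/ssl/certs`, and the HAProxy bind in haproxy/proxy/listen/opencontrail/control4_0.yml consumes it as `pem_file`, which for HAProxy normally means the private key sits in the same file as the certificate chain. `/etc/ssl/certs` is conventionally a world-readable directory for public material, and no file mode is set anywhere in this change, so the key's exposure depends on formula defaults that are not visible here. Consider a default next to the other files, e.g. `opencontrail_api_all_pemfile: /etc/contrail/ssl/opencontrail_api_with_chain.pem`, or a directory restricted to root, and confirm the mode the file is written with. Separately, `False` on `opencontrail_api_ssl_enabled` is better written as `false`, so that every YAML parser reads it as a boolean.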
diff --git a/haproxy/proxy/listen/opencontrail/control4_0.yml b/haproxy/proxy/listen/opencontrail/control4_0.yml
index 22623fd..c9f37c3 100644
--- a/haproxy/proxy/listen/opencontrail/control4_0.yml
+++ b/haproxy/proxy/listen/opencontrail/control4_0.yml
@@ -11,23 +11,26 @@
binds:
- address: ${_param:cluster_vip_address}
port: 8082
+ ssl:
+ enabled: ${_param:opencontrail_api_ssl_enabled}
+ pem_file: ${_param:opencontrail_api_all_pemfile}
servers:
- name: ntw01
host: ${_param:cluster_node01_address}
port: 9100
- params: check inter 2000 rise 2 fall 3
+ params: ${_param:haproxy_opencontrail_api_check_params}
port_range_length: ${_param:opencontrail_api_workers_count}
port_range_start_offset: ${_param:opencontrail_api_start_offset}
- name: ntw02
host: ${_param:cluster_node02_address}
port: 9100
- params: check inter 2000 rise 2 fall 3
+ params: ${_param:haproxy_opencontrail_api_check_params}
port_range_length: ${_param:opencontrail_api_workers_count}
port_range_start_offset: ${_param:opencontrail_api_start_offset}
- name: ntw03
host: ${_param:cluster_node03_address}
port: 9100
- params: check inter 2000 rise 2 fall 3
+ params: ${_param:haproxy_opencontrail_api_check_params}
port_range_length: ${_param:opencontrail_api_workers_count}
port_range_start_offset: ${_param:opencontrail_api_start_offset}
contrail_config_stats:
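Review bot: The `ssl` block added to the bind terminates TLS at `${_param:cluster_vip_address}:8082` only. The three `servers` entries still receive `check inter 2000 rise 2 fall 3` by default, so the hop from HAProxy to ntw01, ntw02 and ntw03 on port 9100 appears to stay plaintext even when `opencontrail_api_ssl_enabled` is true. If that is intended, say so on the bind, e.g. `# TLS terminates here; backend hop to :9100 is plaintext unless haproxy_opencontrail_api_check_params adds ssl`. The listen definition starts above the hunk and continues past `contrail_config_stats`.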
diff --git a/keystone/client/service/contrail.yml b/keystone/client/service/contrail.yml
index 6792156..8f2534e 100644
--- a/keystone/client/service/contrail.yml
+++ b/keystone/client/service/contrail.yml
@@ -1,8 +1,6 @@
classes:
- system.keystone.client.v3.service.contrail
parameters:
- _param:
- contrail_service_protocol: http
keystone:
client:
server:
@@ -25,11 +23,11 @@
public_address: ${_param:cluster_public_host}
public_port: 8082
public_path: ''
- internal_protocol: ${_param:contrail_service_protocol}
+ internal_protocol: ${_param:opencontrail_api_protocol}
internal_address: ${_param:opencontrail_control_address}
internal_port: 8082
internal_path: ''
- admin_protocol: ${_param:contrail_service_protocol}
+ admin_protocol: ${_param:opencontrail_api_protocol}
admin_address: ${_param:opencontrail_control_address}
admin_port: 8082
admin_path: ''
\ No newline at end of file
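Review bot: `internal_protocol` and `admin_protocol` now follow `opencontrail_api_protocol`, which is defined independently of `opencontrail_api_ssl_enabled` in defaults/opencontrail/init.yml, so setting only the boolean leaves Keystone advertising `http://` for a port that HAProxy now serves over TLS. The same applies to the two `url:` lines in keystone/client/v3/service/contrail.yml. A comment where the parameters are defined would prevent this, e.g. `# set opencontrail_api_protocol: https together with opencontrail_api_ssl_enabled: true`. The removed `contrail_service_protocol` parameter is no longer read here, so a cluster model that overrides it would silently stop having any effect, which is worth a release note. The public endpoint's protocol is set outside this hunk.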
diff --git a/keystone/client/v3/service/contrail.yml b/keystone/client/v3/service/contrail.yml
index 930804a..f9bbd69 100644
--- a/keystone/client/v3/service/contrail.yml
+++ b/keystone/client/v3/service/contrail.yml
@@ -1,6 +1,4 @@
parameters:
- _param:
- contrail_service_protocol: http
keystone:
client:
server:
@@ -37,9 +35,9 @@
region: ${_param:openstack_region}
contrail_internal:
interface: 'internal'
- url: ${_param:contrail_service_protocol}://${_param:opencontrail_control_address}:8082
+ url: ${_param:opencontrail_api_protocol}://${_param:opencontrail_control_address}:8082
region: ${_param:openstack_region}
contrail_admin:
interface: 'admin'
- url: ${_param:contrail_service_protocol}://${_param:opencontrail_control_address}:8082
+ url: ${_param:opencontrail_api_protocol}://${_param:opencontrail_control_address}:8082
region: ${_param:openstack_region}
diff --git a/neutron/control/opencontrail/cluster.yml b/neutron/control/opencontrail/cluster.yml
index a33c273..8b09377 100644
--- a/neutron/control/opencontrail/cluster.yml
+++ b/neutron/control/opencontrail/cluster.yml
@@ -16,6 +16,7 @@
engine: contrail
host: ${_param:opencontrail_control_address}
port: 8082
+ use_ssl: ${_param:opencontrail_api_ssl_enabled}
user: ${_param:opencontrail_admin_user}
password: ${_param:opencontrail_admin_password}
tenant: admin
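Review bot: `use_ssl` is switched on from `opencontrail_api_ssl_enabled`, but nothing in this hunk passes a CA bundle or verification setting to the Neutron backend, although `opencontrail_api_cafile` is defined in the same change. Whether the Contrail plugin verifies the API server certificate therefore depends on formula defaults that are not visible here. If the formula exposes a CA option, wire it to `${_param:opencontrail_api_cafile}` next to `use_ssl`; otherwise note in a comment that the connection is encrypted but the peer is not authenticated. The backend mapping starts above the hunk and continues below it.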
diff --git a/salt/minion/cert/opencontrail/api.yml b/salt/minion/cert/opencontrail/api.yml
new file mode 100644
index 0000000..717fb33
--- /dev/null
+++ b/salt/minion/cert/opencontrail/api.yml
@@ -0,0 +1,17 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ opencontrail_api:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: opencontrail_api
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn},DNS:${_param:cluster_vip_address}
+ key_file: ${_param:opencontrail_api_keyfile}
+ cert_file: ${_param:opencontrail_api_certfile}
+ ca_file: ${_param:opencontrail_api_cafile}
+ all_file: ${_param:opencontrail_api_all_pemfile}
+ user: contrail
+ enabled: true
+ engine: salt
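Review bot: The `alternative_names` line lists `${_param:cluster_vip_address}` twice, once as `IP:` and once as `DNS:`; if that parameter holds an IP address, as the `IP:` entry and the HAProxy bind suggest, the `DNS:` entry will never match a hostname. The names clients are pointed at elsewhere in this change, `${_param:opencontrail_control_address}` in the Keystone endpoints and `${_param:cluster_public_host}` for the public one, are not listed, so certificate verification may fail unless they resolve to a listed value. Consider replacing the `DNS:` VIP entry with the hostname or hostnames used in the endpoint URLs. No `mode` is set for `key_file` or `all_file`, so their permissions fall back to formula defaults that this hunk does not show.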