Partial-Bug: #1522597
    Puppet-side changes to provide authenticated XMPP communication between
    agent and control nodes using certificates.

Change-Id: Ie4c16b462f702319025f5f4ae7d8dd8ea8977bb9
ajoshi9 committed Dec 17, 2015
1 parent 8796e50 commit 050e6b1
Showing 5 changed files with 52 additions and 3 deletions.
@@ -36,6 +36,7 @@
$contrail_logoutput = $::contrail::params::contrail_logoutput,
$contrail_host_roles = $::contrail::params::host_roles,
$enable_lbass = $::contrail::params::enable_lbass,
$xmpp_auth_enable = $::contrail::params::xmpp_auth_enable,
) {
$config_ip_to_use = $::contrail::params::config_ip_to_use
$keystone_ip_to_use = $::contrail::params::keystone_ip_to_use
@@ -229,6 +230,10 @@
# Ensure ctrl-details file is present with right content.
include ::contrail::ctrl_details

if ($xmpp_auth_enable == true) {
include ::contrail::xmpp_cert_files
}

if ! defined(File['/opt/contrail/bin/set_rabbit_tcp_params.py']) {
# check_wsrep
file { '/opt/contrail/bin/set_rabbit_tcp_params.py' :
@@ -278,6 +283,10 @@
}

contrail_vrouter_agent_config {
'DEFAULT/xmpp_auth_enable' : value => "$xmpp_auth_enable";
'DEFAULT/xmpp_server_cert' : value => "/etc/contrail/ssl/certs/server.pem";
'DEFAULT/xmpp_server_key' : value => "/etc/contrail/ssl/private/server-privkey.pem";
'DEFAULT/xmpp_ca_cert' : value => "/etc/contrail/ssl/certs/ca-cert.pem";
'DISCOVERY/server' : value => "$discovery_ip";
'DISCOVERY/max_control_nodes' : value => "$number_control_nodes";
'HYPERVISOR/type' : value => "$hypervisor_type";
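Review bot: The guard `if ($xmpp_auth_enable == true)` matches only a real boolean, yet the value arrives through the `hiera()` lookups in init.pp and is written to the agent config as the string `"$xmpp_auth_enable"`. If the lookup ever yields the string `'true'` (this depends on how the data is supplied, which the page does not show), the agent is configured for XMPP authentication but `::contrail::xmpp_cert_files` is never included, so the certificate paths set in `contrail_vrouter_agent_config` point at files Puppet did not install. Normalising in the guard, for example `if ($xmpp_auth_enable == true or $xmpp_auth_enable == 'true') {`, keeps the config and the cert deployment in step; the same guard is repeated at the end of the control-node manifest. The class body starts and ends outside these hunks.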
@@ -6,7 +6,8 @@
$use_certs = $::contrail::params::use_certs,
$puppet_server = $::contrail::params::puppet_server,
$contrail_logoutput = $::contrail::params::contrail_logoutput,
$config_ip_to_use = $::contrail::params::config_ip_to_use
$config_ip_to_use = $::contrail::params::config_ip_to_use,
$xmpp_auth_enable = $::contrail::params::xmpp_auth_enable,
) {
# Main class code begins here
case $::operatingsystem {
@@ -43,6 +44,10 @@
}

contrail_control_config {
'DEFAULT/xmpp_auth_enable' : value => "$xmpp_auth_enable";
'DEFAULT/xmpp_server_cert' : value => "/etc/contrail/ssl/certs/server.pem";
'DEFAULT/xmpp_server_key' : value => "/etc/contrail/ssl/private/server-privkey.pem";
'DEFAULT/xmpp_ca_cert' : value => "/etc/contrail/ssl/certs/ca-cert.pem";
'DEFAULT/hostip' : value => $host_control_ip;
'DEFAULT/log_file' : value => '/var/log/contrail/contrail-control.log';
'DEFAULT/log_level' : value => 'SYS_NOTICE';
@@ -57,4 +62,8 @@
'DISCOVERY/server' : value => $config_ip_to_use;
'DISCOVERY/port' : value => '5998';
}

if ($xmpp_auth_enable == true) {
include ::contrail::xmpp_cert_files
}
}
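Review bot: The three certificate paths in the `contrail_control_config` block are string literals that are repeated in the agent manifest and again as resource titles in xmpp_cert_files.pp, so a change in one place leaves a daemon pointing at a file Puppet no longer manages. Defining them once, e.g. as `$xmpp_server_cert`, `$xmpp_server_key` and `$xmpp_ca_cert` in `contrail::params`, and referencing those names in all three files would remove that drift. The `include ::contrail::xmpp_cert_files` at the end of the class also has no visible ordering relative to the control service, so it is worth confirming that the files are in place before the service is started or restarted; the service resource is outside these hunks.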
8 changes: 7 additions & 1 deletion contrail/environment/modules/contrail/manifests/init.pp
@@ -526,6 +526,10 @@
# Flag to include or exclude ceilometer service as part of openstack module dynamically.
# (optional) - Defaults to false.
#
# [*xmpp_auth_enable*]
# Flag for enabling xmpp autherization via cert exchange between agent and control.
# (optional) - Defaults to false.
#
class contrail (
$host_ip = undef,
$uuid = undef,
@@ -660,7 +664,8 @@
$enable_storage_master = true,
$enable_ceilometer = false,
$tor_ha_config = "",
$contrail_version = ''
$contrail_version = '',
$xmpp_auth_enable = false,
) {
class { '::contrail::params':
# Common Parameters
@@ -697,6 +702,7 @@
contrail_upgrade => hiera(contrail::contrail_upgrade, hiera(contrail::params::contrail_upgrade, $contrail_upgrade)),
contrail_version => hiera(contrail::contrail_version, hiera(contrail::params::contrail_version, $contrail_version)),
enable_lbass => hiera(contrail::enable_lbass, hiera(contrail::params::enable_lbass, $enable_lbass)),
xmpp_auth_enable => hiera(contrail::xmpp_auth_enable, hiera(contrail::params::xmpp_auth_enable, $xmpp_auth_enable)),
# HA Parameters
haproxy_flag => hiera(contrail::ha::haproxy_flag, hiera(contrail::params::haproxy_flag, $haproxy_flag)),
internal_vip => hiera(contrail::ha::internal_vip, hiera(contrail::params::internal_vip, $internal_vip)),
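Review bot: The new `[*xmpp_auth_enable*]` doc entry says "autherization", but what the flag turns on is certificate-based authentication of the XMPP channel, as the commit description states; the same text is copied into params.pp. I would reword it as `# Flag for enabling XMPP authentication via certificate exchange between agent and control.` in both files. The entry should also say that, when the flag is true, `<hostname>.pem`, `<hostname>-privkey.pem` and `ca-cert.pem` must already exist on the Puppet master's `ssl_certs` mount, since xmpp_cert_files.pp sources them from there and nothing in this commit creates them.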
7 changes: 6 additions & 1 deletion contrail/environment/modules/contrail/manifests/params.pp
@@ -525,6 +525,10 @@
# Flag to include or exclude ceilometer service as part of openstack module dynamically.
# (optional) - Defaults to false.
#
# [*xmpp_auth_enable*]
# Flag for enabling xmpp autherization via cert exchange between agent and control.
# (optional) - Defaults to false.
#
class contrail::params (
$host_ip,
$uuid,
@@ -659,7 +663,8 @@
$enable_storage_master,
$enable_ceilometer,
$tor_ha_config,
$contrail_version
$contrail_version,
$xmpp_auth_enable,
) {
if (($contrail_internal_vip != '') or
($internal_vip != '') or
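--- a/contrail/environment/modules/contrail/manifests/xmpp_cert_files.pp
+++ b/contrail/environment/modules/contrail/manifests/xmpp_cert_files.pp
@@ -0,0 +1,20 @@
+class contrail::xmpp_cert_files(
+) {
+file { ["/etc/contrail/ssl",
+"/etc/contrail/ssl/certs",
+"/etc/contrail/ssl/private" ] :
+ensure => directory
+}
+file { '/etc/contrail/ssl/certs/server.pem' :
+require => File['/etc/contrail/ssl/certs'],
+source => "puppet:///ssl_certs/$hostname.pem"
+}
+file { '/etc/contrail/ssl/private/server-privkey.pem' :
+require => File['/etc/contrail/ssl/private'],
+source => "puppet:///ssl_certs/$hostname-privkey.pem"
+}
+file { '/etc/contrail/ssl/certs/ca-cert.pem' :
+require => File['/etc/contrail/ssl/certs'],
+source => "puppet:///ssl_certs/ca-cert.pem"
+}
+}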
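Review bot: The private key `/etc/contrail/ssl/private/server-privkey.pem` and its directory are declared with no `owner`, `group` or `mode`, so their permissions fall to whatever the source file or Puppet defaults give; a TLS private key should be pinned to `0600` inside a `0700` directory owned by the account that runs the XMPP daemon. Doing that means taking `/etc/contrail/ssl/private` out of the shared directory array, as sketched below with placeholder account names. The key is also selected by the agent-supplied `$hostname` fact from a single `ssl_certs` mount whose access rules are not visible on this page, so confirm that a node can read only its own key there. Nothing in the class notifies the services that read these files, so a renewed certificate is presumably not picked up until a restart.

```puppet
# … unchanged: /etc/contrail/ssl and /etc/contrail/ssl/certs directory resources …
file { '/etc/contrail/ssl/private' :
    ensure => directory,
    owner  => 'SERVICE_USER',   # placeholder: account the XMPP daemon runs as
    group  => 'SERVICE_GROUP',  # placeholder
    mode   => '0700',
}
file { '/etc/contrail/ssl/private/server-privkey.pem' :
    require => File['/etc/contrail/ssl/private'],
    source  => "puppet:///ssl_certs/${::hostname}-privkey.pem",  # braces keep "-privkey" out of the variable name
    owner   => 'SERVICE_USER',  # placeholder
    group   => 'SERVICE_GROUP', # placeholder
    mode    => '0600',
}
# … unchanged: server.pem and ca-cert.pem resources …
```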
