
Add options to configure some services with SSL #23

Closed
wants to merge 27 commits into from

Conversation

rcritten

Adds options to configure qpid and mysql with SSL on a basic nova controller and compute node.

It is generally recommended to use FQDNs with SSL so I've switched from IP addresses to FQDNs.

This relies on some upstream work in the puppet-qpid and mysql modules and requires puppet-certmonger and puppet-nssdb on github.

@@ -49,6 +57,35 @@
# hostlist => $ipmi_host_list,
#}

if str2bool($ssl) == true {
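Review bot: on the `if str2bool($ssl) == true {` line the `== true` compares an already-boolean result with `true` and can be dropped; more importantly, this `if` guards the whole new SSL block, so `$ssl` should carry an explicit default ('false') where it is declared and its accepted values should be documented, because stdlib's `str2bool` raises on a value it does not recognize and an unset or free-form value would then abort catalog compilation instead of simply skipping the block.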
Member

Just to mention this, as I have now seen it in a couple places (here and some existing code). This is for cleanup on a future rev, not needed for this patch, but str2bool('true') evaluates to the actual boolean value true, meaning that the '== true' part of the comparison is not needed. This check will return true or false:

if str2bool($ssl)

Author

Figures, that is the form I was originally using. I switched to the == true format to maintain consistency.

@jguiditta
Member

So, @rohara and I were discussing this yesterday, and we are both concerned about the impact of this approach of replacing the *_ip variables, for a couple reasons (Ryan, correct me if I misrepresent any of this please):

  • Imposing a requirement of fqdn for an HA environment where we have pacemaker controlling a vip seems highly likely to cause problems
  • Having private(internal) openstack communication also use FQDN seems like another major assumption that may not really be how people plan to use this. For instance, I am not at all sure that people would want to maintain DNS for such services, and having that requirement impacts, for instance, keystone endpoints.

What we would like to propose is that instead of removing the *_ip variables, you introduce a new variable(s) for *_fqdn, allowing the user to choose whether they want to use ip, fqdn, or some combination (say, fqdn for public api endpoints, but IPs for internal service to service communications).

@rcritten
Author

So in foreman_server.sh I'd need to test for both, decide which one is set, and replace variables based on that, and enforce mutual exclusivity (you can't set IP and FQDN on the same interface)? What would we call the variable in puppet? Leave it with the _ip name or rename it to something generic?

@jguiditta
Member

The idea to check that at least, for example public_controller_floating_ip or public_controller_fqdn, in the installer seems reasonable. I was thinking that you would still be able to add the variables you have in this patch in the puppet manifests, just not in place of the current ones. In other words, if I am not using fqdn, keep using the IP/range I specified, otherwise, use the fqdn I set. I am not sure how we are going to get that working with the virtual IPs and clustering/proxying, but I am hoping we can do this in a way that the single controller and compute setup works with ssl for now, and does not break HA, and then start figuring out what needs to be done to make it work with HA as well. Is that any clearer? I am not trying to be difficult, so I hope it doesn't come across that way, but we are really concerned about the impact as is.

@rcritten
Author

I don't see a way to mix and match this way in puppet. It is far easier to decide when we sed and use a consistent set of variables in puppet. Consider things like mysql_host, which gets set from the private interface. If we carry both sets of variables, and both are set, what does that get set to? No, I'd rather let the user pick up front, and once it gets to puppet it is one or the other. I'm going to revert the name back to _ip. It won't be descriptive for the fqdn case but it will still work.

@jguiditta
Member

I feel like I didn't get my point across very well, but if you want to stick with one variable (for the time being at least), how about a middle ground? We could use your 'generic' idea, something like 'private_network_addr' or some such? If you want to just leave the names (the revert to *_ip that you mentioned) for now, that is fine too, as I expect we will have some rework when we get to applying this stuff to openstack api services and VIPs/HA scenarios.

Pradeep Kilambi and others added 10 commits October 25, 2013 09:23
This adds two new environment variables to foreman_server.sh where the
user can decide if they want a FQDN for the public and private interfaces.
If they want to use SSL, particularly with FreeIPA integration, they'll
need to use FQDNs.

If both are set then the IP wins. If neither is set it complains.

This also fixes a bug I introduced in the original IP to FQDN patch
where auto_assign_floating_ip was changed to auto_assign_fqdn.
Support to configure Cisco Nexus Plugin
Open port for mysql to accept incoming connections.
Added ovswitch flag for creating br-ex using $configuration_ovswitch
parameter as condition

This is a squashed version of:
#33

Signed-off-by: Jason Guiditta <[email protected]>
This is the first step to being able to apply SSL or Kerberos to
an installation as both require a FQDN.
If ssl and freeipa are true then certificates are obtained using
certmonger.

If ssl is true and freeipa is false then the mysql and qpid
certificates and keys need to be passed in as arguments.
This adds two new environment variables to foreman_server.sh where the
user can decide if they want a FQDN for the public and private interfaces.
If they want to use SSL, particularly with FreeIPA integration, they'll
need to use FQDNs.

If both are set then the IP wins. If neither is set it complains.

This also fixes a bug I introduced in the original IP to FQDN patch
where auto_assign_floating_ip was changed to auto_assign_fqdn.
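The address-selection rule those commit messages describe (the IP wins when both are set; complain when neither is), written as an added POSIX sh example rather than the PR's own foreman_server.sh code; the function names and the interface/variable names are assumed.

```shell
#!/bin/sh
# Added example, not the PR's foreman_server.sh: the interface address rule from
# the commit message (IP wins if both are set, complain if neither), with a
# format check so a malformed value is rejected before it reaches the sed step.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 looks like an FQDN: hostname characters only, at least one
# dot, no empty label, and not an IPv4 address.
is_fqdn() {
  case "$1" in
    ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    *.*) ;;
    *) return 1 ;;
  esac
  is_ipv4 "$1" && return 1
  return 0
}

# select_addr IFACE IP FQDN: print the value to substitute for IFACE's
# *_ip variable in the puppet manifests (assumed names), or fail.
# Exit 1: neither value set.  Exit 2: the chosen value is malformed.
select_addr() {
  iface=$1; ip=$2; fqdn=$3
  if [ -n "$ip" ]; then
    is_ipv4 "$ip" || { echo "$iface: '$ip' is not an IPv4 address" >&2; return 2; }
    printf '%s\n' "$ip"
  elif [ -n "$fqdn" ]; then
    is_fqdn "$fqdn" || { echo "$iface: '$fqdn' is not an FQDN" >&2; return 2; }
    printf '%s\n' "$fqdn"
  else
    echo "$iface: set either the IP or the FQDN for this interface" >&2
    return 1
  fi
}
```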
@rcritten
Author

rcritten commented Nov 4, 2013

Going to close this pull request and open a new one with a squashed patch. My local repo is hosed.
