monasca: Add SSL configuration (SOC-7423) #2136

Open
wants to merge 1 commit into
base: master
8 changes: 8 additions & 0 deletions chef/cookbooks/monasca/attributes/default.rb
Expand Up @@ -137,3 +137,11 @@
default[:monasca][:api][:user] = "monasca-api"
default[:monasca][:api][:group] = "monasca"
default[:monasca][:api][:influxdb_user] = "mon_api"

# SSL
default[:monasca][:ssl][:certfile] = "/etc/monasca/ssl/certs/signing_cert.pem"
default[:monasca][:ssl][:keyfile] = "/etc/monasca/ssl/private/signing_key.pem"
default[:monasca][:ssl][:generate_certs] = false
default[:monasca][:ssl][:insecure] = false
default[:monasca][:ssl][:cert_required] = false
default[:monasca][:ssl][:ca_certs] = "/etc/monasca/ssl/certs/ca.pem"
24 changes: 6 additions & 18 deletions chef/cookbooks/monasca/libraries/helper.rb
Expand Up @@ -30,27 +30,21 @@ def self.monasca_admin_host(node)

def self.api_public_url(node)
host = monasca_public_host(node)
# SSL is not supported at this moment
# protocol = node[:monasca][:api][:ssl] ? "https" : "http"
protocol = "http"
protocol = node[:monasca][:api][:protocol]
port = node[:monasca][:api][:bind_port]
"#{protocol}://#{host}:#{port}/v2.0"
end

def self.api_admin_url(node)
host = monasca_admin_host(node)
# SSL is not supported at this moment
# protocol = node[:monasca][:api][:ssl] ? "https" : "http"
protocol = "http"
protocol = node[:monasca][:api][:protocol]
port = node[:monasca][:api][:bind_port]
"#{protocol}://#{host}:#{port}/v2.0"
end

def self.api_internal_url(node)
host = get_host_for_monitoring_url(node)
# SSL is not supported at this moment
# protocol = node[:monasca][:api][:ssl] ? "https" : "http"
protocol = "http"
protocol = node[:monasca][:api][:protocol]
port = node[:monasca][:api][:bind_port]
"#{protocol}://#{host}:#{port}/v2.0"
end
Expand All @@ -69,27 +63,21 @@ def self.api_network_url(node)

def self.log_api_public_url(node, version = "v3.0")
host = monasca_public_host(node)
# SSL is not supported at this moment
# protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
protocol = "http"
protocol = node[:monasca][:api][:protocol]
port = node[:monasca][:log_api][:bind_port]
"#{protocol}://#{host}:#{port}/#{version}"
end

def self.log_api_admin_url(node, version = "v3.0")
host = monasca_admin_host(node)
# SSL is not supported at this moment
# protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
protocol = "http"
protocol = node[:monasca][:api][:protocol]
port = node[:monasca][:log_api][:bind_port]
"#{protocol}://#{host}:#{port}/#{version}"
end

def self.log_api_internal_url(node, version = "v3.0")
host = get_host_for_monitoring_url(node)
# SSL is not supported at this moment
# protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
protocol = "http"
protocol = node[:monasca][:api][:protocol]
port = node[:monasca][:log_api][:bind_port]
"#{protocol}://#{host}:#{port}/#{version}"
end
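Review bot: The three log_api_* URL helpers now derive their scheme from `node[:monasca][:api][:protocol]` rather than a log_api-specific attribute, even though the comments they replace pointed at `node[:monasca][:log_api][:ssl]`. Together with the monasca_log_api.rb hunk, which also switches `ssl_enable` from `node[:monasca][:log_api][:protocol]` to the api attribute, this looks like a deliberate single protocol setting for both services, but nothing in the code says so. A one-line comment in `log_api_public_url` and its two siblings, such as `# monasca-log-api deliberately shares node[:monasca][:api][:protocol]; there is no separate log_api protocol setting`, would stop the next reader from "fixing" it back. If `node[:monasca][:log_api][:protocol]` is still defined in the attributes or the data bag template (not visible in this diff), it is now dead and could be dropped in a follow-up.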
1 change: 1 addition & 0 deletions chef/cookbooks/monasca/recipes/log_agent.rb
Expand Up @@ -72,6 +72,7 @@
mode 0o640
variables(
monasca_log_api_url: monasca_log_api_url,
insecure: node[:monasca][:ssl][:insecure],
log_agent_keystone: log_agent_keystone,
log_agent_settings: log_agent_settings,
log_agent_dimensions: log_agent_dimensions,
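Review bot: The new `insecure: node[:monasca][:ssl][:insecure]` variable forwards only the insecure flag, while the en.yml hunk labels `generate_certs` as "implies insecure" and nothing in this commit enforces that implication. A deployer who enables `generate_certs` but leaves `insecure` false will presumably get an agent that refuses the self-signed API certificate; that fails closed, which is the right default, but it is a confusing combination to allow. Rather than silently widening trust in the recipe, validate the pair in the barclamp (reject `generate_certs` without `insecure`) or at least state it here with `# insecure must be set when ssl.generate_certs produces a self-signed cert; see barclamp validation`. Note also that the logstash template hunk renders the value as a quoted string, `monasca_log_api_insecure => "<%= @insecure %>"`, whereas the neighbouring numeric settings are unquoted; this is fine only if the plugin coerces "true"/"false" to a boolean, which is worth confirming. The `template` resource these variables belong to starts above the hunk.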
22 changes: 16 additions & 6 deletions chef/cookbooks/monasca/recipes/monasca_api.rb
Expand Up @@ -24,6 +24,18 @@

keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)

if node[:monasca][:api][:protocol] == "https"
ssl_setup "setting up ssl for monasca-api" do
generate_certs node[:monasca][:ssl][:generate_certs]
certfile node[:monasca][:ssl][:certfile]
keyfile node[:monasca][:ssl][:keyfile]
group node[:monasca][:api][:group]
fqdn node[:fqdn]
cert_required node[:monasca][:ssl][:cert_required]
ca_certs node[:monasca][:ssl][:ca_certs]
end
end

memcached_servers = MemcachedHelper.get_memcached_servers(
if node[:monasca][:ha][:enabled]
CrowbarPacemakerHelper.cluster_nodes(node, "monasca-server")
Expand Down Expand Up @@ -168,12 +180,10 @@
user node[:monasca][:api][:user]
group node[:monasca][:api][:group]
ssl_enable node[:monasca][:api][:protocol] == "https"
# FIXME(toabctl): the attributes do not even extist so SSL is broken!
ssl_certfile nil # node[:monasca][:ssl][:certfile]
ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
# if node[:monasca][:ssl][:cert_required]
# ssl_cacert node[:monasca][:ssl][:ca_certs]
# end
ssl_certfile node[:monasca][:ssl][:certfile]
ssl_keyfile node[:monasca][:ssl][:keyfile]
ssl_cacert node[:monasca][:ssl][:ca_certs] if
node[:monasca][:ssl][:cert_required]
end

apache_site "monasca-api.conf" do
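Review bot: The `ssl_setup` block hands the generated certificate and private key to `node[:monasca][:api][:group]`, but the same `certfile`/`keyfile` attributes are consumed by the monasca_log_api.rb hunk under `node[:monasca][:log_api][:group]`; if those two groups differ (only the api group, "monasca", is visible in the attributes hunk) the log-api process may be unable to read the key. Either pass a group both services share or document the expectation next to the resource, e.g. `# cert/key are shared with monasca-log-api; node[:monasca][:log_api][:group] must be able to read them`. Separately, `ssl_cacert node[:monasca][:ssl][:ca_certs] if` with the condition pushed onto the next line (and its twin in monasca_log_api.rb) reads oddly; the single line `ssl_cacert node[:monasca][:ssl][:ca_certs] if node[:monasca][:ssl][:cert_required]` is clearer and what RuboCop expects. The `apache_wsgi`-style resource that these ssl_* settings belong to starts above the second hunk.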
12 changes: 5 additions & 7 deletions chef/cookbooks/monasca/recipes/monasca_log_api.rb
Expand Up @@ -56,13 +56,11 @@
script_alias "/usr/bin/monasca-log-api-wsgi"
user node[:monasca][:log_api][:user]
group node[:monasca][:log_api][:group]
ssl_enable node[:monasca][:log_api][:protocol] == "https"
# FIXME(toabctl): the attributes do not even extist so SSL is broken!
ssl_certfile nil # node[:monasca][:ssl][:certfile]
ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
# if node[:monasca][:ssl][:cert_required]
# ssl_cacert node[:monasca][:ssl][:ca_certs]
# end
ssl_enable node[:monasca][:api][:protocol] == "https"
ssl_certfile node[:monasca][:ssl][:certfile]
ssl_keyfile node[:monasca][:ssl][:keyfile]
ssl_cacert node[:monasca][:ssl][:ca_certs] if
node[:monasca][:ssl][:cert_required]
end

apache_site "monasca-log-api.conf" do
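Review bot: This recipe now enables SSL with `node[:monasca][:ssl][:certfile]`/`[:keyfile]` but has no `ssl_setup` of its own; the only place the files are created (when `generate_certs` is true) is the `ssl_setup` added to monasca_api.rb. That makes the log-api converge depend on the api recipe having run first, an ordering that is not visible in this diff and is easy to break. Either include the same conditional `ssl_setup` here, or make the dependency explicit with `# certificates are created by ssl_setup in the monasca_api recipe; this recipe must run after it`. The enclosing resource block starts above the hunk.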
Expand Up @@ -38,6 +38,7 @@ output {
project_domain_name => "<%= @keystone_settings['admin_domain'] %>"
### monasca specific settings
monasca_log_api_url => "<%= @monasca_log_api_url %>"
monasca_log_api_insecure => "<%= @insecure %>"
num_of_logs => <%= @log_agent_settings[:num_of_logs] %>
elapsed_time_sec => <%= @log_agent_settings[:elapsed_time_sec] %>
delay => <%= @log_agent_settings[:delay] %>
@@ -0,0 +1,9 @@
def upgrade(template_attrs, template_deployment, attrs, deployment)
attrs["ssl"] = template_attrs["ssl"]
return attrs, deployment
end

def downgrade(template_attrs, template_deployment, attrs, deployment)
attrs.delete("ssl")
return attrs, deployment
end
10 changes: 9 additions & 1 deletion chef/data_bags/crowbar/template-monasca.json
Expand Up @@ -73,6 +73,14 @@
"service_role": "monasca-agent"
}
},
"ssl": {
"certfile": "/etc/monasca/ssl/certs/signing_cert.pem",
"keyfile": "/etc/monasca/ssl/private/signing_key.pem",
"generate_certs": false,
"insecure": false,
"cert_required": false,
"ca_certs": "/etc/monasca/ssl/certs/ca.pem"
},
"api": {
"url": "",
"bind_host": "*",
Expand Down Expand Up @@ -167,7 +175,7 @@
"monasca": {
"crowbar-revision": 0,
"crowbar-applied": false,
"schema-revision": 315,
"schema-revision": 316,
"element_states": {
"monasca-server": [ "readying", "ready", "applying" ],
"monasca-agent": [ "readying", "ready", "applying" ],
10 changes: 10 additions & 0 deletions chef/data_bags/crowbar/template-monasca.schema
Expand Up @@ -104,6 +104,16 @@
}
}
},
"ssl": {
"type": "map", "required": true, "mapping": {
"certfile": { "type" : "str", "required" : true },
"keyfile": { "type" : "str", "required" : true },
"generate_certs": { "type" : "bool", "required" : true },
"insecure": { "type" : "bool", "required" : true },
"cert_required": { "type" : "bool", "required" : true },
"ca_certs": { "type" : "str", "required" : true }
}
},
"api": {
"required": true,
"type": "map",
10 changes: 10 additions & 0 deletions crowbar_framework/app/helpers/barclamp/monasca_helper.rb
Expand Up @@ -51,5 +51,15 @@ def tsdbs(selected)
selected.to_s
)
end

def api_protocols_for_monasca(selected)
options_for_select(
[
["HTTP", "http"],
["HTTPS", "https"]
],
selected.to_s
)
end
end
end
Expand Up @@ -33,6 +33,26 @@

= select_field %w(log_api log_level), :collection => :api_log_levels

%fieldset
%legend
= t(".ssl_header")

= select_field %w(api protocol),
:collection => :api_protocols_for_monasca,
"data-sslprefix" => "ssl",
"data-sslcert" => "/etc/monasca/ssl/certs/signing_cert.pem",
"data-sslkey" => "/etc/monasca/ssl/private/signing_key.pem"

#ssl-container
= boolean_field %w(ssl generate_certs)
= string_field %w(ssl certfile)
= string_field %w(ssl keyfile)
= boolean_field %w(ssl insecure)
= boolean_field %w(ssl cert_required),
"data-enabler" => "true",
"data-enabler-target" => "#ssl_ca_certs"
= string_field %w(ssl ca_certs)

%fieldset
%legend
= t(".master_notification_header")
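Review bot: The `"data-sslcert"` and `"data-sslkey"` values hard-code the certificate and key paths a third time, duplicating the defaults added in attributes/default.rb and template-monasca.json in this same commit; if one copy is changed later the UI prefill will silently diverge from what the cookbook actually uses. Presumably these data attributes drive client-side prefilling when the protocol is switched to https (the script is not in this diff). Consider sourcing them from the template defaults, or at minimum flag the coupling with `-# keep in sync with ssl.certfile / ssl.keyfile defaults in template-monasca.json`.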
9 changes: 9 additions & 0 deletions crowbar_framework/config/locales/monasca/en.yml
Expand Up @@ -22,6 +22,7 @@ en:
keystone_instance: 'Keystone'
api_header: 'API Settings'
api:
protocol: 'Protocol'
bind_host: 'Address'
log_level: 'Log level'
processes: 'Number of processes'
Expand Down Expand Up @@ -62,5 +63,13 @@ en:
group: 'Group for Monasca services'
user: 'User for Monasca services'
tsdb: 'Time series database to use'
ssl_header: 'SSL Support'
ssl:
generate_certs: 'Generate (self-signed) certificates (implies insecure)'
certfile: 'SSL Certificate File'
keyfile: 'SSL (Private) Key File'
insecure: 'SSL Certificate is insecure (for instance, self-signed)'
cert_required: 'Require Client Certificate'
ca_certs: 'SSL CA Certificates File'
validation:
invalid_network: 'Network "%{network}" configured for Monasca is not defined in the configuration of the network barclamp.'