monasca: Add SSL configuration (SOC-7423)

The change adds support for configuring Monasca APIs to use SSL.

Author: witekest

chef/cookbooks/monasca/attributes/default.rb

@@ -137,3 +137,11 @@
 default[:monasca][:api][:user] = "monasca-api"
 default[:monasca][:api][:group] = "monasca"
 default[:monasca][:api][:influxdb_user] = "mon_api"
+
+# SSL
+default[:monasca][:ssl][:certfile] = "/etc/monasca/ssl/certs/signing_cert.pem"
+default[:monasca][:ssl][:keyfile] = "/etc/monasca/ssl/private/signing_key.pem"
+default[:monasca][:ssl][:generate_certs] = false
+default[:monasca][:ssl][:insecure] = false
+default[:monasca][:ssl][:cert_required] = false
+default[:monasca][:ssl][:ca_certs] = "/etc/monasca/ssl/certs/ca.pem"

chef/cookbooks/monasca/libraries/helper.rb

@@ -30,27 +30,21 @@ def self.monasca_admin_host(node)
 
   def self.api_public_url(node)
     host = monasca_public_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
 
   def self.api_admin_url(node)
     host = monasca_admin_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
 
   def self.api_internal_url(node)
     host = get_host_for_monitoring_url(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
@@ -69,27 +63,21 @@ def self.api_network_url(node)
 
   def self.log_api_public_url(node, version = "v3.0")
     host = monasca_public_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
 
   def self.log_api_admin_url(node, version = "v3.0")
     host = monasca_admin_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
 
   def self.log_api_internal_url(node, version = "v3.0")
     host = get_host_for_monitoring_url(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end

chef/cookbooks/monasca/recipes/log_agent.rb

@@ -72,6 +72,7 @@
   mode 0o640
   variables(
     monasca_log_api_url: monasca_log_api_url,
+    insecure: node[:monasca][:ssl][:insecure],
     log_agent_keystone: log_agent_keystone,
     log_agent_settings: log_agent_settings,
     log_agent_dimensions: log_agent_dimensions,

chef/cookbooks/monasca/recipes/monasca_api.rb

@@ -24,6 +24,18 @@
 
 keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)
 
+if node[:monasca][:api][:protocol] == "https"
+  ssl_setup "setting up ssl for monasca-api" do
+    generate_certs node[:monasca][:ssl][:generate_certs]
+    certfile node[:monasca][:ssl][:certfile]
+    keyfile node[:monasca][:ssl][:keyfile]
+    group node[:monasca][:api][:group]
+    fqdn node[:fqdn]
+    cert_required node[:monasca][:ssl][:cert_required]
+    ca_certs node[:monasca][:ssl][:ca_certs]
+  end
+end
+
 memcached_servers = MemcachedHelper.get_memcached_servers(
   if node[:monasca][:ha][:enabled]
     CrowbarPacemakerHelper.cluster_nodes(node, "monasca-server")
@@ -168,12 +180,10 @@
   user node[:monasca][:api][:user]
   group node[:monasca][:api][:group]
   ssl_enable node[:monasca][:api][:protocol] == "https"
-  # FIXME(toabctl): the attributes do not even extist so SSL is broken!
-  ssl_certfile nil # node[:monasca][:ssl][:certfile]
-  ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
-  # if node[:monasca][:ssl][:cert_required]
-  #  ssl_cacert node[:monasca][:ssl][:ca_certs]
-  # end
+  ssl_certfile node[:monasca][:ssl][:certfile]
+  ssl_keyfile node[:monasca][:ssl][:keyfile]
+  ssl_cacert node[:monasca][:ssl][:ca_certs] if
+    node[:monasca][:ssl][:cert_required]
 end
 
 apache_site "monasca-api.conf" do

chef/cookbooks/monasca/recipes/monasca_log_api.rb

@@ -56,13 +56,11 @@
   script_alias "/usr/bin/monasca-log-api-wsgi"
   user node[:monasca][:log_api][:user]
   group node[:monasca][:log_api][:group]
-  ssl_enable node[:monasca][:log_api][:protocol] == "https"
-  # FIXME(toabctl): the attributes do not even extist so SSL is broken!
-  ssl_certfile nil # node[:monasca][:ssl][:certfile]
-  ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
-  # if node[:monasca][:ssl][:cert_required]
-  #  ssl_cacert node[:monasca][:ssl][:ca_certs]
-  # end
+  ssl_enable node[:monasca][:api][:protocol] == "https"
+  ssl_certfile node[:monasca][:ssl][:certfile]
+  ssl_keyfile node[:monasca][:ssl][:keyfile]
+  ssl_cacert node[:monasca][:ssl][:ca_certs] if
+    node[:monasca][:ssl][:cert_required]
 end
 
 apache_site "monasca-log-api.conf" do

chef/cookbooks/monasca/templates/default/log-agent.conf.erb

@@ -38,6 +38,7 @@ output {
     project_domain_name => "<%= @keystone_settings['admin_domain'] %>"
     ### monasca specific settings
     monasca_log_api_url => "<%= @monasca_log_api_url %>"
+    monasca_log_api_insecure => "<%= @insecure %>"
     num_of_logs => <%= @log_agent_settings[:num_of_logs] %>
     elapsed_time_sec => <%= @log_agent_settings[:elapsed_time_sec] %>
     delay => <%= @log_agent_settings[:delay] %>

chef/data_bags/crowbar/migrate/monasca/316_add_ssl_attributes.rb

@@ -0,0 +1,9 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  attrs["ssl"] = template_attrs["ssl"]
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  attrs.delete("ssl")
+  return attrs, deployment
+end

chef/data_bags/crowbar/template-monasca.json

@@ -73,6 +73,14 @@
           "service_role": "monasca-agent"
         }
       },
+      "ssl": {
+        "certfile": "/etc/monasca/ssl/certs/signing_cert.pem",
+        "keyfile": "/etc/monasca/ssl/private/signing_key.pem",
+        "generate_certs": false,
+        "insecure": false,
+        "cert_required": false,
+        "ca_certs": "/etc/monasca/ssl/certs/ca.pem"
+      },
       "api": {
         "url": "",
         "bind_host": "*",
@@ -167,7 +175,7 @@
     "monasca": {
       "crowbar-revision": 0,
       "crowbar-applied": false,
-      "schema-revision": 315,
+      "schema-revision": 316,
       "element_states": {
         "monasca-server": [ "readying", "ready", "applying" ],
         "monasca-agent": [ "readying", "ready", "applying" ],

chef/data_bags/crowbar/template-monasca.schema

@@ -104,6 +104,16 @@
                 }
               }
             },
+            "ssl": {
+              "type": "map", "required": true, "mapping": {
+                "certfile": { "type" : "str", "required" : true },
+                "keyfile": { "type" : "str", "required" : true },
+                "generate_certs": { "type" : "bool", "required" : true },
+                "insecure": { "type" : "bool", "required" : true },
+                "cert_required": { "type" : "bool", "required" : true },
+                "ca_certs": { "type" : "str", "required" : true }
+              }
+            },
             "api": {
               "required": true,
               "type": "map",

crowbar_framework/app/helpers/barclamp/monasca_helper.rb

@@ -51,5 +51,15 @@ def tsdbs(selected)
         selected.to_s
       )
     end
+
+    def api_protocols_for_monasca(selected)
+      options_for_select(
+        [
+          ["HTTP", "http"],
+          ["HTTPS", "https"]
+        ],
+        selected.to_s
+      )
+    end
   end
 end