monasca: Add SSL configuration (SOC-7423)

The change adds support for configuring Monasca APIs to use SSL.

chef/cookbooks/monasca/attributes/default.rb

@@ -137,3 +137,11 @@
 default[:monasca][:api][:user] = "monasca-api"
 default[:monasca][:api][:group] = "monasca"
 default[:monasca][:api][:influxdb_user] = "mon_api"
+
+#SSL
+default[:monasca][:ssl][:certfile] = "/etc/monasca/ssl/certs/signing_cert.pem"
+default[:monasca][:ssl][:keyfile] = "/etc/monasca/ssl/private/signing_key.pem"
+default[:monasca][:ssl][:generate_certs] = false
+default[:monasca][:ssl][:insecure] = false
+default[:monasca][:ssl][:cert_required] = false
+default[:monasca][:ssl][:ca_certs] = "/etc/monasca/ssl/certs/ca.pem"

chef/cookbooks/monasca/libraries/helper.rb

@@ -30,27 +30,21 @@ def self.monasca_admin_host(node)
 
   def self.api_public_url(node)
     host = monasca_public_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
 
   def self.api_admin_url(node)
     host = monasca_admin_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
 
   def self.api_internal_url(node)
     host = get_host_for_monitoring_url(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:api][:bind_port]
     "#{protocol}://#{host}:#{port}/v2.0"
   end
@@ -69,27 +63,21 @@ def self.api_network_url(node)
 
   def self.log_api_public_url(node, version = "v3.0")
     host = monasca_public_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
 
   def self.log_api_admin_url(node, version = "v3.0")
     host = monasca_admin_host(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end
 
   def self.log_api_internal_url(node, version = "v3.0")
     host = get_host_for_monitoring_url(node)
-    # SSL is not supported at this moment
-    # protocol = node[:monasca][:log_api][:ssl] ? "https" : "http"
-    protocol = "http"
+    protocol = node[:monasca][:api][:protocol]
     port = node[:monasca][:log_api][:bind_port]
     "#{protocol}://#{host}:#{port}/#{version}"
   end

chef/cookbooks/monasca/recipes/log_agent.rb

@@ -72,6 +72,7 @@
   mode 0o640
   variables(
     monasca_log_api_url: monasca_log_api_url,
+    insecure: node[:monasca][:ssl][:insecure],
     log_agent_keystone: log_agent_keystone,
     log_agent_settings: log_agent_settings,
     log_agent_dimensions: log_agent_dimensions,

chef/cookbooks/monasca/recipes/monasca_api.rb

@@ -24,6 +24,18 @@
 
 keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)
 
+if node[:monasca][:api][:protocol] == "https"
+  ssl_setup "setting up ssl for monasca-api" do
+    generate_certs node[:monasca][:ssl][:generate_certs]
+    certfile node[:monasca][:ssl][:certfile]
+    keyfile node[:monasca][:ssl][:keyfile]
+    group node[:monasca][:api][:group]
+    fqdn node[:fqdn]
+    cert_required node[:monasca][:ssl][:cert_required]
+    ca_certs node[:monasca][:ssl][:ca_certs]
+  end
+end
+
 memcached_servers = MemcachedHelper.get_memcached_servers(
   if node[:monasca][:ha][:enabled]
     CrowbarPacemakerHelper.cluster_nodes(node, "monasca-server")
@@ -168,12 +180,11 @@
   user node[:monasca][:api][:user]
   group node[:monasca][:api][:group]
   ssl_enable node[:monasca][:api][:protocol] == "https"
-  # FIXME(toabctl): the attributes do not even extist so SSL is broken!
-  ssl_certfile nil # node[:monasca][:ssl][:certfile]
-  ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
-  # if node[:monasca][:ssl][:cert_required]
-  #  ssl_cacert node[:monasca][:ssl][:ca_certs]
-  # end
+  ssl_certfile node[:monasca][:ssl][:certfile]
+  ssl_keyfile node[:monasca][:ssl][:keyfile]
+  if node[:monasca][:ssl][:cert_required]
+    ssl_cacert node[:monasca][:ssl][:ca_certs]
+  end
 end
 
 apache_site "monasca-api.conf" do

chef/cookbooks/monasca/recipes/monasca_log_api.rb

@@ -56,13 +56,12 @@
   script_alias "/usr/bin/monasca-log-api-wsgi"
   user node[:monasca][:log_api][:user]
   group node[:monasca][:log_api][:group]
-  ssl_enable node[:monasca][:log_api][:protocol] == "https"
-  # FIXME(toabctl): the attributes do not even extist so SSL is broken!
-  ssl_certfile nil # node[:monasca][:ssl][:certfile]
-  ssl_keyfile nil # node[:monasca][:ssl][:keyfile]
-  # if node[:monasca][:ssl][:cert_required]
-  #  ssl_cacert node[:monasca][:ssl][:ca_certs]
-  # end
+  ssl_enable node[:monasca][:api][:protocol] == "https"
+  ssl_certfile node[:monasca][:ssl][:certfile]
+  ssl_keyfile node[:monasca][:ssl][:keyfile]
+  if node[:monasca][:ssl][:cert_required]
+    ssl_cacert node[:monasca][:ssl][:ca_certs]
+  end
 end
 
 apache_site "monasca-log-api.conf" do

chef/cookbooks/monasca/templates/default/log-agent.conf.erb

@@ -38,6 +38,7 @@ output {
     project_domain_name => "<%= @keystone_settings['admin_domain'] %>"
     ### monasca specific settings
     monasca_log_api_url => "<%= @monasca_log_api_url %>"
+    monasca_log_api_insecure => "<%= @insecure %>"
     num_of_logs => <%= @log_agent_settings[:num_of_logs] %>
     elapsed_time_sec => <%= @log_agent_settings[:elapsed_time_sec] %>
     delay => <%= @log_agent_settings[:delay] %>

chef/data_bags/crowbar/migrate/monasca/316_add_ssl_attributes.rb

@@ -0,0 +1,9 @@
+def upgrade(ta, td, a, d)
+  a["ssl"] = ta["ssl"]
+  return a, d
+end
+
+def downgrade(ta, td, a, d)
+  a.delete("ssl")
+  return a, d
+end

chef/data_bags/crowbar/template-monasca.json

@@ -73,6 +73,14 @@
           "service_role": "monasca-agent"
         }
       },
+      "ssl": {
+        "certfile": "/etc/monasca/ssl/certs/signing_cert.pem",
+        "keyfile": "/etc/monasca/ssl/private/signing_key.pem",
+        "generate_certs": false,
+        "insecure": false,
+        "cert_required": false,
+        "ca_certs": "/etc/monasca/ssl/certs/ca.pem"
+      },
       "api": {
         "url": "",
         "bind_host": "*",
@@ -167,7 +175,7 @@
     "monasca": {
       "crowbar-revision": 0,
       "crowbar-applied": false,
-      "schema-revision": 315,
+      "schema-revision": 316,
       "element_states": {
         "monasca-server": [ "readying", "ready", "applying" ],
         "monasca-agent": [ "readying", "ready", "applying" ],

chef/data_bags/crowbar/template-monasca.schema

@@ -104,6 +104,16 @@
                 }
               }
             },
+            "ssl": {
+              "type": "map", "required": true, "mapping": {
+                "certfile": { "type" : "str", "required" : true },
+                "keyfile": { "type" : "str", "required" : true },
+                "generate_certs": { "type" : "bool", "required" : true },
+                "insecure": { "type" : "bool", "required" : true },
+                "cert_required": { "type" : "bool", "required" : true },
+                "ca_certs": { "type" : "str", "required" : true }
+              }
+            },
             "api": {
               "required": true,
               "type": "map",

crowbar_framework/app/helpers/barclamp/monasca_helper.rb

@@ -51,5 +51,15 @@ def tsdbs(selected)
         selected.to_s
       )
     end
+
+    def api_protocols_for_monasca(selected)
+      options_for_select(
+        [
+          ["HTTP", "http"],
+          ["HTTPS", "https"]
+        ],
+        selected.to_s
+      )
+    end
   end
 end

crowbar_framework/app/views/barclamp/monasca/_edit_attributes.html.haml

@@ -33,6 +33,26 @@
 
       = select_field %w(log_api log_level), :collection => :api_log_levels
 
+    %fieldset
+      %legend
+        = t(".ssl_header")
+
+      = select_field %w(api protocol),
+        :collection => :api_protocols_for_monasca,
+        "data-sslprefix" => "ssl",
+        "data-sslcert" => "/etc/monasca/ssl/certs/signing_cert.pem",
+        "data-sslkey" => "/etc/monasca/ssl/private/signing_key.pem"
+
+      #ssl_container
+        = boolean_field %w(ssl generate_certs)
+        = string_field %w(ssl certfile)
+        = string_field %w(ssl keyfile)
+        = boolean_field %w(ssl insecure)
+        = boolean_field %w(ssl cert_required),
+          "data-enabler" => "true",
+          "data-enabler-target" => "#ssl_ca_certs"
+        = string_field %w(ssl ca_certs)
+
     %fieldset
       %legend
         = t(".master_notification_header")

crowbar_framework/config/locales/monasca/en.yml

@@ -22,6 +22,7 @@ en:
         keystone_instance: 'Keystone'
         api_header: 'API Settings'
         api:
+          protocol: 'Protocol'
           bind_host: 'Address'
           log_level: 'Log level'
           processes: 'Number of processes'
@@ -62,5 +63,13 @@ en:
         group: 'Group for Monasca services'
         user: 'User for Monasca services'
         tsdb: 'Time series database to use'
+        ssl_header: 'SSL Support'
+          ssl:
+            generate_certs: 'Generate (self-signed) certificates (implies insecure)'
+            certfile: 'SSL Certificate File'
+            keyfile: 'SSL (Private) Key File'
+            insecure: 'SSL Certificate is insecure (for instance, self-signed)'
+            cert_required: 'Require Client Certificate'
+            ca_certs: 'SSL CA Certificates File'
       validation:
         invalid_network: 'Network "%{network}" configured for Monasca is not defined in the configuration of the network barclamp.'