From ec72e39c36f3771a14381ae78a673ac67be0a3f6 Mon Sep 17 00:00:00 2001
From: Marton Kiss
Date: Fri, 5 Sep 2014 14:47:47 +0200
Subject: [PATCH] Openstackid.org openid instance

Create a productive instance of openid service at openstackid.org. This domain was bought by the Foundation to avoid *.openstack.org cross-domain issues.
Related tasks:
- create trove database for openid service (openstackid_id_mysql* variables)
- setup connection string to openstack.org profile db (openstackid_ss_mysql_* variables)
- issue openstackid.org x509 certificate (openstackid_ssl* variables)
- setup openstackid_redis_password and openstackid_site_admin_password hiera variables.
Change-Id: Iaf198d004d0c9cad10668405b0e5b2537b791a7f
---
 manifests/site.pp | 20 +++++
 .../manifests/openstackid_prod.pp | 85 +++++++++++++++++++
 modules/openstackid/manifests/init.pp | 1 +
 .../templates/openstackid.conf.erb | 4 +-
 4 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 modules/openstack_project/manifests/openstackid_prod.pp
diff --git a/manifests/site.pp b/manifests/site.pp
index e2c9a257a0..76f2f44d7f 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -620,6 +620,26 @@ node 'pypi.slave.openstack.org' {
 }
 }
 
+# Node-OS: precise
+node 'openstackid.org' {
+ class { 'openstack_project::openstackid_prod':
+ sysadmins => hiera('sysadmins', []),
+ site_admin_password => hiera('openstackid_site_admin_password', 'XXX'),
+ id_mysql_host => hiera('openstackid_id_mysql_host', 'localhost'),
+ id_mysql_password => hiera('openstackid_id_mysql_password', 'XXX'),
+ id_mysql_user => hiera('openstackid_id_mysql_user', 'username'),
+ id_db_name => hiera('openstackid_id_db_name', 'XXX'),
+ ss_mysql_host => hiera('openstackid_ss_mysql_host', 'localhost'),
+ ss_mysql_password => hiera('openstackid_ss_mysql_password', 'XXX'),
+ ss_mysql_user => hiera('openstackid_ss_mysql_user', 'username'),
+ ss_db_name => hiera('openstackid_ss_db_name', 'username'),
+ redis_password => hiera('openstackid_redis_password', 'XXX'),
+ ssl_cert_file_contents => hiera('openstackid_ssl_cert_file_contents', 'XXX'),
+ ssl_key_file_contents => hiera('openstackid_ssl_key_file_contents', 'XXX'),
+ ssl_chain_file_contents => hiera('openstackid_ssl_chain_file_contents', 'XXX'),
+ }
+}
+
 # Node-OS: precise
 node 'openstackid-dev.openstack.org' {
 class { 'openstack_project::openstackid_dev':
diff --git a/modules/openstack_project/manifests/openstackid_prod.pp b/modules/openstack_project/manifests/openstackid_prod.pp
new file mode 100644
index 0000000000..7b54b727bb
--- /dev/null
+++ b/modules/openstack_project/manifests/openstackid_prod.pp
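Review bot: Every secret passed to the production class in the `node 'openstackid.org'` block has a literal fallback (`'XXX'` for `site_admin_password`, both MySQL passwords, `redis_password` and the three `ssl_*_file_contents` values), so a missing or misspelled hiera key would compile cleanly and apply a known placeholder credential to the identity provider instead of failing. Dropping the default makes the lookup abort catalog compilation when the key is absent, e.g. `site_admin_password => hiera('openstackid_site_admin_password'),`, and the same for the other secret keys. Separately, `ss_db_name` falls back to `'username'`, which looks like a copy-paste from the `*_mysql_user` lines.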
@@ -0,0 +1,85 @@
+# Copyright 2013 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# openstackid idp(sso-openid) server
+#
+class openstack_project::openstackid_prod (
+ $sysadmins = [],
+ $site_admin_password = '',
+ $id_mysql_host = '',
+ $id_mysql_user = '',
+ $id_mysql_password = '',
+ $id_db_name = '',
+ $ss_mysql_host = '',
+ $ss_mysql_user = '',
+ $ss_mysql_password = '',
+ $ss_db_name = '',
+ $redis_port = '6378',
+ $redis_max_memory = '1gb',
+ $redis_bind = '127.0.0.1',
+ $redis_password = '',
+ $id_recaptcha_public_key = '',
+ $id_recaptcha_private_key = '',
+ $id_recaptcha_template = '',
+ $id_log_error_to_email = '',
+ $id_log_error_from_email = '',
+ $id_environment = 'dev',
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
+ $release = '1.0.2',
+) {
+
+ class { 'openstack_project::server':
+ iptables_public_tcp_ports => [80, 443],
+ sysadmins => $sysadmins,
+ }
+
+ class { 'openstackid':
+ site_admin_password => $site_admin_password,
+ id_mysql_host => $id_mysql_host,
+ id_mysql_user => $id_mysql_user,
+ id_mysql_password => $id_mysql_password,
+ id_db_name => $id_db_name,
+ ss_mysql_host => $ss_mysql_host,
+ ss_mysql_user => $ss_mysql_user,
+ ss_mysql_password => $ss_mysql_password,
+ ss_db_name => $ss_db_name,
+ redis_port => $redis_port,
+ redis_host => $redis_bind,
+ redis_password => $redis_password,
+ id_recaptcha_public_key => $id_recaptcha_public_key,
+ id_recaptcha_private_key => $id_recaptcha_private_key,
+ id_recaptcha_template => $id_recaptcha_template,
+ id_log_error_to_email => $id_log_error_to_email,
+ id_log_error_from_email => $id_log_error_from_email,
+ id_environment => $id_environment,
+ ssl_cert_file => "/etc/ssl/certs/${::fqdn}.pem",
+ ssl_key_file => "/etc/ssl/private/${::fqdn}.key",
+ ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
+ openstackid_release => $release,
+ }
+
+ # redis (custom module written by tipit)
+ class { 'redis':
+ redis_port => $redis_port,
+ redis_max_memory => $redis_max_memory,
+ redis_bind => $redis_bind,
+ redis_password => $redis_password,
+ }
+
+}
diff --git a/modules/openstackid/manifests/init.pp b/modules/openstackid/manifests/init.pp
index 2a3fff686c..a2696de275 100644
--- a/modules/openstackid/manifests/init.pp
+++ b/modules/openstackid/manifests/init.pp
@@ -48,6 +48,7 @@ class openstackid (
 $id_recaptcha_public_key = '',
 $id_recaptcha_private_key = '',
 $id_recaptcha_template = '',
+ $openstackid_release = 'latest',
 ) {
 
 # php packages needed for openid server
diff --git a/modules/openstackid/templates/openstackid.conf.erb b/modules/openstackid/templates/openstackid.conf.erb
index 9d11831986..9fc69589d2 100644
--- a/modules/openstackid/templates/openstackid.conf.erb
+++ b/modules/openstackid/templates/openstackid.conf.erb
@@ -1,5 +1,5 @@
 SITE_ROOT=/srv/openstackid
-SOURCE_TARBALL=http://tarballs.openstack.org/openstackid/openstackid-latest.tar.gz
+SOURCE_TARBALL=http://tarballs.openstack.org/openstackid/openstackid-<%= @openstackid_release %>.tar.gz
 LARAVEL_ENV=dev
-RELEASE_NAME=openstackid-latest.tar.gz
+RELEASE_NAME=openstackid-<%= @openstackid_release %>.tar.gz
 SOURCE_ROOT=http://tarballs.openstack.org/openstackid/
\ No newline at end of file
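Review bot: `$id_environment` defaults to `'dev'` in this production class, and the `node 'openstackid.org'` block in manifests/site.pp does not pass `id_environment`, so as written the production instance is configured with the dev environment. What that enables depends on the openstackid module, which is not visible here, but development settings on a public identity provider commonly mean verbose error output. The default should be the production value, for example `$id_environment = 'production',` (confirm the name the application expects). The recaptcha keys and the error-mail addresses are likewise left at `''` and never supplied by the node definition, so a short header comment listing which parameters must come from hiera would make the gaps visible.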
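Review bot: The rewritten `SOURCE_TARBALL` line still fetches the release over plain `http://`, and nothing in this template carries a checksum or signature for the tarball, so the code deployed to the production identity provider is only as trustworthy as the network path to tarballs.openstack.org. If the host serves TLS, the line should read `SOURCE_TARBALL=https://tarballs.openstack.org/openstackid/openstackid-<%= @openstackid_release %>.tar.gz` (and `SOURCE_ROOT` likewise), and recording an expected digest next to the pinned release would let the deploy step verify what it downloaded. `LARAVEL_ENV=dev` also stays hard-coded on the context line, so as far as this template shows the production node gets it regardless of `id_environment`. Finally, `@openstackid_release` is interpolated without validation and defaults to `'latest'` in modules/openstackid/manifests/init.pp, which leaves any node that does not set it unpinned.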