From 1a061497ab57e76cc6cbaa8e53f2fce1641ae7f7 Mon Sep 17 00:00:00 2001
From: Matthew Treinish <mtreinish@kortar.org>
Date: Mon, 8 Aug 2016 11:03:11 -0400
Subject: [PATCH] Add tls support to firehose

This commit adds the necessary configuration to pass the tls certs
to the puppet-mosquitto module to configure 2 tls enabled ports on
the mosquitto server.

Change-Id: I128b2bb5d061794746bedd7541988c65abcaafff
Depends-On: I7c77285e347d8c1b2c3318360258246b78f885a8
---
 manifests/site.pp                               | 5 ++++-
 modules/openstack_project/manifests/firehose.pp | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index 1aa2411b99..e1610bf076 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -468,7 +468,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
 # Node-OS: xenial
 node /^firehose\d+\.openstack\.org$/ {
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 1883],
+    iptables_public_tcp_ports => [22, 80, 1883, 8080, 8883],
     sysadmins                 => hiera('sysadmins', []),
   }
   class { 'openstack_project::firehose':
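Review bot: Port 1883 stays in `iptables_public_tcp_ports` alongside the newly opened 8080 and 8883, so the unencrypted MQTT listener remains publicly reachable after TLS is added. If any client authenticates with the `mqtt_service_user_password` credential over 1883, that password still crosses the network in cleartext; whether the broker allows authenticated sessions on that listener is decided in the mosquitto module and is not visible here. If 1883 is deliberately kept for anonymous read-only subscribers, a comment above the list would record that and say which port is which, for example `# 1883: plaintext MQTT, kept for anonymous subscribers; 8883 and 8080: TLS listeners` (the mapping of 8080 is presumed from the commit message and should be confirmed).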
@@ -476,6 +476,9 @@ node /^firehose\d+\.openstack\.org$/ {
     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
     gerrit_private_key  => hiera('germqtt_gerrit_ssh_private_key'),
     mqtt_password       => hiera('mqtt_service_user_password'),
+    ca_file             => hiera('mosquitto_tls_ca_file'),
+    cert_file           => hiera('mosquitto_tls_server_cert_file'),
+    key_file            => hiera('mosquitto_tls_server_key_file'),
   }
 }
 
diff --git a/modules/openstack_project/manifests/firehose.pp b/modules/openstack_project/manifests/firehose.pp
index d663b272b8..49418cff34 100644
--- a/modules/openstack_project/manifests/firehose.pp
+++ b/modules/openstack_project/manifests/firehose.pp
@@ -22,11 +22,18 @@ class openstack_project::firehose (
   $mqtt_hostname = 'firehose01.openstack.org',
   $mqtt_password,
   $mqtt_username = 'infra',
+  $ca_file,
+  $cert_file,
+  $key_file,
 ) {
   include mosquitto
   class {'mosquitto::server':
     infra_service_username => $mqtt_username,
     infra_service_password => $mqtt_password,
+    enable_tls             => true,
+    ca_file                => $ca_file,
+    cert_file              => $cert_file,
+    key_file               => $key_file,
   }
 
   include germqtt
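Review bot: The new parameters `$ca_file`, `$cert_file` and `$key_file` are undocumented, and the `_file` suffix does not say whether each carries a filesystem path or the PEM contents looked up from hiera in site.pp. This matters most for `$key_file`, the server's private key: where it is written, and with what owner and mode, is decided inside `mosquitto::server`, which is outside this change, so it is worth confirming the key ends up readable only by the broker user. A header comment on the class such as `# $key_file: TLS private key for the broker (secret, supplied from hiera)` would settle the contract, worded to match what the module actually expects. The class body starts before this hunk and continues past it.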