+ # Configuration of ODL NB REST port to listen on
+ if $opendaylight::enable_tls {
+
+ if $::opendaylight::tls_keystore_password == undef {
+ fail('Enabling TLS requires setting a TLS password for the ODL keystore')
+ }
+
+ if $::opendaylight::tls_key_file or $::opendaylight::tls_cert_file {
+ if $::opendaylight::tls_key_file and $::opendaylight::tls_cert_file {
+ odl_keystore { 'controller':
+ password => $::opendaylight::tls_keystore_password,
+ cert_file => $::opendaylight::tls_cert_file,
+ key_file => $::opendaylight::tls_key_file,
+ ca_file => $::opendaylight::tls_ca_cert_file,
+ require => File['/opt/opendaylight/configuration/ssl']
+ }
+ } else {
+ fail('Must specify both TLS key file path AND certificate file path')
+ }
+ }
+
+ augeas {'Remove HTTP ODL REST Port':
+ incl => '/opt/opendaylight/etc/jetty.xml',
+ context => '/files/opt/opendaylight/etc/jetty.xml/Configure',
+ lens => 'Xml.lns',
+ changes => ["rm Call[2]/Arg/New/Set[#attribute[name='port']]"]
+ }
+
+ augeas {'ODL SSL REST Port':
+ incl => '/opt/opendaylight/etc/jetty.xml',
+ context => '/files/opt/opendaylight/etc/jetty.xml/Configure',
+ lens => 'Xml.lns',
+ changes => ["set New[2]/Set[#attribute[name='securePort']]/Property/#attribute/default ${opendaylight::odl_rest_port}"]
+ }
+
+ file_line { 'set pax TLS port':
+ ensure => present,
+ path => '/opt/opendaylight/etc/org.ops4j.pax.web.cfg',
+ line => "org.osgi.service.http.port.secure = ${opendaylight::odl_rest_port}",
+ match => '^#?org.osgi.service.http.port.secure.*$',
+ require => File['org.ops4j.pax.web.cfg']
+ }
+
+ file_line { 'enable pax TLS':
+ ensure => present,
+ path => '/opt/opendaylight/etc/org.ops4j.pax.web.cfg',
+ line => 'org.osgi.service.http.secure.enabled = true',
+ match => '^#?org.osgi.service.http.secure.enabled.*$',
+ require => File['org.ops4j.pax.web.cfg']
+ }
+
+ file {'aaa-cert-config.xml':
+ ensure => file,
+ path => '/opt/opendaylight/etc/opendaylight/datastore/initial/config/aaa-cert-config.xml',
+ owner => 'odl',
+ group => 'odl',
+ content => template('opendaylight/aaa-cert-config.xml.erb'),
+ }
+
+ file_line {'set pax TLS keystore location':
+ ensure => present,
+ path => '/opt/opendaylight/etc/org.ops4j.pax.web.cfg',
+ line => 'org.ops4j.pax.web.ssl.keystore = configuration/ssl/ctl.jks',
+ match => '^#?org.ops4j.pax.web.ssl.keystore.*$',
+ require => File['org.ops4j.pax.web.cfg']
+ }
+ file_line {'set pax TLS keystore integrity password':
+ ensure => present,
+ path => '/opt/opendaylight/etc/org.ops4j.pax.web.cfg',
+ line => "org.ops4j.pax.web.ssl.password = ${opendaylight::tls_keystore_password}",
+ match => '^#?org.ops4j.pax.web.ssl.password.*$',
+ require => File['org.ops4j.pax.web.cfg']
+ }
+
+ file_line {'set pax TLS keystore password':
+ ensure => present,
+ path => '/opt/opendaylight/etc/org.ops4j.pax.web.cfg',
+ line => "org.ops4j.pax.web.ssl.keypassword = ${opendaylight::tls_keystore_password}",
+ match => '^#?org.ops4j.pax.web.ssl.keypassword.*$',
+ require => File['org.ops4j.pax.web.cfg']
+ }
+
+ # Enable TLS with OVSDB
+ file { 'org.opendaylight.ovsdb.library.cfg':
+ ensure => file,
+ path => '/opt/opendaylight/etc/org.opendaylight.ovsdb.library.cfg',
+ owner => 'odl',
+ group => 'odl',
+ source => 'puppet:///modules/opendaylight/org.opendaylight.ovsdb.library.cfg',
+ }
+
+ # Configure OpenFlow plugin to use TLS
+ $transport_protocol = 'TLS'
+ } else {
+ $transport_protocol = 'TCP'
+ augeas { 'ODL REST Port':
+ incl => '/opt/opendaylight/etc/jetty.xml',
+ context => '/files/opt/opendaylight/etc/jetty.xml/Configure',
+ lens => 'Xml.lns',
+ changes => [
+ "set Call[2]/Arg/New/Set[#attribute[name='port']]/Property/#attribute/default
+ ${opendaylight::odl_rest_port}"]
+ }
+ }
+ # Configure OpenFlow plugin to use TCP/TLS
+ file { 'default-openflow-connection-config.xml':