Pass parameters for TLS proxy in front of Octavia-API
If TLS in the internal network is enabled, we run octavia-api behind a TLS proxy.This passes the necessary hieradata. Depends-On: https://review.openstack.org/597038 Closes-Bug: #1789303 Co-Authored-By: Kellen Gattis <kgattis@redhat.com> Change-Id: I735f701c90492fa0cf09417c8c71c2868ca85d08
This commit is contained in:
parent
b7e124bad9
commit
0e6087d93a
@ -60,9 +60,26 @@ parameters:
|
||||
e.g. { octavia-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
|
||||
default: {}
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
TLSProxyBase:
|
||||
type: OS::TripleO::Services::TLSProxyBase
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||
|
||||
OctaviaBase:
|
||||
type: ./octavia-base.yaml
|
||||
properties:
|
||||
@ -82,6 +99,7 @@ outputs:
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OctaviaBase, role_data, config_settings]
|
||||
- get_attr: [TLSProxyBase, role_data, config_settings]
|
||||
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
||||
@ -104,12 +122,36 @@ outputs:
|
||||
dport:
|
||||
- 9876
|
||||
- 13876
|
||||
octavia::api::host:
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
tripleo::profile::base::octavia::api::tls_proxy_bind_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
tripleo::profile::base::octavia::api::tls_proxy_fqdn:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
tripleo::profile::base::octavia::api::tls_proxy_port:
|
||||
get_param: [EndpointMap, OctaviaInternal, port]
|
||||
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
||||
# proxy in front.
|
||||
octavia::api::host:
|
||||
if:
|
||||
- use_tls_proxy
|
||||
- '127.0.0.1'
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
step_config: |
|
||||
include tripleo::profile::base::octavia::api
|
||||
service_config_settings:
|
||||
|
Loading…
Reference in New Issue
Block a user