Change default endpoint map entries to use TLS

This changes the default endpoint map entries so that the public
endpoints use TLS.

Change-Id: I2d211b51ddb2f9fde5902cfb8004392a66e15a5c
Depends-On: I3d3cad0eb1396e7bee146794b29badad302efdf3
Depends-On: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c
Depends-On: Ief352f9e54bee95d5e4035725ab6a63ef4be0269
Juan Antonio Osorio Robles 2018-04-03 11:15:33 +03:00
parent 8e104b3c54
commit 22ad1bc8c5
3 changed files with 93 additions and 30 deletions


@ -6,6 +6,8 @@ Aodh:
net_param: AodhApi
Public:
net_param: Public
protocol: https
port: 13042
Admin:
net_param: AodhApi
port: 8042
@ -15,6 +17,8 @@ Barbican:
net_param: BarbicanApi
Public:
net_param: Public
protocol: https
port: 13311
Admin:
net_param: BarbicanApi
port: 9311
@ -24,6 +28,8 @@ Ceilometer:
net_param: CeilometerApi
Public:
net_param: Public
protocol: https
port: 13777
Admin:
net_param: CeilometerApi
port: 8777
@ -33,6 +39,8 @@ Designate:
net_param: DesignateApi
Public:
net_param: Public
protocol: https
port: 13001
Admin:
net_param: DesignateApi
port: 9001
@ -42,6 +50,8 @@ Ec2Api:
net_param: Ec2Api
Public:
net_param: Public
protocol: https
port: 13788
Admin:
net_param: Ec2Api
port: 8788
@ -51,6 +61,8 @@ Gnocchi:
net_param: GnocchiApi
Public:
net_param: Public
protocol: https
port: 13041
Admin:
net_param: GnocchiApi
port: 8041
@ -60,6 +72,8 @@ Panko:
net_param: PankoApi
Public:
net_param: Public
protocol: https
portt: 13977
Admin:
net_param: PankoApi
port: 8977
@ -77,6 +91,8 @@ Cinder:
'': /v1/%(tenant_id)s
V2: /v2/%(tenant_id)s
V3: /v3/%(tenant_id)s
protocol: https
port: 13776
Admin:
net_param: CinderApi
uri_suffixes:
@ -90,6 +106,8 @@ Congress:
net_param: CongressApi
Public:
net_param: Public
protocol: https
port: 13789
Admin:
net_param: CongressApi
port: 1789
@ -99,6 +117,8 @@ Glance:
net_param: GlanceApi
Public:
net_param: Public
protocol: https
port: 13292
Admin:
net_param: GlanceApi
port: 9292
@ -118,6 +138,8 @@ Heat:
net_param: Public
uri_suffixes:
'': /v1/%(tenant_id)s
protocol: https
port: 13004
Admin:
net_param: HeatApi
uri_suffixes:
@ -138,6 +160,8 @@ HeatCfn:
net_param: Public
uri_suffixes:
'': /v1
protocol: https
port: 13005
Admin:
net_param: HeatApi
uri_suffixes:
@ -149,7 +173,8 @@ Horizon:
net_param: Public
uri_suffixes:
'': /dashboard
port: 80
protocol: https
port: 443
# TODO(ayoung): V3 is a temporary fix. Endpoints should be versionless.
# Required for https://bugs.launchpad.net/puppet-nova/+bug/1542486
@ -166,6 +191,8 @@ Keystone:
uri_suffixes:
'': /
V3: /v3
protocol: https
port: 13000
Admin:
net_param: KeystoneAdminApi
uri_suffixes:
@ -190,6 +217,8 @@ Manila:
uri_suffixes:
'': /v2/%(tenant_id)s
V1: /v1/%(tenant_id)s
protocol: https
port: 13786
Admin:
net_param: ManilaApi
uri_suffixes:
@ -206,6 +235,8 @@ Mistral:
net_param: Public
uri_suffixes:
'': /v2
protocol: https
port: 13989
Admin:
net_param: MistralApi
uri_suffixes:
@ -222,6 +253,8 @@ Neutron:
net_param: NeutronApi
Public:
net_param: Public
protocol: https
port: 13696
Admin:
net_param: NeutronApi
port: 9696
@ -235,6 +268,8 @@ Nova:
net_param: Public
uri_suffixes:
'': /v2.1
protocol: https
port: 13774
Admin:
net_param: NovaApi
uri_suffixes:
@ -255,6 +290,8 @@ NovaPlacement:
net_param: Public
uri_suffixes:
'': /placement
protocol: https
port: 13778
Admin:
net_param: NovaPlacement
uri_suffixes:
@ -266,6 +303,8 @@ NovaVNCProxy:
net_param: NovaApi
Public:
net_param: Public
protocol: https
port: 13080
Admin:
net_param: NovaApi
port: 6080
@ -281,6 +320,8 @@ Swift:
uri_suffixes:
'': /v1/AUTH_%(tenant_id)s
S3:
protocol: https
port: 13808
Admin:
net_param: SwiftProxy
uri_suffixes:
@ -302,6 +343,8 @@ CephRgw:
net_param: Public
uri_suffixes:
'': /swift/v1
protocol: https
port: 13808
Admin:
net_param: CephRgw
uri_suffixes:
@ -317,6 +360,8 @@ Sahara:
net_param: Public
uri_suffixes:
'': /v1.1/%(tenant_id)s
protocol: https
port: 13386
Admin:
net_param: SaharaApi
uri_suffixes:
@ -328,6 +373,8 @@ Tacker:
net_param: TackerApi
Public:
net_param: Public
protocol: https
port: 13989
Admin:
net_param: TackerApi
port: 9890
@ -341,6 +388,8 @@ Ironic:
net_param: Public
uri_suffixes:
'': /v1
protocol: https
port: 13385
Admin:
net_param: IronicApi
uri_suffixes:
@ -357,6 +406,8 @@ IronicInspector:
net_param: IronicInspector
Public:
net_param: Public
protocol: https
port: 13050
Admin:
net_param: IronicInspector
UIConfig:
@ -371,6 +422,8 @@ Zaqar:
net_param: ZaqarApi
Public:
net_param: Public
protocol: https
port: 13888
Admin:
net_param: ZaqarApi
port: 8888
@ -380,6 +433,7 @@ ZaqarWebSocket:
net_param: ZaqarApi
Public:
net_param: Public
protocol: https
Admin:
net_param: ZaqarApi
UIConfig:
@ -395,6 +449,8 @@ Octavia:
net_param: OctaviaApi
Public:
net_param: Public
protocol: https
port: 13876
Admin:
net_param: OctaviaApi
port: 9876
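Review bot: The Panko public entry spells its key `portt: 13977`, so the new port is presumably never read; the second file's `PankoPublic: {protocol: https, port: '8977', ...}` is consistent with that, advertising https on the same port the Admin and Internal entries use for plain http. It should read `port: 13977`. The Tacker public entry is given `port: 13989`, the same value as Mistral's public entry in this file (and `TackerPublic`/`MistralPublic` in the second file); with Tacker's admin port at 9890, `port: 13890` looks like the intended value. A check that rejects unknown keys and duplicate public ports in this data would catch both before the map is rendered.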


@ -21,101 +21,101 @@ parameters:
default:
AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
AodhPublic: {protocol: http, port: '8042', host: CLOUDNAME}
AodhPublic: {protocol: https, port: '13042', host: CLOUDNAME}
BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
BarbicanPublic: {protocol: http, port: '9311', host: CLOUDNAME}
BarbicanPublic: {protocol: https, port: '13311', host: CLOUDNAME}
CeilometerAdmin: {protocol: http, port: '8777', host: IP_ADDRESS}
CeilometerInternal: {protocol: http, port: '8777', host: IP_ADDRESS}
CeilometerPublic: {protocol: http, port: '8777', host: CLOUDNAME}
CeilometerPublic: {protocol: https, port: '13777', host: CLOUDNAME}
CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
CephRgwPublic: {protocol: http, port: '8080', host: CLOUDNAME}
CephRgwPublic: {protocol: https, port: '13808', host: CLOUDNAME}
CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
CinderPublic: {protocol: http, port: '8776', host: CLOUDNAME}
CinderPublic: {protocol: https, port: '13776', host: CLOUDNAME}
CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS}
CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS}
CongressPublic: {protocol: http, port: '1789', host: CLOUDNAME}
CongressPublic: {protocol: https, port: '13789', host: CLOUDNAME}
DesignateAdmin: {protocol: http, port: '9001', host: IP_ADDRESS}
DesignateInternal: {protocol: http, port: '9001', host: IP_ADDRESS}
DesignatePublic: {protocol: http, port: '9001', host: CLOUDNAME}
DesignatePublic: {protocol: https, port: '13001', host: CLOUDNAME}
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS}
Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS}
Ec2ApiPublic: {protocol: http, port: '8788', host: CLOUDNAME}
Ec2ApiPublic: {protocol: https, port: '13788', host: CLOUDNAME}
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
GlancePublic: {protocol: http, port: '9292', host: CLOUDNAME}
GlancePublic: {protocol: https, port: '13292', host: CLOUDNAME}
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiPublic: {protocol: http, port: '8041', host: CLOUDNAME}
GnocchiPublic: {protocol: https, port: '13041', host: CLOUDNAME}
HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatPublic: {protocol: http, port: '8004', host: CLOUDNAME}
HeatPublic: {protocol: https, port: '13004', host: CLOUDNAME}
HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
HeatCfnPublic: {protocol: http, port: '8000', host: CLOUDNAME}
HorizonPublic: {protocol: http, port: '80', host: CLOUDNAME}
HeatCfnPublic: {protocol: https, port: '13005', host: CLOUDNAME}
HorizonPublic: {protocol: https, port: '443', host: CLOUDNAME}
IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicPublic: {protocol: http, port: '6385', host: CLOUDNAME}
IronicPublic: {protocol: https, port: '13385', host: CLOUDNAME}
IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorPublic: {protocol: http, port: '5050', host: CLOUDNAME}
IronicInspectorPublic: {protocol: https, port: '13050', host: CLOUDNAME}
IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
KeystonePublic: {protocol: http, port: '5000', host: CLOUDNAME}
KeystonePublic: {protocol: https, port: '13000', host: CLOUDNAME}
KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaPublic: {protocol: http, port: '8786', host: CLOUDNAME}
ManilaPublic: {protocol: https, port: '13786', host: CLOUDNAME}
MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralPublic: {protocol: http, port: '8989', host: CLOUDNAME}
MistralPublic: {protocol: https, port: '13989', host: CLOUDNAME}
MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronPublic: {protocol: http, port: '9696', host: CLOUDNAME}
NeutronPublic: {protocol: https, port: '13696', host: CLOUDNAME}
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaPublic: {protocol: http, port: '8774', host: CLOUDNAME}
NovaPublic: {protocol: https, port: '13774', host: CLOUDNAME}
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
NovaPlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
NovaPlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
NovaPlacementPublic: {protocol: http, port: '8778', host: CLOUDNAME}
NovaPlacementPublic: {protocol: https, port: '13778', host: CLOUDNAME}
NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
NovaVNCProxyPublic: {protocol: http, port: '6080', host: CLOUDNAME}
NovaVNCProxyPublic: {protocol: https, port: '13080', host: CLOUDNAME}
OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
OctaviaPublic: {protocol: http, port: '9876', host: CLOUDNAME}
OctaviaPublic: {protocol: https, port: '13876', host: CLOUDNAME}
OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS}
OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS}
PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS}
PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS}
PankoPublic: {protocol: http, port: '8977', host: CLOUDNAME}
PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME}
SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
SaharaPublic: {protocol: http, port: '8386', host: CLOUDNAME}
SaharaPublic: {protocol: https, port: '13386', host: CLOUDNAME}
SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftPublic: {protocol: http, port: '8080', host: CLOUDNAME}
SwiftPublic: {protocol: https, port: '13808', host: CLOUDNAME}
SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS}
TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS}
TackerPublic: {protocol: http, port: '9890', host: CLOUDNAME}
TackerPublic: {protocol: https, port: '13989', host: CLOUDNAME}
ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarPublic: {protocol: http, port: '8888', host: CLOUDNAME}
ZaqarPublic: {protocol: https, port: '13888', host: CLOUDNAME}
ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: CLOUDNAME}
ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME}
ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
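Review bot: `ZaqarWebSocketPublic` moves from `ws` to `https` on the unchanged port 9000, so the catalog would advertise a WebSocket service under an HTTP scheme, on the same port its Admin and Internal entries still use for plaintext `ws`. If TLS is intended here the scheme is presumably `wss`, e.g. `ZaqarWebSocketPublic: {protocol: wss, port: '9000', host: CLOUDNAME}`, with a separate port if TLS is terminated in front of the service as the 13xxx ports of the other public entries suggest. This follows from the first file, where the ZaqarWebSocket public entry gains `protocol: https` and no `port`. A short comment in the map noting that Admin and Internal entries deliberately stay on `http`/`ws` would also help readers who expect "TLS by default" to cover every interface.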


@ -0,0 +1,7 @@
---
features:
- |
TripleO now uses TLS on the public interfaces by default. This is reflected
on the EndpointMap, as now the default entries have 'https' endpoints.
Note that it's still possible to deploy TripleO without TLS, using the
environments/no-tls-endpoints-public-ip.yaml environment file.