From 22ad1bc8c51dffb40e3ebaf5fef35de333adb53d Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 3 Apr 2018 11:15:33 +0300 Subject: [PATCH] Change default endpoint map entries to use TLS This changes the default entries to use TLS as a default for the public endpoints. Change-Id: I2d211b51ddb2f9fde5902cfb8004392a66e15a5c Depends-On: I3d3cad0eb1396e7bee146794b29badad302efdf3 Depends-On: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c Depends-On: Ief352f9e54bee95d5e4035725ab6a63ef4be0269 --- network/endpoints/endpoint_data.yaml | 58 ++++++++++++++++++- network/endpoints/endpoint_map.yaml | 58 +++++++++---------- ...endpoints-by-default-6f70ef3c82c547de.yaml | 7 +++ 3 files changed, 93 insertions(+), 30 deletions(-) create mode 100644 releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml index a8aa8b176f..31c2ceb218 100644 --- a/network/endpoints/endpoint_data.yaml +++ b/network/endpoints/endpoint_data.yaml @@ -6,6 +6,8 @@ Aodh: net_param: AodhApi Public: net_param: Public + protocol: https + port: 13042 Admin: net_param: AodhApi port: 8042 @@ -15,6 +17,8 @@ Barbican: net_param: BarbicanApi Public: net_param: Public + protocol: https + port: 13311 Admin: net_param: BarbicanApi port: 9311 @@ -24,6 +28,8 @@ Ceilometer: net_param: CeilometerApi Public: net_param: Public + protocol: https + port: 13777 Admin: net_param: CeilometerApi port: 8777 @@ -33,6 +39,8 @@ Designate: net_param: DesignateApi Public: net_param: Public + protocol: https + port: 13001 Admin: net_param: DesignateApi port: 9001 @@ -42,6 +50,8 @@ Ec2Api: net_param: Ec2Api Public: net_param: Public + protocol: https + port: 13788 Admin: net_param: Ec2Api port: 8788 @@ -51,6 +61,8 @@ Gnocchi: net_param: GnocchiApi Public: net_param: Public + protocol: https + port: 13041 Admin: net_param: GnocchiApi port: 8041 
@@ -60,6 +72,8 @@ Panko: net_param: PankoApi Public: net_param: Public + protocol: https + portt: 13977 Admin: net_param: PankoApi port: 8977 @@ -77,6 +91,8 @@ Cinder: '': /v1/%(tenant_id)s V2: /v2/%(tenant_id)s V3: /v3/%(tenant_id)s + protocol: https + port: 13776 Admin: net_param: CinderApi uri_suffixes: @@ -90,6 +106,8 @@ Congress: net_param: CongressApi Public: net_param: Public + protocol: https + port: 13789 Admin: net_param: CongressApi port: 1789 @@ -99,6 +117,8 @@ Glance: net_param: GlanceApi Public: net_param: Public + protocol: https + port: 13292 Admin: net_param: GlanceApi port: 9292 @@ -118,6 +138,8 @@ Heat: net_param: Public uri_suffixes: '': /v1/%(tenant_id)s + protocol: https + port: 13004 Admin: net_param: HeatApi uri_suffixes: @@ -138,6 +160,8 @@ HeatCfn: net_param: Public uri_suffixes: '': /v1 + protocol: https + port: 13005 Admin: net_param: HeatApi uri_suffixes: @@ -149,7 +173,8 @@ Horizon: net_param: Public uri_suffixes: '': /dashboard - port: 80 + protocol: https + port: 443 # TODO(ayoung): V3 is a temporary fix. Endpoints should be versionless. # Required for https://bugs.launchpad.net/puppet-nova/+bug/1542486 @@ -166,6 +191,8 @@ Keystone: uri_suffixes: '': / V3: /v3 + protocol: https + port: 13000 Admin: net_param: KeystoneAdminApi uri_suffixes: @@ -190,6 +217,8 @@ Manila: uri_suffixes: '': /v2/%(tenant_id)s V1: /v1/%(tenant_id)s + protocol: https + port: 13786 Admin: net_param: ManilaApi uri_suffixes: @@ -206,6 +235,8 @@ Mistral: net_param: Public uri_suffixes: '': /v2 + protocol: https + port: 13989 Admin: net_param: MistralApi uri_suffixes: @@ -222,6 +253,8 @@ Neutron: net_param: NeutronApi Public: net_param: Public + protocol: https + port: 13696 Admin: net_param: NeutronApi port: 9696 @@ -235,6 +268,8 @@ Nova: net_param: Public uri_suffixes: '': /v2.1 + protocol: https + port: 13774 Admin: net_param: NovaApi uri_suffixes: 
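Review bot: The Panko Public entry adds `portt: 13977` — a typo of `port` — so the intended TLS port is never picked up for this endpoint; it should read `port: 13977`. The endpoint_map.yaml hunk later in this patch is consistent with that miss: `PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME}` switches the scheme to https but keeps the plaintext port, so the default public Panko endpoint would advertise https on the port every other hunk leaves for the non-TLS API (assuming the map is regenerated from endpoint_data.yaml, which the other entries suggest). Fix both places: `port: 13977` here and `PankoPublic: {protocol: https, port: '13977', host: CLOUDNAME}` in the map.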
@@ -255,6 +290,8 @@ NovaPlacement: net_param: Public uri_suffixes: '': /placement + protocol: https + port: 13778 Admin: net_param: NovaPlacement uri_suffixes: @@ -266,6 +303,8 @@ NovaVNCProxy: net_param: NovaApi Public: net_param: Public + protocol: https + port: 13080 Admin: net_param: NovaApi port: 6080 @@ -281,6 +320,8 @@ Swift: uri_suffixes: '': /v1/AUTH_%(tenant_id)s S3: + protocol: https + port: 13808 Admin: net_param: SwiftProxy uri_suffixes: @@ -302,6 +343,8 @@ CephRgw: net_param: Public uri_suffixes: '': /swift/v1 + protocol: https + port: 13808 Admin: net_param: CephRgw uri_suffixes: @@ -317,6 +360,8 @@ Sahara: net_param: Public uri_suffixes: '': /v1.1/%(tenant_id)s + protocol: https + port: 13386 Admin: net_param: SaharaApi uri_suffixes: @@ -328,6 +373,8 @@ Tacker: net_param: TackerApi Public: net_param: Public + protocol: https + port: 13989 Admin: net_param: TackerApi port: 9890 @@ -341,6 +388,8 @@ Ironic: net_param: Public uri_suffixes: '': /v1 + protocol: https + port: 13385 Admin: net_param: IronicApi uri_suffixes: @@ -357,6 +406,8 @@ IronicInspector: net_param: IronicInspector Public: net_param: Public + protocol: https + port: 13050 Admin: net_param: IronicInspector UIConfig: @@ -371,6 +422,8 @@ Zaqar: net_param: ZaqarApi Public: net_param: Public + protocol: https + port: 13888 Admin: net_param: ZaqarApi port: 8888 @@ -380,6 +433,7 @@ ZaqarWebSocket: net_param: ZaqarApi Public: net_param: Public + protocol: https Admin: net_param: ZaqarApi UIConfig: @@ -395,6 +449,8 @@ Octavia: net_param: OctaviaApi Public: net_param: Public + protocol: https + port: 13876 Admin: net_param: OctaviaApi port: 9876 diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index 4666f637d0..b943921520 100644 --- a/network/endpoints/endpoint_map.yaml +++ b/network/endpoints/endpoint_map.yaml 
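Review bot: In the Tacker hunk, `port: 13989` is the same TLS port this patch already assigns to Mistral's Public endpoint, while every other service follows a 13000-plus-offset scheme derived from its own plaintext port (Tacker's Admin port below is 9890, which would give 13990). Unless the TLS front-end distinguishes the two services some other way, two public endpoints on one port will collide. The endpoint_map.yaml hunk repeats it: `TackerPublic: {protocol: https, port: '13989', host: CLOUDNAME}` alongside `MistralPublic: {protocol: https, port: '13989', host: CLOUDNAME}`. Suggest `port: 13990` here and `TackerPublic: {protocol: https, port: '13990', host: CLOUDNAME}` in the map, or a comment stating why the port is deliberately shared.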
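Review bot: The ZaqarWebSocket hunk sets `protocol: https` on a WebSocket endpoint whose Admin and Internal siblings stay `ws` in the endpoint_map.yaml hunk, and it is the only Public entry in this patch that adds no TLS port (the map keeps `'9000'`). If the intent is a TLS WebSocket endpoint, the scheme would normally be `wss`, so `protocol: wss` looks like the consistent value; if https is deliberate because the URL is consumed as an HTTP URL by some client, a comment above the line saying so would spare the next reader the same question. The same entry appears in endpoint_map.yaml as `ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME}` and should be changed in step.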
@@ -21,101 +21,101 @@ parameters: default: AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS} AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS} - AodhPublic: {protocol: http, port: '8042', host: CLOUDNAME} + AodhPublic: {protocol: https, port: '13042', host: CLOUDNAME} BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS} BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS} - BarbicanPublic: {protocol: http, port: '9311', host: CLOUDNAME} + BarbicanPublic: {protocol: https, port: '13311', host: CLOUDNAME} CeilometerAdmin: {protocol: http, port: '8777', host: IP_ADDRESS} CeilometerInternal: {protocol: http, port: '8777', host: IP_ADDRESS} - CeilometerPublic: {protocol: http, port: '8777', host: CLOUDNAME} + CeilometerPublic: {protocol: https, port: '13777', host: CLOUDNAME} CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS} - CephRgwPublic: {protocol: http, port: '8080', host: CLOUDNAME} + CephRgwPublic: {protocol: https, port: '13808', host: CLOUDNAME} CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS} CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS} - CinderPublic: {protocol: http, port: '8776', host: CLOUDNAME} + CinderPublic: {protocol: https, port: '13776', host: CLOUDNAME} CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS} CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS} - CongressPublic: {protocol: http, port: '1789', host: CLOUDNAME} + CongressPublic: {protocol: https, port: '13789', host: CLOUDNAME} DesignateAdmin: {protocol: http, port: '9001', host: IP_ADDRESS} DesignateInternal: {protocol: http, port: '9001', host: IP_ADDRESS} - DesignatePublic: {protocol: http, port: '9001', host: CLOUDNAME} + DesignatePublic: {protocol: https, port: '13001', host: CLOUDNAME} DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS} Ec2ApiAdmin: {protocol: http, port: '8788', 
host: IP_ADDRESS} Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS} - Ec2ApiPublic: {protocol: http, port: '8788', host: CLOUDNAME} + Ec2ApiPublic: {protocol: https, port: '13788', host: CLOUDNAME} GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS} GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} - GlancePublic: {protocol: http, port: '9292', host: CLOUDNAME} + GlancePublic: {protocol: https, port: '13292', host: CLOUDNAME} GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS} - GnocchiPublic: {protocol: http, port: '8041', host: CLOUDNAME} + GnocchiPublic: {protocol: https, port: '13041', host: CLOUDNAME} HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS} HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS} - HeatPublic: {protocol: http, port: '8004', host: CLOUDNAME} + HeatPublic: {protocol: https, port: '13004', host: CLOUDNAME} HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS} HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS} - HeatCfnPublic: {protocol: http, port: '8000', host: CLOUDNAME} - HorizonPublic: {protocol: http, port: '80', host: CLOUDNAME} + HeatCfnPublic: {protocol: https, port: '13005', host: CLOUDNAME} + HorizonPublic: {protocol: https, port: '443', host: CLOUDNAME} IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS} IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS} - IronicPublic: {protocol: http, port: '6385', host: CLOUDNAME} + IronicPublic: {protocol: https, port: '13385', host: CLOUDNAME} IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS} IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS} - IronicInspectorPublic: {protocol: 
http, port: '5050', host: CLOUDNAME} + IronicInspectorPublic: {protocol: https, port: '13050', host: CLOUDNAME} IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS} KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS} - KeystonePublic: {protocol: http, port: '5000', host: CLOUDNAME} + KeystonePublic: {protocol: https, port: '13000', host: CLOUDNAME} KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS} ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS} - ManilaPublic: {protocol: http, port: '8786', host: CLOUDNAME} + ManilaPublic: {protocol: https, port: '13786', host: CLOUDNAME} MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS} MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS} - MistralPublic: {protocol: http, port: '8989', host: CLOUDNAME} + MistralPublic: {protocol: https, port: '13989', host: CLOUDNAME} MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS} NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS} NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS} - NeutronPublic: {protocol: http, port: '9696', host: CLOUDNAME} + NeutronPublic: {protocol: https, port: '13696', host: CLOUDNAME} NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS} NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS} - NovaPublic: {protocol: http, port: '8774', host: CLOUDNAME} + NovaPublic: {protocol: https, port: '13774', host: CLOUDNAME} NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} NovaPlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS} NovaPlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS} - NovaPlacementPublic: {protocol: http, port: '8778', host: CLOUDNAME} + NovaPlacementPublic: {protocol: 
https, port: '13778', host: CLOUDNAME} NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS} - NovaVNCProxyPublic: {protocol: http, port: '6080', host: CLOUDNAME} + NovaVNCProxyPublic: {protocol: https, port: '13080', host: CLOUDNAME} OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS} OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS} - OctaviaPublic: {protocol: http, port: '9876', host: CLOUDNAME} + OctaviaPublic: {protocol: https, port: '13876', host: CLOUDNAME} OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS} OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS} PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS} PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS} - PankoPublic: {protocol: http, port: '8977', host: CLOUDNAME} + PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME} SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS} SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS} - SaharaPublic: {protocol: http, port: '8386', host: CLOUDNAME} + SaharaPublic: {protocol: https, port: '13386', host: CLOUDNAME} SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS} - SwiftPublic: {protocol: http, port: '8080', host: CLOUDNAME} + SwiftPublic: {protocol: https, port: '13808', host: CLOUDNAME} SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS} TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS} - TackerPublic: {protocol: http, port: '9890', host: CLOUDNAME} + TackerPublic: {protocol: https, port: '13989', host: CLOUDNAME} ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS} - ZaqarPublic: {protocol: http, port: '8888', host: CLOUDNAME} + 
ZaqarPublic: {protocol: https, port: '13888', host: CLOUDNAME} ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS} ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS} - ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: CLOUDNAME} + ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME} ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. diff --git a/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml b/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml new file mode 100644 index 0000000000..d739ee9552 --- /dev/null +++ b/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + TripleO now uses TLS on the public interfaces by default. This is reflected + on the EndpointMap, as now the default entries have 'https' endpoints. + Note that it's still possible to deploy TripleO without TLS, using the + environments/no-tls-endpoints-public-ip.yaml environment file.