Change default endpoint map entries to use TLS

This changes the default entries to use TLS as a default for the public endpoints. Change-Id: I2d211b51ddb2f9fde5902cfb8004392a66e15a5c Depends-On: I3d3cad0eb1396e7bee146794b29badad302efdf3 Depends-On: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c Depends-On: Ief352f9e54bee95d5e4035725ab6a63ef4be0269
2018-04-03 11:15:33 +03:00 · 2018-04-03 11:15:33 +03:00 · 22ad1bc8c5
parent 8e104b3c54
commit 22ad1bc8c5
3 changed files with 93 additions and 30 deletions
--- a/network/endpoints/endpoint_data.yaml
+++ b/network/endpoints/endpoint_data.yaml
@ -6,6 +6,8 @@ Aodh:
        net_param: AodhApi
    Public:
        net_param: Public
        protocol: https
        port: 13042
    Admin:
        net_param: AodhApi
    port: 8042
@ -15,6 +17,8 @@ Barbican:
        net_param: BarbicanApi
    Public:
        net_param: Public
        protocol: https
        port: 13311
    Admin:
        net_param: BarbicanApi
    port: 9311
@ -24,6 +28,8 @@ Ceilometer:
        net_param: CeilometerApi
    Public:
        net_param: Public
        protocol: https
        port: 13777
    Admin:
        net_param: CeilometerApi
    port: 8777
@ -33,6 +39,8 @@ Designate:
        net_param: DesignateApi
    Public:
        net_param: Public
        protocol: https
        port: 13001
    Admin:
        net_param: DesignateApi
    port: 9001
@ -42,6 +50,8 @@ Ec2Api:
        net_param: Ec2Api
    Public:
        net_param: Public
        protocol: https
        port: 13788
    Admin:
        net_param: Ec2Api
    port: 8788
@ -51,6 +61,8 @@ Gnocchi:
        net_param: GnocchiApi
    Public:
        net_param: Public
        protocol: https
        port: 13041
    Admin:
        net_param: GnocchiApi
    port: 8041
@ -60,6 +72,8 @@ Panko:
        net_param: PankoApi
    Public:
        net_param: Public
        protocol: https
        portt: 13977
    Admin:
        net_param: PankoApi
    port: 8977
@ -77,6 +91,8 @@ Cinder:
            '': /v1/%(tenant_id)s
            V2: /v2/%(tenant_id)s
            V3: /v3/%(tenant_id)s
        protocol: https
        port: 13776
    Admin:
        net_param: CinderApi
        uri_suffixes:
@ -90,6 +106,8 @@ Congress:
        net_param: CongressApi
    Public:
        net_param: Public
        protocol: https
        port: 13789
    Admin:
        net_param: CongressApi
    port: 1789
@ -99,6 +117,8 @@ Glance:
        net_param: GlanceApi
    Public:
        net_param: Public
        protocol: https
        port: 13292
    Admin:
        net_param: GlanceApi
    port: 9292
@ -118,6 +138,8 @@ Heat:
        net_param: Public
        uri_suffixes:
            '': /v1/%(tenant_id)s
        protocol: https
        port: 13004
    Admin:
        net_param: HeatApi
        uri_suffixes:
@ -138,6 +160,8 @@ HeatCfn:
        net_param: Public
        uri_suffixes:
            '': /v1
        protocol: https
        port: 13005
    Admin:
        net_param: HeatApi
        uri_suffixes:
@ -149,7 +173,8 @@ Horizon:
        net_param: Public
        uri_suffixes:
            '': /dashboard
-    port: 80
+        protocol: https
    port: 443
 # TODO(ayoung): V3 is a temporary fix. Endpoints should be versionless.
 # Required for https://bugs.launchpad.net/puppet-nova/+bug/1542486
@ -166,6 +191,8 @@ Keystone:
        uri_suffixes:
            '': /
            V3: /v3
        protocol: https
        port: 13000
    Admin:
        net_param: KeystoneAdminApi
        uri_suffixes:
@ -190,6 +217,8 @@ Manila:
        uri_suffixes:
            '': /v2/%(tenant_id)s
            V1: /v1/%(tenant_id)s
        protocol: https
        port: 13786
    Admin:
        net_param: ManilaApi
        uri_suffixes:
@ -206,6 +235,8 @@ Mistral:
        net_param: Public
        uri_suffixes:
            '': /v2
        protocol: https
        port: 13989
    Admin:
        net_param: MistralApi
        uri_suffixes:
@ -222,6 +253,8 @@ Neutron:
        net_param: NeutronApi
    Public:
        net_param: Public
        protocol: https
        port: 13696
    Admin:
        net_param: NeutronApi
    port: 9696
@ -235,6 +268,8 @@ Nova:
        net_param: Public
        uri_suffixes:
            '': /v2.1
        protocol: https
        port: 13774
    Admin:
        net_param: NovaApi
        uri_suffixes:
@ -255,6 +290,8 @@ NovaPlacement:
        net_param: Public
        uri_suffixes:
            '': /placement
        protocol: https
        port: 13778
    Admin:
        net_param: NovaPlacement
        uri_suffixes:
@ -266,6 +303,8 @@ NovaVNCProxy:
        net_param: NovaApi
    Public:
        net_param: Public
        protocol: https
        port: 13080
    Admin:
        net_param: NovaApi
    port: 6080
@ -281,6 +320,8 @@ Swift:
        uri_suffixes:
            '': /v1/AUTH_%(tenant_id)s
            S3:
        protocol: https
        port: 13808
    Admin:
        net_param: SwiftProxy
        uri_suffixes:
@ -302,6 +343,8 @@ CephRgw:
        net_param: Public
        uri_suffixes:
            '': /swift/v1
        protocol: https
        port: 13808
    Admin:
        net_param: CephRgw
        uri_suffixes:
@ -317,6 +360,8 @@ Sahara:
        net_param: Public
        uri_suffixes:
            '': /v1.1/%(tenant_id)s
        protocol: https
        port: 13386
    Admin:
        net_param: SaharaApi
        uri_suffixes:
@ -328,6 +373,8 @@ Tacker:
        net_param: TackerApi
    Public:
        net_param: Public
        protocol: https
        port: 13989
    Admin:
        net_param: TackerApi
    port: 9890
@ -341,6 +388,8 @@ Ironic:
        net_param: Public
        uri_suffixes:
            '': /v1
        protocol: https
        port: 13385
    Admin:
        net_param: IronicApi
        uri_suffixes:
@ -357,6 +406,8 @@ IronicInspector:
        net_param: IronicInspector
    Public:
        net_param: Public
        protocol: https
        port: 13050
    Admin:
        net_param: IronicInspector
    UIConfig:
@ -371,6 +422,8 @@ Zaqar:
        net_param: ZaqarApi
    Public:
        net_param: Public
        protocol: https
        port: 13888
    Admin:
        net_param: ZaqarApi
    port: 8888
@ -380,6 +433,7 @@ ZaqarWebSocket:
        net_param: ZaqarApi
    Public:
        net_param: Public
        protocol: https
    Admin:
        net_param: ZaqarApi
    UIConfig:
@ -395,6 +449,8 @@ Octavia:
        net_param: OctaviaApi
    Public:
        net_param: Public
        protocol: https
        port: 13876
    Admin:
        net_param: OctaviaApi
    port: 9876
--- a/network/endpoints/endpoint_map.yaml
+++ b/network/endpoints/endpoint_map.yaml
@ -21,101 +21,101 @@ parameters:
    default:
      AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
      AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
-      AodhPublic: {protocol: http, port: '8042', host: CLOUDNAME}
+      AodhPublic: {protocol: https, port: '13042', host: CLOUDNAME}
      BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
      BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
-      BarbicanPublic: {protocol: http, port: '9311', host: CLOUDNAME}
+      BarbicanPublic: {protocol: https, port: '13311', host: CLOUDNAME}
      CeilometerAdmin: {protocol: http, port: '8777', host: IP_ADDRESS}
      CeilometerInternal: {protocol: http, port: '8777', host: IP_ADDRESS}
-      CeilometerPublic: {protocol: http, port: '8777', host: CLOUDNAME}
+      CeilometerPublic: {protocol: https, port: '13777', host: CLOUDNAME}
      CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
      CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
-      CephRgwPublic: {protocol: http, port: '8080', host: CLOUDNAME}
+      CephRgwPublic: {protocol: https, port: '13808', host: CLOUDNAME}
      CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
      CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
-      CinderPublic: {protocol: http, port: '8776', host: CLOUDNAME}
+      CinderPublic: {protocol: https, port: '13776', host: CLOUDNAME}
      CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS}
      CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS}
-      CongressPublic: {protocol: http, port: '1789', host: CLOUDNAME}
+      CongressPublic: {protocol: https, port: '13789', host: CLOUDNAME}
      DesignateAdmin: {protocol: http, port: '9001', host: IP_ADDRESS}
      DesignateInternal: {protocol: http, port: '9001', host: IP_ADDRESS}
-      DesignatePublic: {protocol: http, port: '9001', host: CLOUDNAME}
+      DesignatePublic: {protocol: https, port: '13001', host: CLOUDNAME}
      DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
      Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS}
      Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS}
-      Ec2ApiPublic: {protocol: http, port: '8788', host: CLOUDNAME}
+      Ec2ApiPublic: {protocol: https, port: '13788', host: CLOUDNAME}
      GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
      GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
      GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
-      GlancePublic: {protocol: http, port: '9292', host: CLOUDNAME}
+      GlancePublic: {protocol: https, port: '13292', host: CLOUDNAME}
      GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
      GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
-      GnocchiPublic: {protocol: http, port: '8041', host: CLOUDNAME}
+      GnocchiPublic: {protocol: https, port: '13041', host: CLOUDNAME}
      HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
      HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
-      HeatPublic: {protocol: http, port: '8004', host: CLOUDNAME}
+      HeatPublic: {protocol: https, port: '13004', host: CLOUDNAME}
      HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
      HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
-      HeatCfnPublic: {protocol: http, port: '8000', host: CLOUDNAME}
+      HeatCfnPublic: {protocol: https, port: '13005', host: CLOUDNAME}
-      HorizonPublic: {protocol: http, port: '80', host: CLOUDNAME}
+      HorizonPublic: {protocol: https, port: '443', host: CLOUDNAME}
      IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
      IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
-      IronicPublic: {protocol: http, port: '6385', host: CLOUDNAME}
+      IronicPublic: {protocol: https, port: '13385', host: CLOUDNAME}
      IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
      IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
-      IronicInspectorPublic: {protocol: http, port: '5050', host: CLOUDNAME}
+      IronicInspectorPublic: {protocol: https, port: '13050', host: CLOUDNAME}
      IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
      KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
-      KeystonePublic: {protocol: http, port: '5000', host: CLOUDNAME}
+      KeystonePublic: {protocol: https, port: '13000', host: CLOUDNAME}
      KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
      ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
-      ManilaPublic: {protocol: http, port: '8786', host: CLOUDNAME}
+      ManilaPublic: {protocol: https, port: '13786', host: CLOUDNAME}
      MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
      MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
-      MistralPublic: {protocol: http, port: '8989', host: CLOUDNAME}
+      MistralPublic: {protocol: https, port: '13989', host: CLOUDNAME}
      MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
      NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
      NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
-      NeutronPublic: {protocol: http, port: '9696', host: CLOUDNAME}
+      NeutronPublic: {protocol: https, port: '13696', host: CLOUDNAME}
      NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
      NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
-      NovaPublic: {protocol: http, port: '8774', host: CLOUDNAME}
+      NovaPublic: {protocol: https, port: '13774', host: CLOUDNAME}
      NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      NovaPlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
      NovaPlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
-      NovaPlacementPublic: {protocol: http, port: '8778', host: CLOUDNAME}
+      NovaPlacementPublic: {protocol: https, port: '13778', host: CLOUDNAME}
      NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
      NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
-      NovaVNCProxyPublic: {protocol: http, port: '6080', host: CLOUDNAME}
+      NovaVNCProxyPublic: {protocol: https, port: '13080', host: CLOUDNAME}
      OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
      OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
-      OctaviaPublic: {protocol: http, port: '9876', host: CLOUDNAME}
+      OctaviaPublic: {protocol: https, port: '13876', host: CLOUDNAME}
      OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS}
      OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS}
      PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS}
      PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS}
-      PankoPublic: {protocol: http, port: '8977', host: CLOUDNAME}
+      PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME}
      SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
      SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
-      SaharaPublic: {protocol: http, port: '8386', host: CLOUDNAME}
+      SaharaPublic: {protocol: https, port: '13386', host: CLOUDNAME}
      SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
      SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
-      SwiftPublic: {protocol: http, port: '8080', host: CLOUDNAME}
+      SwiftPublic: {protocol: https, port: '13808', host: CLOUDNAME}
      SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
      TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS}
      TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS}
-      TackerPublic: {protocol: http, port: '9890', host: CLOUDNAME}
+      TackerPublic: {protocol: https, port: '13989', host: CLOUDNAME}
      ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
      ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
-      ZaqarPublic: {protocol: http, port: '8888', host: CLOUDNAME}
+      ZaqarPublic: {protocol: https, port: '13888', host: CLOUDNAME}
      ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
      ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
-      ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: CLOUDNAME}
+      ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME}
      ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}
    description: Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
--- a/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml
+++ b/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml
@ -0,0 +1,7 @@
 ---
 features:
  - |
    TripleO now uses TLS on the public interfaces by default. This is reflected
    on the EndpointMap, as now the default entries have 'https' endpoints.
    Note that it's still possible to deploy TripleO without TLS, using the
    environments/no-tls-endpoints-public-ip.yaml environment file.