From 8e104b3c549118727b53c9825a438e799715b7f9 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 10 Apr 2018 09:57:21 +0300 Subject: [PATCH] Switch public endpoints to use FQDNs by default This is in preparation for TLS by default, since the TLS certificate will use FQDNs for the SubjectAltName, and that will be verified. This required for us to change both CloudDomain and CloudName to be required parameters, and not default them to use localdomain. This is to avoid folks in real deployments using them in their clouds. Change-Id: Ic70dd323b33596eaa3fc18bdc69a7c011ccd7fa1 --- .../predictable-placement/custom-domain.yaml | 3 +- .../krb-service-principals.j2.yaml | 1 - network/endpoints/build_endpoint_map.py | 2 +- network/endpoints/endpoint_map.yaml | 58 +++++++++---------- overcloud.j2.yaml | 1 - ...cloud-endpoints-FQDN-78797a6c34e31bd5.yaml | 11 ++++ 6 files changed, 43 insertions(+), 33 deletions(-) create mode 100644 releasenotes/notes/Overcloud-endpoints-FQDN-78797a6c34e31bd5.yaml diff --git a/environments/predictable-placement/custom-domain.yaml b/environments/predictable-placement/custom-domain.yaml index 28472fe30c..25664d2500 100644 --- a/environments/predictable-placement/custom-domain.yaml +++ b/environments/predictable-placement/custom-domain.yaml @@ -14,8 +14,9 @@ parameter_defaults: CloudDomain: localdomain # The DNS name of this cloud. E.g. ci-overcloud.tripleo.org + # Mandatory. This parameter must be set by the user. # Type: string - CloudName: overcloud.localdomain + CloudName: # The DNS name of this cloud's provisioning network endpoint. E.g. 'ci-overcloud.ctlplane.tripleo.org'. # Type: string diff --git a/extraconfig/nova_metadata/krb-service-principals.j2.yaml b/extraconfig/nova_metadata/krb-service-principals.j2.yaml index f8be39256f..a3aabf561f 100644 --- a/extraconfig/nova_metadata/krb-service-principals.j2.yaml +++ b/extraconfig/nova_metadata/krb-service-principals.j2.yaml 
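Review bot: The commit message says both CloudDomain and CloudName become required, but this hunk only blanks `CloudName:` and keeps the `CloudDomain: localdomain` context line with no "Mandatory" note, so the sample environment still ships the localdomain value the change is meant to keep out of certificate names; either CloudDomain should get the same treatment here or the commit message should be narrowed to CloudName. A bare `CloudName:` is YAML null rather than an absent key; I cannot confirm from here whether Heat treats a null parameter_default as unset or rejects it, so a commented-out placeholder such as `# CloudName: <fqdn-of-this-cloud>` would be less ambiguous for a file users are expected to copy and edit. The `# Type: string` header style suggests this file is generated, in which case the edit may also need to land in the generator's source or it will be overwritten. Removing the default in the overcloud.j2.yaml and krb-service-principals.j2.yaml hunks makes the parameter required, but as far as the visible context shows an empty string still satisfies `type: string`; an `allowed_pattern` constraint on those definitions would reject that before it ends up in a certificate SubjectAltName.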
@@ -9,7 +9,6 @@ parameters: {%- if network.name == 'External' %} # Special case the External hostname param, which is CloudName CloudName: - default: overcloud.localdomain description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org type: string {%- elif network.name == 'InternalApi' %} diff --git a/network/endpoints/build_endpoint_map.py b/network/endpoints/build_endpoint_map.py index 1f251d81e5..d6845b340d 100755 --- a/network/endpoints/build_endpoint_map.py +++ b/network/endpoints/build_endpoint_map.py @@ -68,7 +68,7 @@ def endpoint_map_default(config): (F_PROTOCOL, str(svc[ep_type].get(F_PROTOCOL, svc.get(F_PROTOCOL, 'http')))), (F_PORT, str(svc[ep_type].get(F_PORT, svc[F_PORT]))), - (F_HOST, SUBST_IP_ADDRESS), + (F_HOST, SUBST_IP_ADDRESS if ep_type != 'Public' else SUBST_CLOUDNAME), ]) return ep_name + ep_type, values diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index 2c0c8330f8..4666f637d0 100644 --- a/network/endpoints/endpoint_map.yaml +++ b/network/endpoints/endpoint_map.yaml 
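Review bot: The added `(F_HOST, SUBST_IP_ADDRESS if ep_type != 'Public' else SUBST_CLOUDNAME)` compares against the bare string `'Public'` while every neighbouring value in this OrderedDict is a module constant (`F_HOST`, `SUBST_IP_ADDRESS`, `SUBST_CLOUDNAME`); a named constant for the endpoint type, say `EP_TYPE_PUBLIC = 'Public'` defined beside the other constants, keeps the public-endpoints-get-the-FQDN rule discoverable. Stating the condition positively, `(F_HOST, SUBST_CLOUDNAME if ep_type == EP_TYPE_PUBLIC else SUBST_IP_ADDRESS)`, also reads as the intent rather than its negation. If the new line is indented like the other tuple entries it appears to run past 79 columns, which a flake8/pep8 job would flag, so splitting the conditional across two lines is worth doing at the same time. The hunk does not add `SUBST_CLOUDNAME`, so it presumably already exists in the module; confirming that substitution is wired up matters because the whole endpoint_map.yaml hunk now depends on `CLOUDNAME` being replaced. endpoint_map_default's body begins outside the hunk.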
@@ -21,101 +21,101 @@ parameters: default: AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS} AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS} - AodhPublic: {protocol: http, port: '8042', host: IP_ADDRESS} + AodhPublic: {protocol: http, port: '8042', host: CLOUDNAME} BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS} BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS} - BarbicanPublic: {protocol: http, port: '9311', host: IP_ADDRESS} + BarbicanPublic: {protocol: http, port: '9311', host: CLOUDNAME} CeilometerAdmin: {protocol: http, port: '8777', host: IP_ADDRESS} CeilometerInternal: {protocol: http, port: '8777', host: IP_ADDRESS} - CeilometerPublic: {protocol: http, port: '8777', host: IP_ADDRESS} + CeilometerPublic: {protocol: http, port: '8777', host: CLOUDNAME} CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS} - CephRgwPublic: {protocol: http, port: '8080', host: IP_ADDRESS} + CephRgwPublic: {protocol: http, port: '8080', host: CLOUDNAME} CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS} CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS} - CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS} + CinderPublic: {protocol: http, port: '8776', host: CLOUDNAME} CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS} CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS} - CongressPublic: {protocol: http, port: '1789', host: IP_ADDRESS} + CongressPublic: {protocol: http, port: '1789', host: CLOUDNAME} DesignateAdmin: {protocol: http, port: '9001', host: IP_ADDRESS} DesignateInternal: {protocol: http, port: '9001', host: IP_ADDRESS} - DesignatePublic: {protocol: http, port: '9001', host: IP_ADDRESS} + DesignatePublic: {protocol: http, port: '9001', host: CLOUDNAME} DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS} Ec2ApiAdmin: {protocol: http, port: '8788', host: 
IP_ADDRESS} Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS} - Ec2ApiPublic: {protocol: http, port: '8788', host: IP_ADDRESS} + Ec2ApiPublic: {protocol: http, port: '8788', host: CLOUDNAME} GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS} GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} - GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS} + GlancePublic: {protocol: http, port: '9292', host: CLOUDNAME} GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS} - GnocchiPublic: {protocol: http, port: '8041', host: IP_ADDRESS} + GnocchiPublic: {protocol: http, port: '8041', host: CLOUDNAME} HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS} HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS} - HeatPublic: {protocol: http, port: '8004', host: IP_ADDRESS} + HeatPublic: {protocol: http, port: '8004', host: CLOUDNAME} HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS} HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS} - HeatCfnPublic: {protocol: http, port: '8000', host: IP_ADDRESS} - HorizonPublic: {protocol: http, port: '80', host: IP_ADDRESS} + HeatCfnPublic: {protocol: http, port: '8000', host: CLOUDNAME} + HorizonPublic: {protocol: http, port: '80', host: CLOUDNAME} IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS} IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS} - IronicPublic: {protocol: http, port: '6385', host: IP_ADDRESS} + IronicPublic: {protocol: http, port: '6385', host: CLOUDNAME} IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS} IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS} - IronicInspectorPublic: {protocol: http, port: 
'5050', host: IP_ADDRESS} + IronicInspectorPublic: {protocol: http, port: '5050', host: CLOUDNAME} IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS} KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS} - KeystonePublic: {protocol: http, port: '5000', host: IP_ADDRESS} + KeystonePublic: {protocol: http, port: '5000', host: CLOUDNAME} KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS} ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS} - ManilaPublic: {protocol: http, port: '8786', host: IP_ADDRESS} + ManilaPublic: {protocol: http, port: '8786', host: CLOUDNAME} MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS} MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS} - MistralPublic: {protocol: http, port: '8989', host: IP_ADDRESS} + MistralPublic: {protocol: http, port: '8989', host: CLOUDNAME} MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS} NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS} NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS} - NeutronPublic: {protocol: http, port: '9696', host: IP_ADDRESS} + NeutronPublic: {protocol: http, port: '9696', host: CLOUDNAME} NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS} NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS} - NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS} + NovaPublic: {protocol: http, port: '8774', host: CLOUDNAME} NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} NovaPlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS} NovaPlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS} - NovaPlacementPublic: {protocol: http, port: '8778', host: IP_ADDRESS} + NovaPlacementPublic: {protocol: http, port: '8778', 
host: CLOUDNAME} NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS} - NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS} + NovaVNCProxyPublic: {protocol: http, port: '6080', host: CLOUDNAME} OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS} OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS} - OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS} + OctaviaPublic: {protocol: http, port: '9876', host: CLOUDNAME} OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS} OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS} PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS} PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS} - PankoPublic: {protocol: http, port: '8977', host: IP_ADDRESS} + PankoPublic: {protocol: http, port: '8977', host: CLOUDNAME} SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS} SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS} - SaharaPublic: {protocol: http, port: '8386', host: IP_ADDRESS} + SaharaPublic: {protocol: http, port: '8386', host: CLOUDNAME} SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS} - SwiftPublic: {protocol: http, port: '8080', host: IP_ADDRESS} + SwiftPublic: {protocol: http, port: '8080', host: CLOUDNAME} SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS} TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS} - TackerPublic: {protocol: http, port: '9890', host: IP_ADDRESS} + TackerPublic: {protocol: http, port: '9890', host: CLOUDNAME} ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS} - ZaqarPublic: {protocol: http, port: '8888', host: IP_ADDRESS} + ZaqarPublic: {protocol: http, 
port: '8888', host: CLOUDNAME} ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS} ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS} - ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: IP_ADDRESS} + ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: CLOUDNAME} ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index 61a7401656..d5693ec94f 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -25,7 +25,6 @@ parameters: {%- if network.name == 'External' %} # Special case the External hostname param, which is CloudName CloudName: - default: overcloud.localdomain description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org type: string {%- elif network.name == 'InternalApi' %} diff --git a/releasenotes/notes/Overcloud-endpoints-FQDN-78797a6c34e31bd5.yaml b/releasenotes/notes/Overcloud-endpoints-FQDN-78797a6c34e31bd5.yaml new file mode 100644 index 0000000000..64f2ad0836 --- /dev/null +++ b/releasenotes/notes/Overcloud-endpoints-FQDN-78797a6c34e31bd5.yaml @@ -0,0 +1,11 @@ +--- +features: + - | + CloudName is now a required parameter. Given that FQDNs are now the + default instead of IP addresses, to avoid people using the localdomain + (which used to be the default for domain for CloudName), we now remove + the default, and require folks to set their own. + - | + The overcloud endpoints now point to FQDNs instead of IP addresses. + This was done as part of the public TLS by default work, and is needed + since the certificates have FQDNs for SubjectAltNames.