Commit Graph

7 Commits

Author SHA1 Message Date
Juan Antonio Osorio Robles
c6b6466f07 Add novajoin entries to the TLS-everywhere environment file
These metadata settings (the hardcoded metadata and the hook override)
are used by the novajoin service when it's deployed in the undercloud,
and will tell it to enroll the overcloud nodes and the services that are
specified by the metadata hook.

bp novajoin
bp tls-via-certmonger

Change-Id: Ia4645cc356688b7bcf82ed7765c0b74d53d64ed1
2017-01-25 22:54:34 +02:00
Juan Antonio Osorio Robles
a88261aa05 Pass parameters for TLS proxy in front of Glance-API
If TLS in the internal network is enabled, we run glance-api behind a
TLS proxy (which is actually httpd's mod_proxy). This passes the
necessary hieradata.

bp tls-via-certmonger
Change-Id: I693213a1f35021b540202240e512d121cc1cd0eb
Depends-On: Id35a846d43ecae8903a0d58306d9803d5ea00bee
2017-01-24 17:52:22 +00:00
Juan Antonio Osorio Robles
4b425b95f4 Enable haproxy internal TLS through enable-internal-tls.yaml
For usability and to reduce the number of environments that need to be
given when enabling TLS in the internal network, it's convenient to add
the enabling of TLS in the internal front-ends for HAProxy, instead of
doing that in a separate environment file.

bp tls-via-certmonger

Change-Id: Icef0c70b4b166ce2108315d5cf0763d4e8585ae1
2016-12-07 09:03:18 +02:00
Juan Antonio Osorio Robles
22003fbcba Enable TLS in the internal network for Mysql
This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.

Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there are some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).

Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-25 08:45:36 +02:00
Juan Antonio Osorio Robles
d9b80a8cf6 Fix resource_registry path in enable-internal-tls
It had a wrong path and thus crashed when one tried to use it.

Change-Id: Ida4f899c76cce6e819d7e0effaf038f699763bee
Closes-Bug: #1643863
2016-11-22 14:32:07 +02:00
Juan Antonio Osorio Robles
debbfbbf8f Generate internal TLS hieradata for apache services
This adds an environment file that can be used to enable TLS in
the internal endpoints via certmonger if used. This will include
a nested stack that will create the hash that will be used to
create the certmonger certificates.

When setting up a service over apache via puppet, we used to disable
explicitly ssl (which sets mod_ssl-related fields for that vhost).
We now make this depend on the EnableInternalTLS flag. This has only
been done for keystone, but more services will be added as the
puppet code lands.

bp tls-via-certmonger

Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
2016-10-20 12:22:42 +03:00
Juan Antonio Osorio Robles
d2af1b887a Add flag for internal TLS
This sets up a flag that tells the profiles to use TLS (this will happen
in the internal network).

bp tls-via-certmonger

Change-Id: If47febb5b38b1c65f60f9de87a34cb31936a7c0d
2016-09-30 04:32:08 +00:00