environments: - name: ssl/enable-tls title: Enable SSL on OpenStack Public Endpoints description: | Use this environment to pass in certificates for SSL deployments. For these values to take effect, one of the tls-endpoints-*.yaml environments must also be used. files: deployment/haproxy/haproxy-public-tls-inject.yaml: parameters: all deployment/horizon/horizon-container-puppet.yaml: parameters: - HorizonSecureCookies deployment/keystone/keystone-container-puppet.yaml: parameters: - PublicTLSCAFile static: # This should probably be private, but for testing static params I'm # setting it as such for now. - DeployedSSLCertificatePath sample_values: SSLCertificate: |- | The contents of your certificate go here SSLKey: |- | The contents of the private key go here HorizonSecureCookies: True PublicTLSCAFile: '' - name: ssl/enable-internal-tls title: Enable SSL on OpenStack Internal Endpoints description: | A Heat environment file which can be used to enable TLS for the internal network via certmonger files: common/post.yaml: parameters: - EnableInternalTLS deployment/nova/nova-base-puppet.yaml: parameters: - RpcUseSSL deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml: parameters: - NotifyUseSSL overcloud.yaml: parameters: - ServerMetadata static: - EnableInternalTLS - RpcUseSSL - NotifyUseSSL - ServerMetadata sample_values: EnableInternalTLS: True RpcUseSSL: True NotifyUseSSL: True ServerMetadata: |-2 ipa_enroll: True resource_registry: OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml # We use apache as a TLS proxy # FIXME(bogdando): switch it, once it is containerized OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml # Creates nova metadata that will create the extra service principals per # node. OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml - name: ssl/inject-trust-anchor title: Inject SSL Trust Anchor on Overcloud Nodes description: | When using an SSL certificate signed by a CA that is not in the default list of CAs, this environment allows adding a custom CA certificate to the overcloud nodes. files: puppet/extraconfig/tls/ca-inject.yaml: parameters: - SSLRootCertificate sample_values: SSLRootCertificate: |- | The contents of your certificate go here resource_registry: OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml children: - name: ssl/inject-trust-anchor-hiera files: deployment/certs/ca-certs-baremetal-puppet.yaml: parameters: - CAMap # Need to clear this so we don't inherit the parent registry resource_registry: {} sample_values: CAMap: |-2 first-ca-name: content: | The content of the CA cert goes here second-ca-name: content: | The content of the CA cert goes here - name: ssl/tls-endpoints-public-ip title: Deploy Public SSL Endpoints as IP Addresses description: | Use this environment when deploying an SSL-enabled overcloud where the public endpoint is an IP address. parameter_merge_strategies: EndpointMap: merge files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap sample_values: # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'} BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'} CephDashboardInternal: {protocol: 'https', port: '8444', host: 'IP_ADDRESS'} CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'IP_ADDRESS'} CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'} DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'} GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'} HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'} HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'} HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'} IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'} KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'} ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'} MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'} NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'} NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'} NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'} NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'} PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'} OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'} SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'} ZaqarWebSocketPublic: {protocol: 'wss', port: '3000', host: 'IP_ADDRESS'} - name: ssl/tls-endpoints-public-dns title: Deploy Public SSL Endpoints as DNS Names description: | Use this environment when deploying an SSL-enabled overcloud where the public endpoint is a DNS name. parameter_merge_strategies: EndpointMap: merge files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap sample_values: # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'} CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'} CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'} CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'} KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'} MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'} NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'} PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'} ZaqarWebSocketPublic: {protocol: 'wss', port: '3000', host: 'CLOUDNAME'} - name: ssl/tls-everywhere-endpoints-dns title: Deploy All SSL Endpoints as DNS Names description: | Use this environment when deploying an overcloud where all the endpoints are DNS names and there's TLS in all endpoint types. parameter_merge_strategies: EndpointMap: merge files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap sample_values: # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'} AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'} AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'} BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'} BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'} CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'} CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'} CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'} DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'} DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'} HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'} HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'} HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'} HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'} IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'} IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'} IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'} IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'} KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'} KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'} KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'} ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'} ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'} MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'} MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'} MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'} MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'} NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'} NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'} NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'} NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'} NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'} NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'} NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'} NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'} PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'} PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'} PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'} NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'} OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'} OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'} ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'} ZaqarWebSocketAdmin: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'} ZaqarWebSocketInternal: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'} ZaqarWebSocketPublic: {protocol: 'wss', port: '3000', host: 'CLOUDNAME'}