environments: - name: ssl/enable-tls title: Enable SSL on OpenStack Public Endpoints description: | Use this environment to pass in certificates for SSL deployments. For these values to take effect, one of the tls-endpoints-*.yaml environments must also be used. files: deployment/haproxy/haproxy-public-tls-inject.yaml: parameters: all deployment/horizon/horizon-container-puppet.yaml: parameters: - HorizonSecureCookies deployment/keystone/keystone-container-puppet.yaml: parameters: - PublicTLSCAFile static: # This should probably be private, but for testing static params I'm # setting it as such for now. - DeployedSSLCertificatePath sample_values: SSLCertificate: |- | The contents of your certificate go here SSLKey: |- | The contents of the private key go here HorizonSecureCookies: True PublicTLSCAFile: '' - name: ssl/enable-internal-tls title: Enable SSL on OpenStack Internal Endpoints description: | A Heat environment file which can be used to enable TLS for the internal network via certmonger files: common/post.yaml: parameters: - EnableInternalTLS deployment/nova/nova-base-puppet.yaml: parameters: - RpcUseSSL deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml: parameters: - NotifyUseSSL overcloud.yaml: parameters: - ServerMetadata static: - EnableInternalTLS - RpcUseSSL - NotifyUseSSL - ServerMetadata sample_values: EnableInternalTLS: True RpcUseSSL: True NotifyUseSSL: True ServerMetadata: |-2 ipa_enroll: True resource_registry: OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml # We use apache as a TLS proxy # FIXME(bogdando): switch it, once it is containerized OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml # FIXME(xek): after removal of novajoin, switch to using this service instead # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml # Creates nova metadata that will create the extra service principals per # node. OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml - name: ssl/inject-trust-anchor title: Inject SSL Trust Anchor on Overcloud Nodes description: | When using an SSL certificate signed by a CA that is not in the default list of CAs, this environment allows adding a custom CA certificate to the overcloud nodes. files: puppet/extraconfig/tls/ca-inject.yaml: parameters: - SSLRootCertificate sample_values: SSLRootCertificate: |- | The contents of your certificate go here resource_registry: OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml children: - name: ssl/inject-trust-anchor-hiera files: deployment/certs/ca-certs-baremetal-puppet.yaml: parameters: - CAMap # Need to clear this so we don't inherit the parent registry resource_registry: {} sample_values: CAMap: |-2 first-ca-name: content: | The content of the CA cert goes here second-ca-name: content: | The content of the CA cert goes here - name: ssl/tls-endpoints-public-ip title: Deploy Public SSL Endpoints as IP Addresses description: | Use this environment when deploying an SSL-enabled overcloud where the public endpoint is an IP address. files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap sample_values: # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'} BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'} BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'} BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'} CephDashboardInternal: {protocol: 'https', port: '8444', host: 'IP_ADDRESS'} CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'IP_ADDRESS'} CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'} CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'} DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'} DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'} DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'} GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'} HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'} HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'} HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'} IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'} IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'} IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'} IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'} KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'} KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'} KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'} MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'IP_ADDRESS'} MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'} MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'} MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'} MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'} NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'} NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'} NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'} NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'} NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'} NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'} NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'} PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'} PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'} NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'} OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'} SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} SaharaPublic: {protocol: 'https', port: '13386', host: 'IP_ADDRESS'} SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'} SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'} ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'} ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'} ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'IP_ADDRESS'} ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'} - name: ssl/tls-endpoints-public-dns title: Deploy Public SSL Endpoints as DNS Names description: | Use this environment when deploying an SSL-enabled overcloud where the public endpoint is a DNS name. files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap sample_values: # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'} BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'} BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'} CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'} CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'} CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'} DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'} DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'} IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'} IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'} IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'} KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'} KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'} MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'} MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'} MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'} MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'} NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'} NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'} NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'} NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'} NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'} PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'} PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'} NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'} SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'} ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'} ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'} ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'} ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'} - name: ssl/tls-everywhere-endpoints-dns title: Deploy All SSL Endpoints as DNS Names description: | Use this environment when deploying an overcloud where all the endpoints are DNS names and there's TLS in all endpoint types. files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap sample_values: # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'} AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'} AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'} BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'} BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'} CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'} CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'} CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'} DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'} DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'} HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'} HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'} HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'} HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} HeatUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'} IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'} IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'} IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'} IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'} IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} IronicUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'} KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'} KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} KeystoneUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'} ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'} ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'} MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'} MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'} MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'} MistralUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'} NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'} NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'} NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'} NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'} NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'} NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'} NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'} NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'} NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'} PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'} PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'} NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'} OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'} OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} SaharaAdmin: {protocol: 'https', port: '8386', host: 'CLOUDNAME'} SaharaInternal: {protocol: 'https', port: '8386', host: 'CLOUDNAME'} SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'} SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} SwiftUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'} ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'} ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'} ZaqarWebSocketAdmin: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'} ZaqarWebSocketInternal: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'} ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'} ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'CLOUDNAME'} - name: ssl/no-tls-endpoints-public-ip title: Deploy All Endpoints without TLS and with IP addresses description: | Use this environment when deploying an overcloud where all the endpoints not using TLS and are using IP addresses. files: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap deployment/haproxy/haproxy-container-puppet.yaml: parameters: - EnablePublicTLS deployment/haproxy/haproxy-pacemaker-puppet.yaml: parameters: - EnablePublicTLS deployment/haproxy/haproxy-container-puppet.yaml: parameters: - EnablePublicTLS sample_values: EnablePublicTLS: false # NOTE(bnemec): This is a bit odd, but it's the only way I've found that # works. The |-2 tells YAML to strip two spaces off the indentation of # the value, which because it's indented six spaces gets us to the four # that we actually want. Note that zero is not a valid value here, so # two seemed like the most sane option. EndpointMap: |-2 AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS} AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS} AodhPublic: {protocol: http, port: '8042', host: IP_ADDRESS} BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS} BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS} BarbicanPublic: {protocol: http, port: '9311', host: IP_ADDRESS} CephDashboardInternal: {protocol: http, port: '8444', host: IP_ADDRESS} CephGrafanaInternal: {protocol: http, port: '3100', host: IP_ADDRESS} CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS} CephRgwPublic: {protocol: http, port: '8080', host: IP_ADDRESS} CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS} CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS} CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS} DesignateAdmin: {protocol: 'http', port: '9001', host: IP_ADDRESS} DesignateInternal: {protocol: 'http', port: '9001', host: IP_ADDRESS} DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS} DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS} GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS} GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS} GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiPublic: {protocol: http, port: '8041', host: IP_ADDRESS} HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS} HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS} HeatPublic: {protocol: http, port: '8004', host: IP_ADDRESS} HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS} HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS} HeatCfnPublic: {protocol: http, port: '8000', host: IP_ADDRESS} HorizonPublic: {protocol: http, port: '80', host: IP_ADDRESS} IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS} IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS} IronicPublic: {protocol: http, port: '6385', host: IP_ADDRESS} IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS} IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS} IronicInspectorPublic: {protocol: http, port: '5050', host: IP_ADDRESS} IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS} KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS} KeystonePublic: {protocol: http, port: '5000', host: IP_ADDRESS} KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS} ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS} ManilaPublic: {protocol: http, port: '8786', host: IP_ADDRESS} MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: IP_ADDRESS} MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS} MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS} MistralPublic: {protocol: http, port: '8989', host: IP_ADDRESS} MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS} NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS} NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS} NeutronPublic: {protocol: http, port: '9696', host: IP_ADDRESS} NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS} NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS} NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS} NovajoinAdmin: {protocol: http, port: '9090', host: IP_ADDRESS} NovajoinInternal: {protocol: http, port: '9090', host: IP_ADDRESS} NovajoinPublic: {protocol: http, port: '9090', host: IP_ADDRESS} NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS} NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS} PlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS} PlacementPublic: {protocol: http, port: '8778', host: IP_ADDRESS} NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS} OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS} OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS} OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS} SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS} SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS} SaharaPublic: {protocol: http, port: '8386', host: IP_ADDRESS} SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftPublic: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS} ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarPublic: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS} ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS} ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: IP_ADDRESS} ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}