ae68c90b92
This new role is used to register nodes as ipa-clients and configure the services required in IPA using ansible, rather than using novajoin. This is required on the standalone environment, where there is no novajoin. It will also be the implementation used when nova is removed from the undercloud and for pre-provisioned nodes. The existing IpaClient composable service will be removed in a future release. This code replaces the server ipaclient-baremetal-ansible by using a role from freeipa-ansible to register the nodes (controllers, computes) as ipa-clients. In external_tasks, the host entry is created and an otp is stored as a host variable. In deploy_step_tasks, this otp is used to register the node. The IPA configuration tasks are delegated to http://opendev.org/x/tripleo-ipa roles. Co-Authored-By: Grzegorz Grasza <xek@redhat.com> Change-Id: I7dcd4608d3998596c2e4da19a8eca0d48e1fa841
541 lines
35 KiB
YAML
541 lines
35 KiB
YAML
environments:
|
|
-
|
|
name: ssl/enable-tls
|
|
title: Enable SSL on OpenStack Public Endpoints
|
|
description: |
|
|
Use this environment to pass in certificates for SSL deployments.
|
|
For these values to take effect, one of the tls-endpoints-*.yaml
|
|
environments must also be used.
|
|
files:
|
|
deployment/haproxy/haproxy-public-tls-inject.yaml:
|
|
parameters: all
|
|
deployment/horizon/horizon-container-puppet.yaml:
|
|
parameters:
|
|
- HorizonSecureCookies
|
|
static:
|
|
# This should probably be private, but for testing static params I'm
|
|
# setting it as such for now.
|
|
- DeployedSSLCertificatePath
|
|
sample_values:
|
|
SSLCertificate: |-
|
|
|
|
|
The contents of your certificate go here
|
|
SSLKey: |-
|
|
|
|
|
The contents of the private key go here
|
|
HorizonSecureCookies: True
|
|
-
|
|
name: ssl/enable-internal-tls
|
|
title: Enable SSL on OpenStack Internal Endpoints
|
|
description: |
|
|
A Heat environment file which can be used to enable TLS for the internal
|
|
network via certmonger
|
|
files:
|
|
common/post.yaml:
|
|
parameters:
|
|
- EnableInternalTLS
|
|
deployment/nova/nova-base-puppet.yaml:
|
|
parameters:
|
|
- RpcUseSSL
|
|
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml:
|
|
parameters:
|
|
- NotifyUseSSL
|
|
overcloud.yaml:
|
|
parameters:
|
|
- ServerMetadata
|
|
static:
|
|
- EnableInternalTLS
|
|
- RpcUseSSL
|
|
- NotifyUseSSL
|
|
- ServerMetadata
|
|
sample_values:
|
|
EnableInternalTLS: True
|
|
RpcUseSSL: True
|
|
NotifyUseSSL: True
|
|
ServerMetadata: |-2
|
|
|
|
ipa_enroll: True
|
|
resource_registry:
|
|
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
|
|
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
|
|
# We use apache as a TLS proxy
|
|
# FIXME(bogdando): switch it, once it is containerized
|
|
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
|
|
# FIXME(xek): after removal of novajoin, switch to using this service instead
|
|
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
|
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
# Creates nova metadata that will create the extra service principals per
|
|
# node.
|
|
OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
|
|
OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
|
|
OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
|
|
OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
|
|
OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
|
|
- name: ssl/inject-trust-anchor
|
|
title: Inject SSL Trust Anchor on Overcloud Nodes
|
|
description: |
|
|
When using an SSL certificate signed by a CA that is not in the default
|
|
list of CAs, this environment allows adding a custom CA certificate to
|
|
the overcloud nodes.
|
|
files:
|
|
puppet/extraconfig/tls/ca-inject.yaml:
|
|
parameters:
|
|
- SSLRootCertificate
|
|
sample_values:
|
|
SSLRootCertificate: |-
|
|
|
|
|
The contents of your certificate go here
|
|
resource_registry:
|
|
OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
|
|
children:
|
|
- name: ssl/inject-trust-anchor-hiera
|
|
files:
|
|
deployment/certs/ca-certs-baremetal-puppet.yaml:
|
|
parameters:
|
|
- CAMap
|
|
# Need to clear this so we don't inherit the parent registry
|
|
resource_registry: {}
|
|
sample_values:
|
|
CAMap: |-2
|
|
|
|
first-ca-name:
|
|
content: |
|
|
The content of the CA cert goes here
|
|
second-ca-name:
|
|
content: |
|
|
The content of the CA cert goes here
|
|
-
|
|
name: ssl/tls-endpoints-public-ip
|
|
title: Deploy Public SSL Endpoints as IP Addresses
|
|
description: |
|
|
Use this environment when deploying an SSL-enabled overcloud where the public
|
|
endpoint is an IP address.
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
sample_values:
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
|
|
AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
|
|
AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'}
|
|
BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
|
|
BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
|
|
BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'}
|
|
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'IP_ADDRESS'}
|
|
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'IP_ADDRESS'}
|
|
CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
|
|
CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
|
|
CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
|
|
CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'}
|
|
DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
|
|
DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
|
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'}
|
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'}
|
|
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
|
GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
|
|
GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
|
|
GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'}
|
|
GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
|
|
GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
|
|
GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'}
|
|
HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
|
|
HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
|
|
HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'}
|
|
HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
|
|
HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
|
|
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'}
|
|
HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
|
|
IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
|
|
IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'}
|
|
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
|
|
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
|
|
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'}
|
|
IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
|
|
KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'}
|
|
KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'}
|
|
KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
|
|
ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
|
|
ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'}
|
|
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'IP_ADDRESS'}
|
|
MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
|
|
MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
|
|
MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
|
|
MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
|
|
NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
|
|
NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
|
|
NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'}
|
|
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
|
|
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
|
|
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
|
|
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
|
|
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
|
|
NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'}
|
|
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
|
|
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
|
|
PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
|
|
PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'}
|
|
NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
|
|
NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
|
|
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'}
|
|
OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
|
|
OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
|
|
OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'}
|
|
SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
|
|
SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
|
|
SaharaPublic: {protocol: 'https', port: '13386', host: 'IP_ADDRESS'}
|
|
SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
|
|
SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
|
|
ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
|
|
ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'}
|
|
-
|
|
name: ssl/tls-endpoints-public-dns
|
|
title: Deploy Public SSL Endpoints as DNS Names
|
|
description: |
|
|
Use this environment when deploying an SSL-enabled overcloud where the public
|
|
endpoint is a DNS name.
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
sample_values:
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
|
|
AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
|
|
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
|
|
BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
|
|
BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
|
|
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
|
|
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'}
|
|
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'}
|
|
CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
|
|
CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
|
|
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
|
|
DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
|
|
DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
|
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
|
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
|
GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
|
|
GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
|
|
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
|
GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
|
|
GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
|
|
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
|
|
HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
|
|
HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
|
|
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
|
|
HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
|
|
HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
|
|
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
|
|
HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
|
|
IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
|
|
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
|
|
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
|
|
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
|
|
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
|
|
IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
|
|
KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'}
|
|
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
|
|
KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
|
|
ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
|
|
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
|
|
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'}
|
|
MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
|
|
MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
|
|
MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
|
|
MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
|
|
NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
|
|
NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
|
|
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
|
|
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
|
|
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
|
|
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
|
|
NovajoinAdmin: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
|
|
NovajoinInternal: {protocol: 'http', port: '9090', host: 'IP_ADDRESS'}
|
|
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
|
|
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
|
|
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
|
|
PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
|
|
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
|
|
NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
|
|
NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
|
|
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
|
|
OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
|
|
OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
|
|
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
|
|
SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
|
|
SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
|
|
SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
|
|
SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
|
|
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
|
|
ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
|
|
ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'}
|
|
-
|
|
name: ssl/tls-everywhere-endpoints-dns
|
|
title: Deploy All SSL Endpoints as DNS Names
|
|
description: |
|
|
Use this environment when deploying an overcloud where all the endpoints are
|
|
DNS names and there's TLS in all endpoint types.
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
sample_values:
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
|
|
AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
|
|
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
|
|
BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
|
|
BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
|
|
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
|
|
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'}
|
|
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'}
|
|
CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
|
|
CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
|
|
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
|
|
DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
|
|
DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
|
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
|
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
|
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
|
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
|
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
|
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
|
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
|
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
|
|
HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
|
|
HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
|
|
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
|
|
HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
|
|
HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
|
|
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
|
|
HeatUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
|
|
IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
|
|
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
|
|
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
|
|
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
|
|
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
|
|
IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
IronicUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'}
|
|
KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'}
|
|
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
|
|
KeystoneUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
|
|
ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
|
|
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
|
|
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'}
|
|
MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
|
|
MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
|
|
MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
|
|
MistralUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
|
|
NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
|
|
NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
|
|
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
|
|
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
|
|
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
|
|
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
|
|
NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
|
|
NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
|
|
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
|
|
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
|
|
NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
|
|
PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
|
|
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
|
|
NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
|
|
NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
|
|
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
|
|
OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
|
|
OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
|
|
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
|
|
SaharaAdmin: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
|
|
SaharaInternal: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
|
|
SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
|
|
SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
SwiftUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
|
|
ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
|
|
ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketAdmin: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketInternal: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'CLOUDNAME'}
|
|
-
|
|
name: ssl/no-tls-endpoints-public-ip
|
|
title: Deploy All Endpoints without TLS and with IP addresses
|
|
description: |
|
|
Use this environment when deploying an overcloud where all the endpoints not
|
|
using TLS and are using IP addresses.
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
deployment/haproxy/haproxy-container-puppet.yaml:
|
|
parameters:
|
|
- EnablePublicTLS
|
|
deployment/haproxy/haproxy-pacemaker-puppet.yaml:
|
|
parameters:
|
|
- EnablePublicTLS
|
|
deployment/haproxy/haproxy-container-puppet.yaml:
|
|
parameters:
|
|
- EnablePublicTLS
|
|
sample_values:
|
|
EnablePublicTLS: false
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
|
|
AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
|
|
AodhPublic: {protocol: http, port: '8042', host: IP_ADDRESS}
|
|
BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
|
|
BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
|
|
BarbicanPublic: {protocol: http, port: '9311', host: IP_ADDRESS}
|
|
CephDashboardInternal: {protocol: http, port: '8444', host: IP_ADDRESS}
|
|
CephGrafanaInternal: {protocol: http, port: '3100', host: IP_ADDRESS}
|
|
CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
|
|
CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
|
|
CephRgwPublic: {protocol: http, port: '8080', host: IP_ADDRESS}
|
|
CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
|
|
CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
|
|
CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS}
|
|
DesignateAdmin: {protocol: 'http', port: '9001', host: IP_ADDRESS}
|
|
DesignateInternal: {protocol: 'http', port: '9001', host: IP_ADDRESS}
|
|
DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS}
|
|
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
|
|
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
|
|
GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
|
|
GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
|
|
GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS}
|
|
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
|
|
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
|
|
GnocchiPublic: {protocol: http, port: '8041', host: IP_ADDRESS}
|
|
HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
|
|
HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
|
|
HeatPublic: {protocol: http, port: '8004', host: IP_ADDRESS}
|
|
HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
|
|
HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
|
|
HeatCfnPublic: {protocol: http, port: '8000', host: IP_ADDRESS}
|
|
HorizonPublic: {protocol: http, port: '80', host: IP_ADDRESS}
|
|
IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
|
|
IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
|
|
IronicPublic: {protocol: http, port: '6385', host: IP_ADDRESS}
|
|
IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
|
|
IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
|
|
IronicInspectorPublic: {protocol: http, port: '5050', host: IP_ADDRESS}
|
|
IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
|
|
KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
|
|
KeystonePublic: {protocol: http, port: '5000', host: IP_ADDRESS}
|
|
KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
|
|
ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
|
|
ManilaPublic: {protocol: http, port: '8786', host: IP_ADDRESS}
|
|
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: IP_ADDRESS}
|
|
MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
|
|
MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
|
|
MistralPublic: {protocol: http, port: '8989', host: IP_ADDRESS}
|
|
MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
|
|
NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
|
|
NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
|
|
NeutronPublic: {protocol: http, port: '9696', host: IP_ADDRESS}
|
|
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
|
|
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
|
|
NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS}
|
|
NovajoinAdmin: {protocol: http, port: '9090', host: IP_ADDRESS}
|
|
NovajoinInternal: {protocol: http, port: '9090', host: IP_ADDRESS}
|
|
NovajoinPublic: {protocol: http, port: '9090', host: IP_ADDRESS}
|
|
NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS}
|
|
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
|
|
PlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
|
|
PlacementPublic: {protocol: http, port: '8778', host: IP_ADDRESS}
|
|
NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
|
|
NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
|
|
NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS}
|
|
OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
|
|
OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
|
|
OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS}
|
|
SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
|
|
SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
|
|
SaharaPublic: {protocol: http, port: '8386', host: IP_ADDRESS}
|
|
SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
|
|
SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
|
|
SwiftPublic: {protocol: http, port: '8080', host: IP_ADDRESS}
|
|
SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
|
|
ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
|
|
ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
|
|
ZaqarPublic: {protocol: http, port: '8888', host: IP_ADDRESS}
|
|
ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
|
|
ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
|
|
ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: IP_ADDRESS}
|
|
ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}
|