tripleo-heat-templates/sample-env-generator/ssl.yaml
Takashi Kajinami 20230cd597 Remove support for the novajoin service
... because it was deprecated during Wallaby cycle by [1].

[1] bf910512c3

Change-Id: Ib9379b2fdb24773eb38c4baec18c1d50aa60d2f4
2022-03-13 23:34:42 +09:00

281 lines
16 KiB
YAML

environments:
-
name: ssl/enable-tls
title: Enable SSL on OpenStack Public Endpoints
description: |
Use this environment to pass in certificates for SSL deployments.
For these values to take effect, one of the tls-endpoints-*.yaml
environments must also be used.
files:
deployment/haproxy/haproxy-public-tls-inject.yaml:
parameters: all
deployment/horizon/horizon-container-puppet.yaml:
parameters:
- HorizonSecureCookies
deployment/keystone/keystone-container-puppet.yaml:
parameters:
- PublicTLSCAFile
static:
# This should probably be private, but for testing static params I'm
# setting it as such for now.
- DeployedSSLCertificatePath
sample_values:
SSLCertificate: |-
|
The contents of your certificate go here
SSLKey: |-
|
The contents of the private key go here
HorizonSecureCookies: True
PublicTLSCAFile: ''
-
name: ssl/enable-internal-tls
title: Enable SSL on OpenStack Internal Endpoints
description: |
A Heat environment file which can be used to enable TLS for the internal
network via certmonger
files:
common/post.yaml:
parameters:
- EnableInternalTLS
deployment/nova/nova-base-puppet.yaml:
parameters:
- RpcUseSSL
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml:
parameters:
- NotifyUseSSL
overcloud.yaml:
parameters:
- ServerMetadata
static:
- EnableInternalTLS
- RpcUseSSL
- NotifyUseSSL
- ServerMetadata
sample_values:
EnableInternalTLS: True
RpcUseSSL: True
NotifyUseSSL: True
ServerMetadata: |-2
ipa_enroll: True
resource_registry:
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
# Creates nova metadata that will create the extra service principals per
# node.
OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
- name: ssl/inject-trust-anchor
title: Inject SSL Trust Anchor on Overcloud Nodes
description: |
When using an SSL certificate signed by a CA that is not in the default
list of CAs, this environment allows adding a custom CA certificate to
the overcloud nodes.
files:
puppet/extraconfig/tls/ca-inject.yaml:
parameters:
- SSLRootCertificate
sample_values:
SSLRootCertificate: |-
|
The contents of your certificate go here
resource_registry:
OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
children:
- name: ssl/inject-trust-anchor-hiera
files:
deployment/certs/ca-certs-baremetal-puppet.yaml:
parameters:
- CAMap
# Need to clear this so we don't inherit the parent registry
resource_registry: {}
sample_values:
CAMap: |-2
first-ca-name:
content: |
The content of the CA cert goes here
second-ca-name:
content: |
The content of the CA cert goes here
-
name: ssl/tls-endpoints-public-ip
title: Deploy Public SSL Endpoints as IP Addresses
description: |
Use this environment when deploying an SSL-enabled overcloud where the public
endpoint is an IP address.
parameter_merge_strategies:
EndpointMap: merge
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
sample_values:
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'}
BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'}
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'IP_ADDRESS'}
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'IP_ADDRESS'}
CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'}
DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'}
GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'}
GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'}
HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'}
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'}
HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'}
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'}
KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'}
NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'}
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'}
SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
-
name: ssl/tls-endpoints-public-dns
title: Deploy Public SSL Endpoints as DNS Names
description: |
Use this environment when deploying an SSL-enabled overcloud where the public
endpoint is a DNS name.
parameter_merge_strategies:
EndpointMap: merge
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
sample_values:
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'}
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'}
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'}
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
-
name: ssl/tls-everywhere-endpoints-dns
title: Deploy All SSL Endpoints as DNS Names
description: |
Use this environment when deploying an overcloud where all the endpoints are
DNS names and there's TLS in all endpoint types.
parameter_merge_strategies:
EndpointMap: merge
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
sample_values:
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'}
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'}
CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'}
KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'}
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}