a263da138f
Now someone can override individual endpoints like below in an environment: parameter_merge_strategies: EndpointMap: merge parameter_defaults: EndpointMap: AodhPublic: protocol: http port: 9999 host: 121.21.2.1 Closes-Bug: #1897592 Change-Id: Ibf2e0d183dd51421c4feb7467c3c01fb416d2965
301 lines
17 KiB
YAML
301 lines
17 KiB
YAML
environments:
|
|
-
|
|
name: ssl/enable-tls
|
|
title: Enable SSL on OpenStack Public Endpoints
|
|
description: |
|
|
Use this environment to pass in certificates for SSL deployments.
|
|
For these values to take effect, one of the tls-endpoints-*.yaml
|
|
environments must also be used.
|
|
files:
|
|
deployment/haproxy/haproxy-public-tls-inject.yaml:
|
|
parameters: all
|
|
deployment/horizon/horizon-container-puppet.yaml:
|
|
parameters:
|
|
- HorizonSecureCookies
|
|
deployment/keystone/keystone-container-puppet.yaml:
|
|
parameters:
|
|
- PublicTLSCAFile
|
|
static:
|
|
# This should probably be private, but for testing static params I'm
|
|
# setting it as such for now.
|
|
- DeployedSSLCertificatePath
|
|
sample_values:
|
|
SSLCertificate: |-
|
|
|
|
|
The contents of your certificate go here
|
|
SSLKey: |-
|
|
|
|
|
The contents of the private key go here
|
|
HorizonSecureCookies: True
|
|
PublicTLSCAFile: ''
|
|
-
|
|
name: ssl/enable-internal-tls
|
|
title: Enable SSL on OpenStack Internal Endpoints
|
|
description: |
|
|
A Heat environment file which can be used to enable TLS for the internal
|
|
network via certmonger
|
|
files:
|
|
common/post.yaml:
|
|
parameters:
|
|
- EnableInternalTLS
|
|
deployment/nova/nova-base-puppet.yaml:
|
|
parameters:
|
|
- RpcUseSSL
|
|
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml:
|
|
parameters:
|
|
- NotifyUseSSL
|
|
overcloud.yaml:
|
|
parameters:
|
|
- ServerMetadata
|
|
static:
|
|
- EnableInternalTLS
|
|
- RpcUseSSL
|
|
- NotifyUseSSL
|
|
- ServerMetadata
|
|
sample_values:
|
|
EnableInternalTLS: True
|
|
RpcUseSSL: True
|
|
NotifyUseSSL: True
|
|
ServerMetadata: |-2
|
|
|
|
ipa_enroll: True
|
|
resource_registry:
|
|
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
|
|
# We use apache as a TLS proxy
|
|
# FIXME(bogdando): switch it, once it is containerized
|
|
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
|
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
|
# Creates nova metadata that will create the extra service principals per
|
|
# node.
|
|
OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
|
|
OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
|
|
OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
|
|
OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
|
|
OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
|
|
- name: ssl/inject-trust-anchor
|
|
title: Inject SSL Trust Anchor on Overcloud Nodes
|
|
description: |
|
|
When using an SSL certificate signed by a CA that is not in the default
|
|
list of CAs, this environment allows adding a custom CA certificate to
|
|
the overcloud nodes.
|
|
files:
|
|
puppet/extraconfig/tls/ca-inject.yaml:
|
|
parameters:
|
|
- SSLRootCertificate
|
|
sample_values:
|
|
SSLRootCertificate: |-
|
|
|
|
|
The contents of your certificate go here
|
|
resource_registry:
|
|
OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
|
|
children:
|
|
- name: ssl/inject-trust-anchor-hiera
|
|
files:
|
|
deployment/certs/ca-certs-baremetal-puppet.yaml:
|
|
parameters:
|
|
- CAMap
|
|
# Need to clear this so we don't inherit the parent registry
|
|
resource_registry: {}
|
|
sample_values:
|
|
CAMap: |-2
|
|
|
|
first-ca-name:
|
|
content: |
|
|
The content of the CA cert goes here
|
|
second-ca-name:
|
|
content: |
|
|
The content of the CA cert goes here
|
|
-
|
|
name: ssl/tls-endpoints-public-ip
|
|
title: Deploy Public SSL Endpoints as IP Addresses
|
|
description: |
|
|
Use this environment when deploying an SSL-enabled overcloud where the public
|
|
endpoint is an IP address.
|
|
parameter_merge_strategies:
|
|
EndpointMap: merge
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
sample_values:
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'}
|
|
BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'}
|
|
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'IP_ADDRESS'}
|
|
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'IP_ADDRESS'}
|
|
CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
|
|
CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'}
|
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'}
|
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'}
|
|
GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'}
|
|
GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'}
|
|
HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'}
|
|
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'}
|
|
HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
|
|
IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'}
|
|
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'}
|
|
KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'}
|
|
ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'}
|
|
MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
|
|
NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'}
|
|
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
|
|
NovajoinPublic: {protocol: 'https', port: '13090', host: 'IP_ADDRESS'}
|
|
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
|
|
PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'}
|
|
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'}
|
|
OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'}
|
|
SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
|
|
ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'}
|
|
ZaqarWebSocketPublic: {protocol: 'wss', port: '3000', host: 'IP_ADDRESS'}
|
|
-
|
|
name: ssl/tls-endpoints-public-dns
|
|
title: Deploy Public SSL Endpoints as DNS Names
|
|
description: |
|
|
Use this environment when deploying an SSL-enabled overcloud where the public
|
|
endpoint is a DNS name.
|
|
parameter_merge_strategies:
|
|
EndpointMap: merge
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
sample_values:
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
|
|
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
|
|
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'}
|
|
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'}
|
|
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
|
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
|
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
|
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
|
|
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
|
|
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
|
|
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
|
|
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
|
|
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
|
|
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
|
|
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'}
|
|
MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
|
|
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
|
|
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
|
|
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
|
|
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
|
|
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
|
|
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
|
|
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketPublic: {protocol: 'wss', port: '3000', host: 'CLOUDNAME'}
|
|
-
|
|
name: ssl/tls-everywhere-endpoints-dns
|
|
title: Deploy All SSL Endpoints as DNS Names
|
|
description: |
|
|
Use this environment when deploying an overcloud where all the endpoints are
|
|
DNS names and there's TLS in all endpoint types.
|
|
parameter_merge_strategies:
|
|
EndpointMap: merge
|
|
files:
|
|
network/endpoints/endpoint_map.yaml:
|
|
parameters:
|
|
- EndpointMap
|
|
sample_values:
|
|
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
|
|
# works. The |-2 tells YAML to strip two spaces off the indentation of
|
|
# the value, which because it's indented six spaces gets us to the four
|
|
# that we actually want. Note that zero is not a valid value here, so
|
|
# two seemed like the most sane option.
|
|
EndpointMap: |-2
|
|
|
|
AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
|
|
AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
|
|
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
|
|
BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
|
|
BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
|
|
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
|
|
CephDashboardInternal: {protocol: 'https', port: '8444', host: 'CLOUDNAME'}
|
|
CephGrafanaInternal: {protocol: 'https', port: '3100', host: 'CLOUDNAME'}
|
|
CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
|
|
CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
|
|
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
|
|
DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
|
|
DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
|
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
|
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
|
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
|
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
|
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
|
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
|
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
|
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
|
|
HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
|
|
HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
|
|
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
|
|
HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
|
|
HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
|
|
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
|
|
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
|
|
IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
|
|
IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
|
|
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
|
|
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
|
|
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
|
|
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
|
|
KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'}
|
|
KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'}
|
|
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
|
|
ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
|
|
ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
|
|
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
|
|
MetricsQdrPublic: {protocol: 'amqp', port: '5666', host: 'CLOUDNAME'}
|
|
MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
|
|
MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
|
|
MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
|
|
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
|
|
NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
|
|
NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
|
|
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
|
|
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
|
|
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
|
|
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
|
|
NovajoinAdmin: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
|
|
NovajoinInternal: {protocol: 'https', port: '9090', host: 'CLOUDNAME'}
|
|
NovajoinPublic: {protocol: 'https', port: '13090', host: 'CLOUDNAME'}
|
|
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
|
|
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
|
|
PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
|
|
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
|
|
NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
|
|
NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
|
|
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
|
|
OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
|
|
OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
|
|
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
|
|
SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
|
|
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
|
|
ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
|
|
ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
|
|
ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketAdmin: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketInternal: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
|
|
ZaqarWebSocketPublic: {protocol: 'wss', port: '3000', host: 'CLOUDNAME'}
|