2cd9e44e66
Indicates that the nova-metadata API service has been deployed per-cell, so that we can have better performance and data isolation in a multi-cell deployment. Users should consider the use of this configuration depending on how neutron is setup. If networks span cells, you might need to run nova-metadata API service globally. If your networks are segmented along cell boundaries, then you can run nova-metadata API service per cell. Introduces a new endpoint_map entry NovaMetadataInternal. If NovaLocalMetadataPerCell is true, NovaMetadataCellInternal points to the local cell endpoint. If NovaLocalMetadataPerCell is false, NovaMetadataCellInternal points to the central control plane nova metadata endpoint. The NovaMetadataCellInternal endpoint is then used to configure the nova-metadata api endpoint the ovn metadata agent points to. Also removes setting the deprecated [DEFAULT]/nova_metadata_ip hiera key and only uses [DEFAULT]/nova_metadata_host for the ovn metadata agent. Depends-On: https://review.opendev.org/675070 Depends-On: https://review.opendev.org/650943 Change-Id: I78f6d30676ee166f84d8aca1609b376bb73e5f2c Closes-Bug: #1823760 Change-Id: I1e05230e4105a3706f0662b0c203137d05ebf3d8
environments:
-
  name: ssl/enable-tls
  title: Enable SSL on OpenStack Public Endpoints
  description: |
    Use this environment to pass in certificates for SSL deployments.
    For these values to take effect, one of the tls-endpoints-*.yaml
    environments must also be used.
  files:
    deployment/haproxy/haproxy-public-tls-inject.yaml:
      parameters: all
    deployment/horizon/horizon-container-puppet.yaml:
      parameters:
      - HorizonSecureCookies
  static:
  # Listed as static only to exercise static-parameter handling; the
  # original author notes this should probably be private instead.
  - DeployedSSLCertificatePath
  sample_values:
    # Both values are placeholders. In an environment filled in from this
    # sample, SSLKey holds the private key itself, so that file needs to be
    # handled as a secret (restrictive permissions, kept out of version
    # control).
    SSLCertificate: |-
      |
          The contents of your certificate go here
    SSLKey: |-
      |
          The contents of the private key go here
    HorizonSecureCookies: true
-
  name: ssl/enable-internal-tls
  title: Enable SSL on OpenStack Internal Endpoints
  description: |
    A Heat environment file which can be used to enable TLS for the internal
    network via certmonger
  files:
    common/post.yaml:
      parameters:
      - EnableInternalTLS
    deployment/nova/nova-base-puppet.yaml:
      parameters:
      - RpcUseSSL
    deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml:
      parameters:
      - NotifyUseSSL
    overcloud.yaml:
      parameters:
      - ServerMetadata
  static:
  - EnableInternalTLS
  - RpcUseSSL
  - NotifyUseSSL
  - ServerMetadata
  sample_values:
    EnableInternalTLS: true
    RpcUseSSL: true
    NotifyUseSSL: true
    # The explicit indentation indicator in |-2 lets the nested line keep
    # its extra leading spaces in the value.
    ServerMetadata: |-2

          ipa_enroll: True
  resource_registry:
    OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
    OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
    OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
    # Apache is used as the TLS proxy.
    # FIXME(bogdando): switch it, once it is containerized
    OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
    # The hooks below create nova metadata that in turn creates the extra
    # service principals per node, one hook per role.
    OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
    OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
    OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
    OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
    OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
- name: ssl/inject-trust-anchor
  title: Inject SSL Trust Anchor on Overcloud Nodes
  description: |
    When using an SSL certificate signed by a CA that is not in the default
    list of CAs, this environment allows adding a custom CA certificate to
    the overcloud nodes.
  files:
    puppet/extraconfig/tls/ca-inject.yaml:
      parameters:
      - SSLRootCertificate
  sample_values:
    # Placeholder for the CA certificate that the overcloud nodes should
    # trust; any certificate supplied here becomes a trust anchor on them.
    SSLRootCertificate: |-
      |
          The contents of your certificate go here
  resource_registry:
    OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
  children:
  - name: ssl/inject-trust-anchor-hiera
    files:
      deployment/certs/ca-certs-baremetal-puppet.yaml:
        parameters:
        - CAMap
    # Must be emptied explicitly, otherwise the child inherits the parent's
    # resource_registry.
    resource_registry: {}
    sample_values:
      # One entry per CA name, each carrying the certificate under "content".
      CAMap: |-2

            first-ca-name:
              content: |
                The content of the CA cert goes here
            second-ca-name:
              content: |
                The content of the CA cert goes here
-
  name: ssl/tls-endpoints-public-ip
  title: Deploy Public SSL Endpoints as IP Addresses
  description: |
    Use this environment when deploying an SSL-enabled overcloud where the public
    endpoint is an IP address.
  files:
    network/endpoints/endpoint_map.yaml:
      parameters:
      - EndpointMap
  sample_values:
    # NOTE(bnemec): the explicit indentation indicator in |-2 is deliberate.
    # The map lines sit six spaces past the key; two of those are consumed
    # as block indentation, leaving the four leading spaces the rendered
    # value needs. Zero is not a valid indicator, so two was the sanest
    # choice.
    #
    # In this map the *Public and *UIConfig entries are https/wss; the Admin
    # entries and most Internal entries are not.
    # NOTE(review): NovaMetadataInternal is 'https' here although the other
    # OpenStack API Internal entries (NovaInternal, NeutronInternal,
    # KeystoneInternal, ...) are 'http' - confirm this is intended for a
    # deployment that only enables TLS on the public endpoints.
    EndpointMap: |-2

          AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
          AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
          AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'}
          BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
          BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
          BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'}
          CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
          CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
          CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
          CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'}
          DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
          DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
          DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'}
          DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'}
          Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
          Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
          Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'IP_ADDRESS'}
          GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
          GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
          GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
          GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'}
          GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
          GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
          GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'}
          HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
          HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
          HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'}
          HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
          HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
          HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'}
          HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
          IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
          IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'}
          IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
          IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
          IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'}
          IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
          KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'}
          KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'}
          KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
          ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
          ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'}
          MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
          MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
          MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
          MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
          NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
          NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
          NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'}
          NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
          NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
          NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
          NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
          NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
          PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
          PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'}
          NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
          NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
          NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'}
          OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
          OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
          OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'}
          OpenDaylightAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
          OpenDaylightInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
          OvnDbInternal: {protocol: tcp, port: '6642', host: 'IP_ADDRESS'}
          PankoAdmin: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
          PankoInternal: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
          PankoPublic: {protocol: 'https', port: '13977', host: 'IP_ADDRESS'}
          SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
          SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
          SaharaPublic: {protocol: 'https', port: '13386', host: 'IP_ADDRESS'}
          SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
          SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          TackerAdmin: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
          TackerInternal: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
          TackerPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
          ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
          ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
          ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'}
          ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
          ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
          ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'IP_ADDRESS'}
          ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'}
-
  name: ssl/tls-endpoints-public-dns
  title: Deploy Public SSL Endpoints as DNS Names
  description: |
    Use this environment when deploying an SSL-enabled overcloud where the public
    endpoint is a DNS name.
  files:
    network/endpoints/endpoint_map.yaml:
      parameters:
      - EndpointMap
  sample_values:
    # NOTE(bnemec): the explicit indentation indicator in |-2 is deliberate.
    # The map lines sit six spaces past the key; two of those are consumed
    # as block indentation, leaving the four leading spaces the rendered
    # value needs. Zero is not a valid indicator, so two was the sanest
    # choice.
    #
    # In this map the *Public entries are https/wss on CLOUDNAME; the Admin
    # entries and most Internal entries stay on IP_ADDRESS without https.
    # NOTE(review): NovaMetadataInternal is 'https' here although the other
    # OpenStack API Internal entries (NovaInternal, NeutronInternal,
    # KeystoneInternal, ...) are 'http' - confirm this is intended for a
    # deployment that only enables TLS on the public endpoints.
    EndpointMap: |-2

          AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
          AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
          AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
          BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
          BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
          BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
          CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
          CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
          CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
          CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
          DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
          DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
          DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
          DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
          Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
          Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
          Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'}
          GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
          GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
          GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
          GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
          GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
          GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
          GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
          HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
          HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
          HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
          HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
          HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
          HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
          HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
          IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
          IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
          IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
          IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
          IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
          IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
          KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'}
          KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
          KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
          ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
          ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
          MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
          MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
          MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
          MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
          NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
          NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
          NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
          NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
          NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
          NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
          NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
          NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
          PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
          PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
          NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
          NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
          NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
          OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
          OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
          OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
          OpenDaylightAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
          OpenDaylightInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
          OvnDbInternal: {protocol: tcp, port: '6642', host: 'IP_ADDRESS'}
          PankoAdmin: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
          PankoInternal: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
          PankoPublic: {protocol: 'https', port: '13977', host: 'CLOUDNAME'}
          SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
          SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
          SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
          SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
          SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
          SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
          TackerAdmin: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
          TackerInternal: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
          TackerPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
          ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
          ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
          ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
          ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
          ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
          ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
          ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'}
-
  name: ssl/tls-everywhere-endpoints-dns
  title: Deploy All SSL Endpoints as DNS Names
  description: |
    Use this environment when deploying an overcloud where all the endpoints are
    DNS names and there's TLS in all endpoint types.
  files:
    network/endpoints/endpoint_map.yaml:
      parameters:
      - EndpointMap
  sample_values:
    # NOTE(bnemec): the explicit indentation indicator in |-2 is deliberate.
    # The map lines sit six spaces past the key; two of those are consumed
    # as block indentation, leaving the four leading spaces the rendered
    # value needs. Zero is not a valid indicator, so two was the sanest
    # choice.
    #
    # NOTE(review): despite the "TLS in all endpoint types" description,
    # IronicInspectorAdmin and IronicInspectorInternal are 'http' in this
    # map, and GaneshaInternal (nfs), OvnDbInternal (tcp) and MysqlInternal
    # (mysql+pymysql) are not https/wss schemes either. Confirm how those
    # paths are protected before treating a deployment built from this
    # sample as encrypted end to end.
    EndpointMap: |-2

          AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
          AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
          AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
          BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
          BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
          BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
          CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
          CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
          CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
          CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
          CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
          CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
          DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
          DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
          DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
          DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
          Ec2ApiAdmin: {protocol: 'https', port: '8788', host: 'CLOUDNAME'}
          Ec2ApiInternal: {protocol: 'https', port: '8788', host: 'CLOUDNAME'}
          Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'}
          GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
          GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
          GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
          GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
          GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
          GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
          GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
          HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
          HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
          HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
          HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
          HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
          HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
          HeatUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
          IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
          IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
          IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
          IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
          IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
          IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          IronicUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'}
          KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'}
          KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
          KeystoneUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
          ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
          ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
          MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
          MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
          MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
          MistralUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
          NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
          NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
          NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
          NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
          NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
          NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
          NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
          NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
          PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
          PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
          NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
          NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
          NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
          OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
          OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
          OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
          OpenDaylightAdmin: {protocol: 'https', port: '8081', host: 'CLOUDNAME'}
          OpenDaylightInternal: {protocol: 'https', port: '8081', host: 'CLOUDNAME'}
          OvnDbInternal: {protocol: tcp, port: '6642', host: 'IP_ADDRESS'}
          PankoAdmin: {protocol: 'https', port: '8977', host: 'CLOUDNAME'}
          PankoInternal: {protocol: 'https', port: '8977', host: 'CLOUDNAME'}
          PankoPublic: {protocol: 'https', port: '13977', host: 'CLOUDNAME'}
          SaharaAdmin: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
          SaharaInternal: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
          SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
          SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
          SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
          SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
          SwiftUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
          TackerAdmin: {protocol: 'https', port: '9890', host: 'CLOUDNAME'}
          TackerInternal: {protocol: 'https', port: '9890', host: 'CLOUDNAME'}
          TackerPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
          ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
          ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
          ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
          ZaqarWebSocketAdmin: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
          ZaqarWebSocketInternal: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
          ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
          ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'CLOUDNAME'}
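-
  name: ssl/no-tls-endpoints-public-ip
  title: Deploy All Endpoints without TLS and with IP addresses
  description: |
    Use this environment when deploying an overcloud where all the endpoints not
    using TLS and are using IP addresses.
  files:
    network/endpoints/endpoint_map.yaml:
      parameters:
      - EndpointMap
    # Each template appears once: mapping keys must be unique, and a
    # repeated key is silently collapsed to its last value by most parsers.
    deployment/haproxy/haproxy-container-puppet.yaml:
      parameters:
      - EnablePublicTLS
    deployment/haproxy/haproxy-pacemaker-puppet.yaml:
      parameters:
      - EnablePublicTLS
  sample_values:
    # With EnablePublicTLS false and every entry in the map below on
    # http/ws (including KeystonePublic and HorizonPublic), API traffic on
    # the public network is unencrypted.
    EnablePublicTLS: false
    # NOTE(bnemec): the explicit indentation indicator in |-2 is deliberate.
    # The map lines sit six spaces past the key; two of those are consumed
    # as block indentation, leaving the four leading spaces the rendered
    # value needs. Zero is not a valid indicator, so two was the sanest
    # choice.
    EndpointMap: |-2

          AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
          AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
          AodhPublic: {protocol: http, port: '8042', host: IP_ADDRESS}
          BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
          BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
          BarbicanPublic: {protocol: http, port: '9311', host: IP_ADDRESS}
          CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
          CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
          CephRgwPublic: {protocol: http, port: '8080', host: IP_ADDRESS}
          CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
          CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
          CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS}
          DesignateAdmin: {protocol: 'http', port: '9001', host: IP_ADDRESS}
          DesignateInternal: {protocol: 'http', port: '9001', host: IP_ADDRESS}
          DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS}
          DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
          Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS}
          Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS}
          Ec2ApiPublic: {protocol: http, port: '8788', host: IP_ADDRESS}
          GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
          GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
          GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
          GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS}
          GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
          GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
          GnocchiPublic: {protocol: http, port: '8041', host: IP_ADDRESS}
          HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
          HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
          HeatPublic: {protocol: http, port: '8004', host: IP_ADDRESS}
          HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
          HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
          HeatCfnPublic: {protocol: http, port: '8000', host: IP_ADDRESS}
          HorizonPublic: {protocol: http, port: '80', host: IP_ADDRESS}
          IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
          IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
          IronicPublic: {protocol: http, port: '6385', host: IP_ADDRESS}
          IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
          IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
          IronicInspectorPublic: {protocol: http, port: '5050', host: IP_ADDRESS}
          IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
          KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
          KeystonePublic: {protocol: http, port: '5000', host: IP_ADDRESS}
          KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
          ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
          ManilaPublic: {protocol: http, port: '8786', host: IP_ADDRESS}
          MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
          MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
          MistralPublic: {protocol: http, port: '8989', host: IP_ADDRESS}
          MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
          NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
          NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
          NeutronPublic: {protocol: http, port: '9696', host: IP_ADDRESS}
          NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
          NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
          NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS}
          NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS}
          NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
          PlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
          PlacementPublic: {protocol: http, port: '8778', host: IP_ADDRESS}
          NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
          NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
          NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS}
          OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
          OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
          OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS}
          OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS}
          OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS}
          OvnDbInternal: {protocol: tcp, port: '6642', host: IP_ADDRESS}
          PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS}
          PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS}
          PankoPublic: {protocol: http, port: '8977', host: IP_ADDRESS}
          SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
          SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
          SaharaPublic: {protocol: http, port: '8386', host: IP_ADDRESS}
          SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
          SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
          SwiftPublic: {protocol: http, port: '8080', host: IP_ADDRESS}
          SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
          TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS}
          TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS}
          TackerPublic: {protocol: http, port: '9890', host: IP_ADDRESS}
          ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
          ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
          ZaqarPublic: {protocol: http, port: '8888', host: IP_ADDRESS}
          ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
          ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
          ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: IP_ADDRESS}
          ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}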