tripleo-heat-templates/sample-env-generator/ssl.yaml
Martin Schuppert 2cd9e44e66 Add NovaLocalMetadataPerCell cell support
Indicates that the nova-metadata API service has been deployed
per-cell, so that we can have better performance and data isolation
in a multi-cell deployment. Users should consider the use of this
configuration depending on how neutron is setup. If networks span
cells, you might need to run nova-metadata API service globally.
If your networks are segmented along cell boundaries, then you can
run nova-metadata API service per cell.

Introduces a new endpoint_map entry NovaMetadataInternal.

If NovaLocalMetadataPerCell is true, NovaMetadataCellInternal points
to the local cell endpoint.

If NovaLocalMetadataPerCell is false, NovaMetadataCellInternal points
to the central control plane nova metadata endpoint.

The NovaMetadataCellInternal endpoint is then used to configure the
nova-metadata api endpoint the ovn metadata agent points to.

Also removes setting the deprecated [DEFAULT]/nova_metadata_ip
hiera key and only uses [DEFAULT]/nova_metadata_host for the ovn
metadata agent.

Depends-On: https://review.opendev.org/675070
Depends-On: https://review.opendev.org/650943
Change-Id: I78f6d30676ee166f84d8aca1609b376bb73e5f2c
Closes-Bug: #1823760

Change-Id: I1e05230e4105a3706f0662b0c203137d05ebf3d8
2019-08-12 17:42:51 +02:00

564 lines
37 KiB
YAML

environments:
-
name: ssl/enable-tls
title: Enable SSL on OpenStack Public Endpoints
description: |
Use this environment to pass in certificates for SSL deployments.
For these values to take effect, one of the tls-endpoints-*.yaml
environments must also be used.
files:
deployment/haproxy/haproxy-public-tls-inject.yaml:
parameters: all
deployment/horizon/horizon-container-puppet.yaml:
parameters:
- HorizonSecureCookies
static:
# This should probably be private, but for testing static params I'm
# setting it as such for now.
- DeployedSSLCertificatePath
sample_values:
SSLCertificate: |-
|
The contents of your certificate go here
SSLKey: |-
|
The contents of the private key go here
HorizonSecureCookies: True
-
name: ssl/enable-internal-tls
title: Enable SSL on OpenStack Internal Endpoints
description: |
A Heat environment file which can be used to enable TLS for the internal
network via certmonger
files:
common/post.yaml:
parameters:
- EnableInternalTLS
deployment/nova/nova-base-puppet.yaml:
parameters:
- RpcUseSSL
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml:
parameters:
- NotifyUseSSL
overcloud.yaml:
parameters:
- ServerMetadata
static:
- EnableInternalTLS
- RpcUseSSL
- NotifyUseSSL
- ServerMetadata
sample_values:
EnableInternalTLS: True
RpcUseSSL: True
NotifyUseSSL: True
ServerMetadata: |-2
ipa_enroll: True
resource_registry:
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
# We use apache as a TLS proxy
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
# Creates nova metadata that will create the extra service principals per
# node.
OS::TripleO::ControllerServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/controller-role.yaml
OS::TripleO::ComputeServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/compute-role.yaml
OS::TripleO::BlockStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/blockstorage-role.yaml
OS::TripleO::ObjectStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/objectstorage-role.yaml
OS::TripleO::CephStorageServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/cephstorage-role.yaml
- name: ssl/inject-trust-anchor
title: Inject SSL Trust Anchor on Overcloud Nodes
description: |
When using an SSL certificate signed by a CA that is not in the default
list of CAs, this environment allows adding a custom CA certificate to
the overcloud nodes.
files:
puppet/extraconfig/tls/ca-inject.yaml:
parameters:
- SSLRootCertificate
sample_values:
SSLRootCertificate: |-
|
The contents of your certificate go here
resource_registry:
OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
children:
- name: ssl/inject-trust-anchor-hiera
files:
deployment/certs/ca-certs-baremetal-puppet.yaml:
parameters:
- CAMap
# Need to clear this so we don't inherit the parent registry
resource_registry: {}
sample_values:
CAMap: |-2
first-ca-name:
content: |
The content of the CA cert goes here
second-ca-name:
content: |
The content of the CA cert goes here
-
name: ssl/tls-endpoints-public-ip
title: Deploy Public SSL Endpoints as IP Addresses
description: |
Use this environment when deploying an SSL-enabled overcloud where the public
endpoint is an IP address.
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
sample_values:
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'}
BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
BarbicanPublic: {protocol: 'https', port: '13311', host: 'IP_ADDRESS'}
CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
CephRgwPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'}
DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
DesignatePublic: {protocol: 'https', port: '13001', host: 'IP_ADDRESS'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'IP_ADDRESS'}
Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'IP_ADDRESS'}
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'}
GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'}
HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'}
HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'}
HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'}
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'IP_ADDRESS'}
IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'}
KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'}
KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'}
MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
MistralPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'}
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
PlacementPublic: {protocol: 'https', port: '13778', host: 'IP_ADDRESS'}
NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'}
OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'}
OpenDaylightAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
OpenDaylightInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
OvnDbInternal: {protocol: tcp, port: '6642', host: 'IP_ADDRESS'}
PankoAdmin: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
PankoInternal: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
PankoPublic: {protocol: 'https', port: '13977', host: 'IP_ADDRESS'}
SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
SaharaPublic: {protocol: 'https', port: '13386', host: 'IP_ADDRESS'}
SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'}
SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
TackerAdmin: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
TackerInternal: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
TackerPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'}
ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'}
ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'IP_ADDRESS'}
ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'}
-
name: ssl/tls-endpoints-public-dns
title: Deploy Public SSL Endpoints as DNS Names
description: |
Use this environment when deploying an SSL-enabled overcloud where the public
endpoint is a DNS name.
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
sample_values:
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'}
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
BarbicanAdmin: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
BarbicanInternal: {protocol: 'http', port: '9311', host: 'IP_ADDRESS'}
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
CephRgwAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
CephRgwInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'}
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
DesignateAdmin: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
DesignateInternal: {protocol: 'http', port: '9001', host: 'IP_ADDRESS'}
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'}
Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'}
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'}
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'}
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'}
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'}
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
HeatUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'}
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'IP_ADDRESS'}
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
IronicUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'}
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
KeystoneUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
MistralAdmin: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
MistralInternal: {protocol: 'http', port: '8989', host: 'IP_ADDRESS'}
MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
MistralUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'}
NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'}
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'IP_ADDRESS'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
PlacementAdmin: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
PlacementInternal: {protocol: 'http', port: '8778', host: 'IP_ADDRESS'}
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'}
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
OpenDaylightAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
OpenDaylightInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'}
OvnDbInternal: {protocol: tcp, port: '6642', host: 'IP_ADDRESS'}
PankoAdmin: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
PankoInternal: {protocol: 'http', port: '8977', host: 'IP_ADDRESS'}
PankoPublic: {protocol: 'https', port: '13977', host: 'CLOUDNAME'}
SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'}
SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'}
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
SwiftUIConfig: {protocol: 'https', port: '443', host: 'IP_ADDRESS'}
TackerAdmin: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
TackerInternal: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'}
TackerPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'}
ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
ZaqarWebSocketAdmin: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
ZaqarWebSocketInternal: {protocol: 'ws', port: '9000', host: 'IP_ADDRESS'}
ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'IP_ADDRESS'}
-
name: ssl/tls-everywhere-endpoints-dns
title: Deploy All SSL Endpoints as DNS Names
description: |
Use this environment when deploying an overcloud where all the endpoints are
DNS names and there's TLS in all endpoint types.
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
sample_values:
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'}
AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'}
BarbicanAdmin: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
BarbicanInternal: {protocol: 'https', port: '9311', host: 'CLOUDNAME'}
BarbicanPublic: {protocol: 'https', port: '13311', host: 'CLOUDNAME'}
CephRgwAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
CephRgwInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
CephRgwPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'}
CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'}
DesignateAdmin: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
DesignateInternal: {protocol: 'https', port: '9001', host: 'CLOUDNAME'}
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
Ec2ApiAdmin: {protocol: 'https', port: '8788', host: 'CLOUDNAME'}
Ec2ApiInternal: {protocol: 'https', port: '8788', host: 'CLOUDNAME'}
Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'}
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'}
HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'}
HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'}
HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'}
HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'}
HeatUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'}
IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'}
IronicInspectorAdmin: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
IronicInspectorInternal: {protocol: 'http', port: '5050', host: 'CLOUDNAME'}
IronicInspectorPublic: {protocol: 'https', port: '13050', host: 'CLOUDNAME'}
IronicInspectorUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
IronicUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'}
KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'}
KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'}
KeystoneUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'}
ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'}
MistralAdmin: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
MistralInternal: {protocol: 'https', port: '8989', host: 'CLOUDNAME'}
MistralPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
MistralUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'}
NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'}
NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'}
NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'}
NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'}
NovaMetadataInternal: {protocol: 'https', port: '8775', host: 'CLOUDNAME'}
NovaUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
PlacementAdmin: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
PlacementInternal: {protocol: 'https', port: '8778', host: 'CLOUDNAME'}
PlacementPublic: {protocol: 'https', port: '13778', host: 'CLOUDNAME'}
NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'}
NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'}
OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
OctaviaInternal: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}
OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'}
OpenDaylightAdmin: {protocol: 'https', port: '8081', host: 'CLOUDNAME'}
OpenDaylightInternal: {protocol: 'https', port: '8081', host: 'CLOUDNAME'}
OvnDbInternal: {protocol: tcp, port: '6642', host: 'IP_ADDRESS'}
PankoAdmin: {protocol: 'https', port: '8977', host: 'CLOUDNAME'}
PankoInternal: {protocol: 'https', port: '8977', host: 'CLOUDNAME'}
PankoPublic: {protocol: 'https', port: '13977', host: 'CLOUDNAME'}
SaharaAdmin: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
SaharaInternal: {protocol: 'https', port: '8386', host: 'CLOUDNAME'}
SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'}
SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'}
SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'}
SwiftUIConfig: {protocol: 'https', port: '443', host: 'CLOUDNAME'}
TackerAdmin: {protocol: 'https', port: '9890', host: 'CLOUDNAME'}
TackerInternal: {protocol: 'https', port: '9890', host: 'CLOUDNAME'}
TackerPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'}
ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'}
ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'}
ZaqarWebSocketAdmin: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
ZaqarWebSocketInternal: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
ZaqarWebSocketPublic: {protocol: 'wss', port: '9000', host: 'CLOUDNAME'}
ZaqarWebSocketUIConfig: {protocol: 'wss', port: '443', host: 'CLOUDNAME'}
-
name: ssl/no-tls-endpoints-public-ip
title: Deploy All Endpoints without TLS and with IP addresses
description: |
Use this environment when deploying an overcloud where all the endpoints not
using TLS and are using IP addresses.
files:
network/endpoints/endpoint_map.yaml:
parameters:
- EndpointMap
deployment/haproxy/haproxy-container-puppet.yaml:
parameters:
- EnablePublicTLS
deployment/haproxy/haproxy-pacemaker-puppet.yaml:
parameters:
- EnablePublicTLS
deployment/haproxy/haproxy-container-puppet.yaml:
parameters:
- EnablePublicTLS
sample_values:
EnablePublicTLS: false
# NOTE(bnemec): This is a bit odd, but it's the only way I've found that
# works. The |-2 tells YAML to strip two spaces off the indentation of
# the value, which because it's indented six spaces gets us to the four
# that we actually want. Note that zero is not a valid value here, so
# two seemed like the most sane option.
EndpointMap: |-2
AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
AodhPublic: {protocol: http, port: '8042', host: IP_ADDRESS}
BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
BarbicanPublic: {protocol: http, port: '9311', host: IP_ADDRESS}
CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
CephRgwPublic: {protocol: http, port: '8080', host: IP_ADDRESS}
CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS}
DesignateAdmin: {protocol: 'http', port: '9001', host: IP_ADDRESS}
DesignateInternal: {protocol: 'http', port: '9001', host: IP_ADDRESS}
DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS}
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS}
Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS}
Ec2ApiPublic: {protocol: http, port: '8788', host: IP_ADDRESS}
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS}
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiPublic: {protocol: http, port: '8041', host: IP_ADDRESS}
HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatPublic: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
HeatCfnPublic: {protocol: http, port: '8000', host: IP_ADDRESS}
HorizonPublic: {protocol: http, port: '80', host: IP_ADDRESS}
IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicPublic: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorPublic: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
KeystonePublic: {protocol: http, port: '5000', host: IP_ADDRESS}
KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaPublic: {protocol: http, port: '8786', host: IP_ADDRESS}
MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralPublic: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronPublic: {protocol: http, port: '9696', host: IP_ADDRESS}
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaPublic: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaMetadataInternal: {protocol: http, port: '8775', host: IP_ADDRESS}
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
PlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
PlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
PlacementPublic: {protocol: http, port: '8778', host: IP_ADDRESS}
NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS}
OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS}
OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS}
OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS}
OvnDbInternal: {protocol: tcp, port: '6642', host: IP_ADDRESS}
PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS}
PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS}
PankoPublic: {protocol: http, port: '8977', host: IP_ADDRESS}
SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
SaharaPublic: {protocol: http, port: '8386', host: IP_ADDRESS}
SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftPublic: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS}
TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS}
TackerPublic: {protocol: http, port: '9890', host: IP_ADDRESS}
ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarPublic: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}