Config platform service admin endpoints to https for DC

With this update https is enabled for platform services' admin endpoints
for System Controller and subclouds when the first controller is
unlocked.

The services with admin endpoints enabled are:
- fm
- patching
- vim
- smapi
- barbican
- keystone
- sysinv
- dcdbsync
- dcmanager

Change-Id: I45b3c541cdb6191dad6d3e2b3e9cf8a3398b3a1b
Story: 2007347
Task: 38891
Depends-On: https://review.opendev.org/#/c/720224/
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Andy Ning 2020-04-06 10:11:56 -04:00
parent 7665c92ec9
commit e5f325ccca
12 changed files with 180 additions and 4 deletions


@ -43,6 +43,10 @@ class dcorch::keystone::auth (
$cinder_proxy_public_url_v3 = 'http://127.0.0.1:28776/v3/%(tenant_id)s',
$patching_proxy_public_url = 'http://127.0.0.1:25491',
$identity_proxy_public_url = 'http://127.0.0.1:25000/v3',
$identity_proxy_admin_url = 'http://127.0.0.1:25000/v3',
$sysinv_proxy_admin_url = 'http://127.0.0.1:26385/v1',
$patching_proxy_admin_url = 'http://127.0.0.1:25491',
) {
if $::platform::params::distributed_cloud_role =='systemcontroller' {
keystone::resource::service_identity { 'dcorch':
@ -68,7 +72,7 @@ class dcorch::keystone::auth (
type => 'platform',
region => $region,
public_url => $sysinv_proxy_public_url,
admin_url => $sysinv_proxy_internal_url,
admin_url => $sysinv_proxy_admin_url,
internal_url => $sysinv_proxy_internal_url
}
@ -78,7 +82,7 @@ class dcorch::keystone::auth (
type => 'patching',
region => $region,
public_url => $patching_proxy_public_url,
admin_url => $patching_proxy_internal_url,
admin_url => $patching_proxy_admin_url,
internal_url => $patching_proxy_internal_url
}
keystone_endpoint { "${region}/keystone::identity" :
@ -87,7 +91,7 @@ class dcorch::keystone::auth (
type => 'identity',
region => $region,
public_url => $identity_proxy_public_url,
admin_url => $identity_proxy_internal_url,
admin_url => $identity_proxy_admin_url,
internal_url => $identity_proxy_internal_url
}
}
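Review bot: The three new parameters `$identity_proxy_admin_url`, `$sysinv_proxy_admin_url` and `$patching_proxy_admin_url` default to plain `http://127.0.0.1:...`, and the three keystone_endpoint hunks below now publish them as `admin_url`; unless hiera overrides them, the registered admin endpoint stays http on the loopback while the haproxy admin listeners added elsewhere in this commit terminate TLS on `port + 1`, so the new listener would be unused. Whether hiera supplies the https values is not visible on this page; if that is the design, say so next to the parameter list, e.g. `# *_proxy_admin_url defaults are placeholders; DC deployments override them via hiera with the https admin-endpoint URL`. If instead the defaults are meant to be usable, they should carry the https scheme and the admin port. The class parameter list continues outside the hunk.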


@ -90,12 +90,26 @@ class openstack::barbican::service (
class openstack::barbican::haproxy
inherits ::openstack::barbican::params {
include ::platform::params
include ::platform::haproxy::params
platform::haproxy::proxy { 'barbican-restapi':
server_name => 's-barbican-restapi',
public_port => $api_port,
private_port => $api_port,
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'barbican-restapi-admin':
https_ep_type => 'admin',
server_name => 's-barbican-restapi',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}
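Review bot: The admin listener's port is an implicit `$api_port + 1` convention with no named parameter behind it, and the same pattern recurs in the keystone, dcdbsync, dcmanager, dcorch, fm, vim (nfv), patching, smapi and sysinv sections of this commit; the firewall rules and the keystone endpoint URLs that must point at this port cannot refer to it by name, so the convention can only drift silently. Consider an `$admin_api_port` in each `::params` class (or an `$admin_port_offset` in `platform::haproxy::params`) and passing that as `public_port`. The line `public_ip_address => $::platform::haproxy::params::private_ip_address` also deserves a why-comment, since the parameter name says the opposite of the value: `# admin endpoint is bound to the private address, not the default public one`.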
class openstack::barbican::api


@ -131,6 +131,7 @@ class openstack::keystone::haproxy
inherits ::openstack::keystone::params {
include ::platform::params
include ::platform::haproxy::params
if !$::platform::params::region_config {
platform::haproxy::proxy { 'keystone-restapi':
@ -139,6 +140,18 @@ class openstack::keystone::haproxy
private_port => $api_port,
}
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'keystone-restapi-admin':
https_ep_type => 'admin',
server_name => 's-keystone',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}
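Review bot: The existing `keystone-restapi` proxy is declared only under `if !$::platform::params::region_config` (context line in the first hunk), but the new `keystone-restapi-admin` proxy appended at the end of the class is guarded only by the DC role; if a DC role and `region_config` can coexist, the admin listener would forward to a keystone that is deliberately not proxied locally. If the two settings are mutually exclusive, a one-line comment saying so would stop a future reader from adding the guard; otherwise mirror it, e.g. `if !$::platform::params::region_config and ($::platform::params::distributed_cloud_role == 'systemcontroller' or $::platform::params::distributed_cloud_role == 'subcloud') {`.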
define delete_endpoints (


@ -41,6 +41,26 @@ class platform::dcdbsync::api
}
}
}
include ::platform::dcdbsync::haproxy
}
class platform::dcdbsync::haproxy
inherits ::platform::dcdbsync::params {
include ::platform::params
include ::platform::haproxy::params
# Configure rules for https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'dcdbsync-restapi-admin':
https_ep_type => 'admin',
server_name => 's-dcdbsync',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}
class platform::dcdbsync::stx_openstack::runtime


@ -51,6 +51,9 @@ class platform::dcmanager
class platform::dcmanager::haproxy
inherits ::platform::dcmanager::params {
include ::platform::params
include ::platform::haproxy::params
if $::platform::params::distributed_cloud_role =='systemcontroller' {
platform::haproxy::proxy { 'dcmanager-restapi':
server_name => 's-dcmanager',
@ -58,6 +61,17 @@ class platform::dcmanager::haproxy
private_port => $api_port,
}
}
# Configure rules for https enabled admin endpoint.
if $::platform::params::distributed_cloud_role == 'systemcontroller' {
platform::haproxy::proxy { 'dcmanager-restapi-admin':
https_ep_type => 'admin',
server_name => 's-dcmanager',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}
class platform::dcmanager::manager {


@ -69,6 +69,8 @@ class platform::dcorch::firewall
class platform::dcorch::haproxy
inherits ::platform::dcorch::params {
include ::platform::haproxy::params
if $::platform::params::distributed_cloud_role =='systemcontroller' {
platform::haproxy::proxy { 'dcorch-neutron-api-proxy':
server_name => 's-dcorch-neutron-api-proxy',
@ -100,6 +102,31 @@ class platform::dcorch::haproxy
public_port => $identity_api_proxy_port,
private_port => $identity_api_proxy_port,
}
# Configure rules for https enabled identity api proxy admin endpoint.
platform::haproxy::proxy { 'dcorch-identity-api-proxy-admin':
https_ep_type => 'admin',
server_name => 's-dcorch-identity-api-proxy',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $identity_api_proxy_port + 1,
private_port => $identity_api_proxy_port,
}
# Configure rules for https enabled sysinv api proxy admin endpoint.
platform::haproxy::proxy { 'dcorch-sysinv-api-proxy-admin':
https_ep_type => 'admin',
server_name => 's-dcorch-sysinv-api-proxy',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $sysinv_api_proxy_port + 1,
private_port => $sysinv_api_proxy_port,
}
# Configure rules for https enabled patching api proxy admin endpoint.
platform::haproxy::proxy { 'dcorch-patch-api-proxy-admin':
https_ep_type => 'admin',
server_name => 's-dcorch-patch-api-proxy',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $patch_api_proxy_port + 1,
private_port => $patch_api_proxy_port,
}
}
}


@ -38,6 +38,7 @@ class platform::fm
class platform::fm::haproxy
inherits ::platform::fm::params {
include ::platform::params
include ::platform::haproxy::params
platform::haproxy::proxy { 'fm-api-internal':
@ -54,6 +55,18 @@ class platform::fm::haproxy
public_port => $api_port,
private_port => $api_port,
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'fm-api-admin':
https_ep_type => 'admin',
server_name => 's-fm-api-admin',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}
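Review bot: `server_name => 's-fm-api-admin'` gives the admin proxy a backend name of its own, whereas the barbican, keystone, vim, patching and sysinv admin proxies in this commit reuse the non-admin server name (`'s-barbican-restapi'`, `'s-keystone'`, …); smapi follows the fm convention. The two conventions should be reconciled in one direction, since anything that keys on the backend name (stats, log filtering) will otherwise see the admin and non-admin listeners of some services as one backend and of others as two. The semantics of `server_name` in the generated listen block are not visible here, so which direction is correct cannot be told from this page; a short comment on the chosen one would help, e.g. `# distinct server_name so the admin listener is separately identifiable in haproxy stats`.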
class platform::fm::api


@ -3,6 +3,7 @@ class platform::haproxy::params (
$public_ip_address,
$public_address_url,
$enable_https = false,
$https_ep_type = 'public',
$global_options = undef,
$tpm_object = undef,
@ -20,6 +21,7 @@ define platform::haproxy::proxy (
$client_timeout = undef,
$x_forwarded_proto = true,
$enable_https = undef,
$https_ep_type = undef,
$public_api = true,
$tcp_mode = false,
) {
@ -31,13 +33,23 @@ define platform::haproxy::proxy (
$https_enabled = $::platform::haproxy::params::enable_https
}
if $https_ep_type != undef {
$https_ep = $https_ep_type
} else {
$https_ep = $::platform::haproxy::params::https_ep_type
}
if $x_forwarded_proto {
if $https_enabled and $public_api {
if $https_enabled and $public_api and $https_ep == 'public' {
$ssl_option = 'ssl crt /etc/ssl/private/server-cert.pem'
$proto = 'X-Forwarded-Proto:\ https'
# The value of max-age matches lighttpd.conf, and should be
# maintained for consistency
$hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains'
} elsif $https_ep == 'admin' {
$ssl_option = 'ssl crt /etc/ssl/private/admin-ep-cert.pem'
$proto = 'X-Forwarded-Proto:\ https'
$hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains'
} else {
$ssl_option = ' '
$proto = 'X-Forwarded-Proto:\ http'
@ -147,6 +159,11 @@ class platform::haproxy::runtime {
include ::platform::nfv::haproxy
include ::platform::ceph::haproxy
include ::platform::fm::haproxy
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
include ::platform::dcdbsync::haproxy
include ::platform::smapi::haproxy
}
if $::platform::params::distributed_cloud_role =='systemcontroller' {
include ::platform::dcmanager::haproxy
include ::platform::dcorch::haproxy
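Review bot: The new `elsif $https_ep == 'admin'` branch in `platform::haproxy::proxy` enables TLS for admin endpoints unconditionally — `$https_enabled` and `$public_api` are checked only on the `'public'` path — and it hard-codes `/etc/ssl/private/admin-ep-cert.pem` with nothing in this hunk or the params hunk above managing or parameterizing that file, so haproxy will refuse to start on a DC node where the certificate has not been provisioned (possibly by the Depends-On change; not visible here). The always-on behaviour is presumably intended given the commit message, but it deserves a comment, and the `$proto` and `$hsts_option` assignments together with the max-age comment are now duplicated across the two TLS branches. The two branches can be folded into one with only the certificate path varying; the `if $x_forwarded_proto` block continues beyond the hunk.
```puppet
if $x_forwarded_proto {
    # Admin endpoints are always served over TLS with the admin-endpoint
    # certificate, independent of $enable_https / $public_api.
    if ($https_enabled and $public_api and $https_ep == 'public') or $https_ep == 'admin' {
      $ssl_option = $https_ep ? {
        'admin' => 'ssl crt /etc/ssl/private/admin-ep-cert.pem',
        default => 'ssl crt /etc/ssl/private/server-cert.pem',
      }
      $proto = 'X-Forwarded-Proto:\ https'
      # The value of max-age matches lighttpd.conf, and should be
      # maintained for consistency
      $hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains'
    } else {
      # … unchanged: plain-http branch …
```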


@ -56,12 +56,26 @@ class platform::nfv::runtime {
class platform::nfv::haproxy
inherits ::platform::nfv::params {
include ::platform::params
include ::platform::haproxy::params
platform::haproxy::proxy { 'vim-restapi':
server_name => 's-vim-restapi',
public_port => $api_port,
private_port => $api_port,
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'vim-restapi-admin':
https_ep_type => 'admin',
server_name => 's-vim-restapi',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}


@ -51,6 +51,8 @@ class platform::patching
class platform::patching::haproxy
inherits ::platform::patching::params {
include ::platform::params
include ::platform::haproxy::params
platform::haproxy::proxy { 'patching-restapi':
server_name => 's-patching',
@ -58,6 +60,18 @@ class platform::patching::haproxy
private_port => $private_port,
server_timeout => $server_timeout,
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'patching-restapi-admin':
https_ep_type => 'admin',
server_name => 's-patching',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $private_port + 1,
private_port => $private_port,
}
}
}
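Review bot: The admin listener port here is `$private_port + 1`, derived from the backend port, whereas every other service in this commit derives it from the port its public proxy listens on (`$api_port + 1`, where public and private ports coincide). The `public_port` of the existing `patching-restapi` proxy is outside the hunk; if it differs from `$private_port`, whatever registers the patching admin endpoint URL would have to know that this service alone uses the private port as its base. A comment on the `public_port` line would make the choice explicit: `# admin endpoint listens on private_port + 1 (not public_port + 1); keep the registered admin URL in step`.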


@ -29,6 +29,18 @@ class platform::smapi::haproxy
public_port => $port,
private_port => $port,
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'sm-api-admin':
https_ep_type => 'admin',
server_name => 's-smapi-admin',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $port + 1,
private_port => $port,
}
}
}
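Review bot: The new `sm-api-admin` proxy references `$::platform::haproxy::params::private_ip_address`, but unlike the other haproxy classes touched by this commit no `include ::platform::haproxy::params` is added here, and the class header is outside the hunk, so whether `platform::smapi::haproxy` already includes it cannot be seen. If it does not, the bind address resolves only when some earlier-evaluated class happened to declare the params class, which would show up as an empty bind address or, under `strict_variables`, a compilation error. If the include is missing, add `include ::platform::haproxy::params` alongside the class's existing includes.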
class platform::smapi


@ -78,12 +78,26 @@ class platform::sysinv::conductor {
class platform::sysinv::haproxy
inherits ::platform::sysinv::params {
include ::platform::params
include ::platform::haproxy::params
platform::haproxy::proxy { 'sysinv-restapi':
server_name => 's-sysinv',
public_port => $api_port,
private_port => $api_port,
}
# Configure rules for DC https enabled admin endpoint.
if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
$::platform::params::distributed_cloud_role == 'subcloud') {
platform::haproxy::proxy { 'sysinv-restapi-admin':
https_ep_type => 'admin',
server_name => 's-sysinv',
public_ip_address => $::platform::haproxy::params::private_ip_address,
public_port => $api_port + 1,
private_port => $api_port,
}
}
}