Age | Commit message (Collapse) | Author | Files | Lines |
|
Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.
Thus, we add manifests to configure it as such.
bp tls-via-certmonger
Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c
(cherry picked from commit f85199c77826017e383534051ada57ef1ea4ddcc)
|
|
Leave the version fields blank, since the release notes document
applies to all versions.
That will avoid manual changes in the future like we did until now.
Change-Id: I9c64787b278b53a0f4125275678ded3f46d05be2
(cherry picked from commit aefd5f7afd238b50eff71fe6f583ef7cadb54d12)
|
|
stable/pike
|
|
stable/pike
|
|
|
|
|
|
the postsave command is ran by certmonger when a certificate is
requested (which will happen on certificate renewal). The previous
command given didn't take into account the file that haproxy expects,
which is a bundled PEM file with both the certificate and the key. Thus,
certmonger would have never generated a new bundle that haproxy would
use, resulting in haproxy always having an old bundle after certificate
expiration.
This fixes that.
Change-Id: Idb650d35f56abaf6a17e17794a068dd5933e6a62
Closes-Bug: #1712514
(cherry picked from commit e1791a37d557b14bb8f833363cabe5c98e151548)
|
|
Previously, certmonger tried to reload haproxy every time after a
certificate is requested. This is useful for certificate resubmits or
renewals. However, it turned out problematic on installation, when
haproxy is not yet active, as it would try many times and end up having
a race-condition with puppet.
This checks if haproxy is active and only then will it attempt to reload
it.
Change-Id: I51f9cccb5d1518a9647778e7bf6f9426a02ceb60
Closes-Bug: #1712377
(cherry picked from commit 351ab932514f13d7a139b0b41fdc4f6f7e990c8f)
|
|
This changes adds Dell EMC Unity backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I0df1e16db89cd53e4f16cd08ccb975d8e7e9a470
Implements: blueprint dellemc-unity-manila
(cherry picked from commit 2f93b4fc3aa63d99b7dcb0302e9ee48bda1f4282)
|
|
This changes adds Dell EMC Isilon backend as composable service
and matches the tripleo-heat-templates.
Change-Id: I30f6b4c4ebe0a708a5eb34cd016544f4d2b9c2bb
Implements: blueprint dellemc-isilon-manila
(cherry picked from commit 75ee7f12f165d4ef6e47600d8c0ec93dff3b610d)
|
|
We missed to mount the Ceph config files into the docker/pacemaker
profiles.
Change-Id: I23b6890b4cf7f1e6fe84b6be280dde82218275fc
Closes-Bug: #1713421
(cherry picked from commit b18ae72c6aaad9eb98d7e4490a6572441f63b9a1)
|
|
Exposes a way to configure the docker daemon with debug enabled.
Change-Id: I654a70c8bb7753679be83d78ca653ed44c3a7395
Related-Bug: #1710533
(cherry picked from commit 44b90c9a79146139cbcbe7f560bd1df667cca780)
|
|
|
|
|
|
|
|
In templates we use 13977 as the port for panko. The
old 13779 is reserved for trove so it conflicts.
Closes-bug: #1712566
Change-Id: I77444199eef6c2b9abbd819829b4fea2d698e2db
(cherry picked from commit 5064677dda8e4f140df6d024089e95afe11a91f1)
|
|
Checking the root's mail (/var/mail/root) I finally saw the root cause
of the CRL cronjob not working.
/bin/sh: curl: command not found
now, curl, (and most commands used by that cronjob) is in the /bin bash,
so we need to add it to the environment's PATH for the cronjob.
Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2
Closes-Bug: #1712404
(cherry picked from commit 139ac85028947f476a085e89bd54f3dfacd886cf)
|
|
Change-Id: Ibc02e4e87593f18c4c48a9e8197a4cd3c16d9cd4
|
|
Change-Id: Ib750ba8a4e76a25ffd2352b420e97548447eae97
|
|
|
|
|
|
This is requires for when libvirt is running over a container, since
we shouldn't try to restart the libvirt process, but the container
itself.
bp tls-via-certmonger-containers
Change-Id: I26a7748b37059ea37f460d8c70ef684cc41b16d3
|
|
|
|
Change Ifef08033043a4cc90a6261e962d2fdecdf275650 moved the stonith
property definition to the pacemaker_master node. This means that the
Class['tripleo::fencing'] -> Class['pacemaker::stonith'] ordering
breaks on non-boostrap pacemaker nodes because the pacemaker::stonith
property is not defined there any longer.
Let's fix this by simply using a resource collector and set the ordering
on that instead of adding yet anoth if statement. Ordering on
enablement of stonith is actually more correct formally.
Tested this on a broken setup successfully.
Closes-Bug: #1712605
Change-Id: I616d340bdf75da9d9eb8b83b2e804dff3d07d58e
|
|
Without it, it doesn't reload the services it should.
Change-Id: I43e6188700deb585f905ca700e69b6875f0ded45
Closes-Bug: #1712404
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.
This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.
bp tls-via-certmonger-containers
Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813
|
|
|
|
|
|
|
|
|
|
This adds a TLS proxy in front of it so it serves TLS in the internal
network.
bp tls-via-certmonger
Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
|
|
|
|
If we're using local registries, we may want to use different
registries e.g. for Ceph and for OpenStack. We allow multiple
registries in general for this purpose, and we should also allow it in
the insecure registry configuration.
Change-Id: I5cddd20a123a85516577bde1b793a30d43171285
Related-Bug: #1709310
|
|
|
|
|
|
This enables the usage of TLS by the apache vhost that hosts horizon.
bp tls-via-certmonger
Change-Id: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
|
|
This removes clutter from the main haproxy manifest and allows TLS in
the internal network as well. Trying to keep the previous behavior.
bp tls-via-certmonger-containers
Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
|
|
Change-Id: Id3277c97052e1dd88e6d2de6c5f92b32b95fa210
|
|
This makes sure that the database creation is only executed on the mysql
profile (or container if that's enabled), and stops the conflicts and
errors that were happening when barbican was deployed in containerized
environments.
Change-Id: Ib5c99482f62397fc5fb79a9dc537dfb06ee7f4df
Closes-Bug: #1710928
|
|
It uses the control-port 3125.
Partial-bug: #1699085
Change-Id: I4787321e10cc35beeb5ec3f585dafb2268ea4f21
|
|
Generate a cron job and a config for logrotate
to be run against containerized services logs.
Related-bug: #1700912
Change-Id: Ib9d5d8ca236296179182613e1ff625deea168614
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
The current code exposes an unused public listen directive in HAProxy
for the keystone admin endpoint. This is not ideal and should be
removed, as it exposes the service unnecessarily. We should stick to
just exposing it to the ctlplane network as is the default.
If folks really need to expose it to the public network, they can do so
by modifying the ServiceNetMap through t-h-t and setting the keystone
admin endpoint's network to external.
Now, for "single" or "internal" haproxy endpoints, this adds the ability
to detect if they're using the external network, and thus use TLS on it.
Which is something a deployer would want if they exposed the keystone
admin endpoint in such a way.
Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #1710909
Closes-Bug: #1639996
|
|
|
|
|