| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Adds a class to configure SELinux. The code is taken from
puppet-openstack-cloud:
https://github.com/redhat-cip/puppet-openstack-cloud
This allows to share the same code for usage by both the Undercloud and
Overcloud.
Co-Authored By: Emilien Macchi <emilien@redhat.com>
Co-Authored By: Yanis Guenane <yguenane@redhat.com>
blueprint undercloud-elements
Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
|
|
The port parameter to puppetlabs-firewall is actually deprecated[1].
This adds support for using the new parameter names dport and sport. The
port parameter is still retained in puppet-tripleo for backwards
compatibily for anyone using that interface. It is marked deprecated in
the documentation, however no deprecation warning is needed because
there is already a warning from from puppetlabs-firewall.
blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
|
|
Change-Id: Ifb0cc7769ef99e4c7142c8f955f0ca721d61e9b5
|
|
|
|
|
|
|
|
|
|
Specifying a destination cidr is already supported by
puppetlabs-firewall, we just need to pass through the parameter in
rule.pp in puppet-tripleo.
This will allow creating iptables rules that forward network traffic for
a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
|
|
Database schema profiles were missing step information, causing
schemas to be created too early.
Change-Id: Ic381804ce5f1aa257ece75d2e079f4b02f446344
|
|
TL;DR:
If keystone_public_api_vip and/or public_virtual_ip is an array of IPs,
HAproxy will be configured to listen on all IPs that are given in the
arrays.
It allows to specify an array for keystone_public_api_vip and/or
public_virtual_ip where one IP is v4 and another one is v6.
HAproxy will configured to listen on both and redirect the traffic to
the IPv6 network (Dual-Stack).
Implementation & background:
HAproxy requires binding options as an hash where each IP contains an
array of binding options.
TripleO does not support Puppet Parser [1] (yet) so we can't manipulate
data iterations inside the manifests.
This patch creates a custom function, called list_to_hash.
Example:
keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000']
$keystone_bind_opts = ['transparent']
Using this function:
$keystone_vips_hash = list_to_hash($keystone_vips,
$keystone_bind_opts)
Would return:
$keystone_vips_hash = {
'192.168.0.1:5000' => ['transparent'],
'192.168.0.2:5000' => ['transparent'],
}
This function will help us in loadbalancer.pp to construct binding
options in dynamic way.
It's backward compatible, so you don't have to give an array.
But if you do, multiple binding will be configured in HAproxy and you'll
also be able to deploy IPv6 Dual-Stack.
[1] https://docs.puppetlabs.com/puppet/latest/reference/lang_iteration.html
Change-Id: I003b6d7d171652654745861d4231882f9e0d373e
|
|
|
|
Horizon's backends (httpd) see IP address of the haproxy in the logs instead
of the client address.
Adding forwardfor option allows to add the client address to the
X-Forwarded-For HTTP header and can be replace in the logs by configured the
backend servers with this header.
Change-Id: I54f0f5549d64768dacca71539c71a28cc99d9d95
|
|
|
|
|
|
In tripleo heat template, overcloud_controller_pacemaker.pp has a lot of
duplicate code to define haproxy and vip creation. This is an attempt
to refactor this.
Change-Id: I4cc6711911c1bfa1bc6063979e2b2a7ab5b8d37b
|
|
|
|
Add Glance profiles for non-ha & ha scenarios.
Change-Id: Ifc388f7058ccfff2818f531bcbc00c7179874bbc
Implements: blueprint refactor-puppet-manifests
|
|
This commits adds the option to pass an internal certificate.
The aforementioned certificate will be used to terminate TLS
connections for the internal and admin endpoints.
Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990
|
|
In order to reduce repeated code in the loadbalancer manifest, the
repeated parts were moved into one manifest that contains the
endpoint resource.
Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa
|
|
There were two issues with the SSL port for sahara.
* It was conflicting with Manila's port
* It was documented incorrectly
This has been fixed
Change-Id: I9f710e014890b6daa6b3e511fd811c1e25bd0de3
|
|
Change-Id: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
|
|
|
|
They are not being used and add extra logic and unnecessary clutter
to the code. So this CR removes them in favor of just configuring
TLS with the service_certificate. The only individual cert left was
the one for haproxy stats.
Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
|
|
AODH, Gnocchi, Sahara and Trove were missing from the service_ports
maps and thus had hardcoded ports in the listener configuration. The
addition of those ports to the map is required to give the
possibility to deployers to configure those ports if needed. This
commit adds them to that map.
Change-Id: Id009d65bf68ba91f97b0d60d32028da50fc88fc3
|
|
When managing the vip's, we were incorrectly comparing the vip to
$control_virtual_interface instead of $controller_virtual_ip when
determining if we needed to actually create the vip or not.
This caused the vips for internal api, storage, and storage mgmt to
always be created even if they were the same as the control vip. Afaict,
this didn't actually cause any problems, other than having extra vip's
created when they weren't needed. Still, this corrects the code to do
what it was intended to do.
Change-Id: I29aee95afcba25008b8b7bee37ba636eb2595cca
|
|
|
|
|
|
|
|
When accessing Redis, if password protected, we need to update
the HAProxy checks so that they use a password or we won't be able
to gather which node is the replica master.
Also adds PING/PONG and QUIT/OK sequence before and after the info
command is sent.
More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036
Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
|
|
This CR enables the ability to set the cipher suite to be used by
HAproxy and the SSL options. So now the user can enable these through
hiera. The cipher suite comes from the Fedora system crypto policy.
Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
|
|
Implements: blueprint refactor-puppet-manifests
Add keystone profiles for both pacemaker and non-ha.
Add db sync profiles for pacemaker and non-ha.
HA profiles are designed such that they include the base
profiles, disabling features as needed, while the base
profile can be used independently.
Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
|
|
This adds a TLS binding listening on the internal network for
horizon. And on the other hand, if the public binding for horizon is
accessed via non-https, it will redirect to https.
Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
|
|
Right now we always deploy the haproxy.stats endpoint with no
authentication, which is a security concern. Allow setting a
password on the endpoint so it isn't accessible to the world.
While this allows configuring SSL on the stats endpoint, it does
not use the service_certificate parameter because that certificate
is intended to be used only for public endpoints, and the stats
endpoint is actually on the admin VIP. Once we have support for
SSL on admin endpoints we can have stats use it by default.
Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
|
|
|
|
Some deployments were expecting specific ports for the OpenStack
services; In case the default ports are not meeting those needs, we
need to provide the means of changing the defaults.
Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
|
|
|
|
Heat has the ssl middleware to handle the X-Forwarded-Proto header by
default. We override this header when SSL is enabled because we need
to, but overriding it even when we won't be terminating SSL will
prevent some attacks using this header.
Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
|
|
Current HAproxy config is broken for Redis timeout parameters. This is what we
have today by default in HAproxy logs:
[WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'redis'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
This patch removes the explicit setting of client and server timeouts to 0,
which is the cause of the above warning. Instead, Redis will simply inherit the
haproxy defaults, which should be a more reasonable setting, and result in no
warnings.
Change-Id: Ibe7941bec02f5facf21732910c9ad96f547ff8e5
|
|
Right now, the only manipulation done to the X-Forwarded-Proto header
is done if an SSL connection is established. This is not sufficient as
one might be able to erroneously put values through that header.
This patch disables that behaviour by defaulting to plain http if an
SSL connection is not established.
Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
|
|
|
|
|
|
|
|
As for Heat, we need to be able to handle 30X redirects from Horizon
when configured to use SSL. Because Horizon's redirects are
handled directly by Apache, we can't use middleware to handle the
X-Forwarded-Proto header like we are planning to do for the other
services. However, in this case we don't need to worry about
rewriting urls in the payload like we do for the other services
because Horizon is just serving standard web pages, not custom
HTTP bodies with JSON contents.
One other change from the previous Heat patch is to drop the IP
from the rewrite regex. This is because Horizon will generally be
accessed via a DNS name, so the IP won't appear in the Location
header. The heat regex should probably be changed as well since
we now support registering endpoints with DNS names, but since we
plan to move all the other services to the X-Forwarded-Proto header
middleware anyway we can probably just wait until that happens and
then remove the Heat rule entirely.
Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
|
|
|
|
|
|
|
|
Enable oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory in
ssl_header_handler middlewarefilter so we can run Nova API with SSL
support.
Change-Id: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
|
|
Change the workflow to be:
Upgrade all packages before any services that is notified & managed by
Puppet.
It also disable the Exec timeout so we rely on Heat timeout and not on
the 300s that are the default in Puppet [1]
Example: we upgrade and OpenStack config will change (obviously).
Puppet catalog will contain 3 important things:
* config resources
* service resources
* package-upgrade Exec resource
with that patch, what will happen:
* puppet will update config first or second and notify
services
* puppet will run package-upgrade first or second but before
the package-upgrade Exec resource
* at the very end, puppet will restart services
That way, we avoid complications with Puppet dependency cycle issues.
[1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout
Closes-Bug: 1536349
Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
|
|
This is useful for handling URLs properly when TLS is enabled.
Change-Id: I4defed679cf3b2980dcc4ce1db030c0fdf154bfe
|
|
Change-Id: Ib57a4bf463900e68cbf97900027f972e590799c2
|
James Slagle
Giulio Fidente
Jenkins
Michael Chapman
Emilien Macchi
Dimitri Savineau
Sofer Athlan-Guyot
Juan Antonio Osorio Robles
Pradeep Kilambi
Ben Nemec
Jason Guiditta