authorRobert Collins <rbtcollins@hp.com>2014-07-18 20:56:23 +1200
committerRobert Collins <rbtcollins@hp.com>2014-07-19 19:42:43 +1200
commit1924e3ac3a04c930648dcc104853cbafa61e2132 (patch)
treebeb118df6dbb066d1160ae2ee330f107fded9edb
parentc71b0a2a7549922caafa166130dc414a6b7420c8 (diff)
Fix SSL with HAProxy.
The current configuration of services is that if SSL is in use (signaled by stunnel.connect_ip) we bind to 127.0.0.1 - which is great, but it breaks simultaneous non-SSL due to there being no pass-through stunnel equivalent on all the nodes. As an interim measure, teach stunnel to connect to the ctlplane address instead. We will need this flexibility in future anyway to deal with mixed-mode configurations, but we don't yet have an SSL only configuration. The change will permit SSL only by altering the Deployment object only - the SSL config object should now be flexible enough to run in either mode (but as yet on an all-one-way-or-the-other basis). Change-Id: Ibac3dec1fe7b573029482fdd9ad2d2f6223fbce0
-rw-r--r--overcloud-source.yaml8
-rw-r--r--ssl-source.yaml16
2 files changed, 24 insertions, 0 deletions
diff --git a/overcloud-source.yaml b/overcloud-source.yaml
index a8fcb9a3..4d24b08f 100644
--- a/overcloud-source.yaml
+++ b/overcloud-source.yaml
@@ -670,6 +670,14 @@ Resources:
server: {Ref: controller0}
signal_transport: NO_SIGNAL
input_values:
+ controller_host:
+ Fn::Select:
+ - 0
+ - Fn::Select:
+ - ctlplane
+ - Fn::GetAtt:
+ - controller0
+ - networks
ssl_certificate: {Ref: SSLCertificate}
ssl_key: {Ref: SSLKey}
ssl_ca_certificate: {Ref: SSLCACertificate}
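Review bot: The new `controller_host` value is pinned to the first `ctlplane` address of `controller0`, and nothing next to it records that this is an interim choice or that the ports behind it are plaintext listeners. Going by the commit description, services bind 127.0.0.1 only when SSL is signalled, so after this change stunnel presumably targets API ports that are reachable on the control-plane network without TLS. A comment above the key would keep that visible to whoever later switches the Deployment to SSL-only, for example `# interim: stunnel backend is controller0's ctlplane IP; API ports on this address are served without TLS`. The resource this hunk belongs to starts and ends outside the hunk.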
diff --git a/ssl-source.yaml b/ssl-source.yaml
index 38d6d7ec..e64eca51 100644
--- a/ssl-source.yaml
+++ b/ssl-source.yaml
@@ -31,24 +31,40 @@ Resources:
- name: 'ec2'
accept: 13773
connect: 8773
+ connect_host:
+ get_input: controller_host
- name: 'image'
accept: 13292
connect: 9292
+ connect_host:
+ get_input: controller_host
- name: 'identity'
accept: 13000
connect: 5000
+ connect_host:
+ get_input: controller_host
- name: 'network'
accept: 13696
connect: 9696
+ connect_host:
+ get_input: controller_host
- name: 'compute'
accept: 13774
connect: 8774
+ connect_host:
+ get_input: controller_host
- name: 'swift-proxy'
accept: 13080
connect: 8080
+ connect_host:
+ get_input: controller_host
- name: 'cinder'
accept: 13776
connect: 8776
+ connect_host:
+ get_input: controller_host
- name: 'ceilometer'
accept: 13777
connect: 8777
+ connect_host:
+ get_input: controller_host
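Review bot: All eight `connect_host` entries read the `controller_host` input, but the hunk adds no declaration or default for it, so a deployment that reuses this config without supplying `controller_host` in its `input_values` would presumably hand stunnel an empty backend host. How the stunnel element treats a missing `connect_host` is not visible here, so the fallback should be stated in the template or the input made explicit. The stunnel-to-service leg is unencrypted, so the template should also say that the value must stay an address on the same node, for example `# connect_host must be local to this node: traffic from stunnel to the service is cleartext` above the first entry. The list these entries belong to begins before the hunk.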