| field | value | date |
|---|---|---|
| author | Robert Collins <rbtcollins@hp.com> | 2014-07-18 20:56:23 +1200 |
| committer | Robert Collins <rbtcollins@hp.com> | 2014-07-19 19:42:43 +1200 |
| commit | 1924e3ac3a04c930648dcc104853cbafa61e2132 | |
| tree | beb118df6dbb066d1160ae2ee330f107fded9edb | |
| parent | c71b0a2a7549922caafa166130dc414a6b7420c8 | |
Fix SSL with HAProxy.
The current configuration of services is that if SSL is in use (signaled by
stunnel.connect_ip) we bind to 127.0.0.1 - which is great, but it breaks
simultaneous non-SSL due to there being no pass-through stunnel equivalent on
all the nodes. As an interim measure, teach stunnel to connect to the ctlplane
address instead. We will need this flexibility in future anyway to deal with
mixed-mode configurations, but we don't yet have an SSL only configuration.
The change will permit SSL only by altering the Deployment object only - the
SSL config object should now be flexible enough to run in either mode (but as
yet on an all-one-way-or-the-other basis).
Change-Id: Ibac3dec1fe7b573029482fdd9ad2d2f6223fbce0
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | overcloud-source.yaml | 8 |
| -rw-r--r-- | ssl-source.yaml | 16 |

2 files changed, 24 insertions, 0 deletions
diff --git a/overcloud-source.yaml b/overcloud-source.yaml index a8fcb9a3..4d24b08f 100644 --- a/overcloud-source.yaml +++ b/overcloud-source.yaml @@ -670,6 +670,14 @@ Resources: server: {Ref: controller0} signal_transport: NO_SIGNAL input_values: + controller_host: + Fn::Select: + - 0 + - Fn::Select: + - ctlplane + - Fn::GetAtt: + - controller0 + - networks ssl_certificate: {Ref: SSLCertificate} ssl_key: {Ref: SSLKey} ssl_ca_certificate: {Ref: SSLCACertificate} diff --git a/ssl-source.yaml b/ssl-source.yaml index 38d6d7ec..e64eca51 100644 --- a/ssl-source.yaml +++ b/ssl-source.yaml @@ -31,24 +31,40 @@ Resources: - name: 'ec2' accept: 13773 connect: 8773 + connect_host: + get_input: controller_host - name: 'image' accept: 13292 connect: 9292 + connect_host: + get_input: controller_host - name: 'identity' accept: 13000 connect: 5000 + connect_host: + get_input: controller_host - name: 'network' accept: 13696 connect: 9696 + connect_host: + get_input: controller_host - name: 'compute' accept: 13774 connect: 8774 + connect_host: + get_input: controller_host - name: 'swift-proxy' accept: 13080 connect: 8080 + connect_host: + get_input: controller_host - name: 'cinder' accept: 13776 connect: 8776 + connect_host: + get_input: controller_host - name: 'ceilometer' accept: 13777 connect: 8777 + connect_host: + get_input: controller_host |
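Review bot: in the overcloud-source.yaml hunk, nothing changes where the backend services bind, yet the commit message says they bind to 127.0.0.1 whenever `stunnel.connect_ip` is set; if that still holds, a stunnel that connects to the ctlplane address supplied via `controller_host` will be refused, so the message should name the change (or the element behaviour) that makes the services listen on the ctlplane address. The value is also pinned to `controller0` and to element 0 of its ctlplane address list (`Fn::Select: - 0`), which matches the interim single-controller case the message describes but deserves a short comment in the template so the assumption is visible when more controllers are added.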
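Review bot: in the ssl-source.yaml hunk, pointing `connect_host` at the ctlplane address rather than loopback means each backend port under `connect` (8773, 9292, 5000, 9696, 8774, 8080, 8776, 8777) is a plaintext endpoint reachable from the ctlplane network alongside its TLS `accept` port; the commit message accepts this as mixed mode, but a one-line comment in ssl-source.yaml stating it would stop readers from assuming the 13xxx ports are the only exposure. Separately, the same two-line stanza `connect_host:` / `get_input: controller_host` is repeated verbatim for all eight services, so any service added later has to remember it; if the stunnel element accepts a single default connect host, one setting would be less error-prone than eight copies.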