diff options
| -rw-r--r-- | docker/firstboot/start_docker_agents.sh | 2 | ||||
| -rw-r--r-- | environments/enable-internal-tls.yaml | 2 | ||||
| -rw-r--r-- | environments/services/haproxy-internal-tls-certmonger.yaml | 4 | ||||
| -rw-r--r-- | environments/services/haproxy-public-tls-certmonger.yaml | 4 | ||||
| -rw-r--r-- | environments/tls-everywhere-endpoints-dns.yaml | 52 | ||||
| -rw-r--r-- | overcloud-resource-registry-puppet.j2.yaml | 13 | ||||
| -rw-r--r-- | puppet/all-nodes-config.yaml | 4 | ||||
| -rw-r--r-- | puppet/services/glance-api.yaml | 151 | ||||
| -rw-r--r-- | puppet/services/glance-base.yaml | 110 | ||||
| -rw-r--r-- | puppet/services/glance-registry.yaml | 76 | ||||
| -rw-r--r-- | puppet/services/haproxy-internal-tls-certmonger.yaml | 51 | ||||
| -rw-r--r-- | puppet/services/haproxy-public-tls-certmonger.yaml | 37 | ||||
| -rw-r--r-- | puppet/services/haproxy.yaml | 43 | ||||
| -rw-r--r-- | puppet/services/kernel.yaml | 4 |
14 files changed, 401 insertions, 152 deletions
diff --git a/docker/firstboot/start_docker_agents.sh b/docker/firstboot/start_docker_agents.sh index 65c4e6dc..68625032 100644 --- a/docker/firstboot/start_docker_agents.sh +++ b/docker/firstboot/start_docker_agents.sh @@ -23,7 +23,7 @@ if [ $docker_namespace_is_registry ]; then # if namespace is used with local registry, trim all namespacing trim_var=$docker_registry registry_host="${trim_var%%/*}" - /bin/sed -i "s/# INSECURE_REGISTRY='--insecure-registry[ ]'/INSECURE_REGISTRY='--insecure-registry $registry_host'/g" /etc/sysconfig/docker + /bin/sed -i -r "s/^[# ]*INSECURE_REGISTRY *=.+$/INSECURE_REGISTRY='--insecure-registry $registry_host'/" /etc/sysconfig/docker /usr/bin/systemctl start --no-block docker.service fi diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml new file mode 100644 index 00000000..801dcde9 --- /dev/null +++ b/environments/enable-internal-tls.yaml @@ -0,0 +1,2 @@ +parameter_defaults: + EnableInternalTLS: true diff --git a/environments/services/haproxy-internal-tls-certmonger.yaml b/environments/services/haproxy-internal-tls-certmonger.yaml new file mode 100644 index 00000000..074fec4d --- /dev/null +++ b/environments/services/haproxy-internal-tls-certmonger.yaml @@ -0,0 +1,4 @@ +# A Heat environment file which can be used to enable a +# a TLS for HAProxy via certmonger +resource_registry: + OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml diff --git a/environments/services/haproxy-public-tls-certmonger.yaml b/environments/services/haproxy-public-tls-certmonger.yaml new file mode 100644 index 00000000..d3ad3ad4 --- /dev/null +++ b/environments/services/haproxy-public-tls-certmonger.yaml @@ -0,0 +1,4 @@ +# A Heat environment file which can be used to enable a +# a TLS for HAProxy via certmonger +resource_registry: + OS::TripleO::Services::HAProxyPublicTLS: ../../puppet/services/haproxy-public-tls-certmonger.yaml diff --git a/environments/tls-everywhere-endpoints-dns.yaml b/environments/tls-everywhere-endpoints-dns.yaml new file mode 100644 index 00000000..88a108a6 --- /dev/null +++ b/environments/tls-everywhere-endpoints-dns.yaml @@ -0,0 +1,52 @@ +# Use this environment when deploying an overcloud where all the endpoints are +# DNS names and there's TLS in all endpoint types. +parameter_defaults: + EndpointMap: + AodhAdmin: {protocol: 'https', port: '8042', host: 'CLOUDNAME'} + AodhInternal: {protocol: 'https', port: '8042', host: 'CLOUDNAME'} + AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} + CeilometerAdmin: {protocol: 'https', port: '8777', host: 'CLOUDNAME'} + CeilometerInternal: {protocol: 'https', port: '8777', host: 'CLOUDNAME'} + CeilometerPublic: {protocol: 'https', port: '13777', host: 'CLOUDNAME'} + CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} + CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} + CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} + GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} + GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} + GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} + GlanceRegistryInternal: {protocol: 'https', port: '9191', host: 'CLOUDNAME'} + GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} + GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} + GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} + HeatAdmin: {protocol: 'https', port: '8004', host: 'CLOUDNAME'} + HeatInternal: {protocol: 'https', port: '8004', host: 'CLOUDNAME'} + HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} + HeatCfnAdmin: {protocol: 'https', port: '8000', host: 'CLOUDNAME'} + HeatCfnInternal: {protocol: 'https', port: '8000', host: 'CLOUDNAME'} + HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} + HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} + IronicAdmin: {protocol: 'https', port: '6385', host: 'CLOUDNAME'} + IronicInternal: {protocol: 'https', port: '6385', host: 'CLOUDNAME'} + IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} + KeystoneAdmin: {protocol: 'https', port: '35357', host: 'CLOUDNAME'} + KeystoneInternal: {protocol: 'https', port: '5000', host: 'CLOUDNAME'} + KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} + ManilaAdmin: {protocol: 'https', port: '8786', host: 'CLOUDNAME'} + ManilaInternal: {protocol: 'https', port: '8786', host: 'CLOUDNAME'} + ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} + MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'CLOUDNAME'} + NeutronAdmin: {protocol: 'https', port: '9696', host: 'CLOUDNAME'} + NeutronInternal: {protocol: 'https', port: '9696', host: 'CLOUDNAME'} + NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} + NovaAdmin: {protocol: 'https', port: '8774', host: 'CLOUDNAME'} + NovaInternal: {protocol: 'https', port: '8774', host: 'CLOUDNAME'} + NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} + NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} + NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} + NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} + SaharaAdmin: {protocol: 'https', port: '8386', host: 'CLOUDNAME'} + SaharaInternal: {protocol: 'https', port: '8386', host: 'CLOUDNAME'} + SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'} + SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} + SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} + SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 1102a7f4..c7f15105 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -16,14 +16,23 @@ resource_registry: OS::TripleO::Tasks::{{role.name}}PostConfig: OS::Heat::None OS::TripleO::{{role.name}}ExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml # Port assignments for the {{role.name}} role + # Note we have to special-case ObjectStorage for backwards compatibility + {% if role.name != 'ObjectStorage' %} OS::TripleO::{{role.name}}::Ports::ExternalPort: network/ports/noop.yaml OS::TripleO::{{role.name}}::Ports::InternalApiPort: network/ports/noop.yaml OS::TripleO::{{role.name}}::Ports::StoragePort: network/ports/noop.yaml OS::TripleO::{{role.name}}::Ports::StorageMgmtPort: network/ports/noop.yaml OS::TripleO::{{role.name}}::Ports::TenantPort: network/ports/noop.yaml OS::TripleO::{{role.name}}::Ports::ManagementPort: network/ports/noop.yaml + {% else %} + OS::TripleO::SwiftStorage::Ports::ExternalPort: network/ports/noop.yaml + OS::TripleO::SwiftStorage::Ports::InternalApiPort: network/ports/noop.yaml + OS::TripleO::SwiftStorage::Ports::StoragePort: network/ports/noop.yaml + OS::TripleO::SwiftStorage::Ports::StorageMgmtPort: network/ports/noop.yaml + OS::TripleO::SwiftStorage::Ports::TenantPort: network/ports/noop.yaml + OS::TripleO::SwiftStorage::Ports::ManagementPort: network/ports/noop.yaml + {% endif %} OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-noop.yaml - {% endfor %} # This resource registry entry will override the one generated by default @@ -133,6 +142,8 @@ resource_registry: OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml + OS::TripleO::Services::HAProxyPublicTLS: OS::Heat::None + OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None OS::TripleO::Services::Keepalived: puppet/services/keepalived.yaml OS::TripleO::Services::Memcached: puppet/services/memcached.yaml OS::TripleO::Services::SaharaApi: OS::Heat::None diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index cae60aab..d64f70db 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -64,6 +64,9 @@ parameters: CertmongerCA: type: string default: 'IPA' + EnableInternalTLS: + type: boolean + default: false resources: @@ -207,6 +210,7 @@ resources: cloud_name_ctlplane: {get_param: cloud_name_ctlplane} # TLS parameters certmonger_ca: {get_param: CertmongerCA} + enable_internal_tls: {get_param: EnableInternalTLS} outputs: config_id: diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index b47d98a7..33abdbf9 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -18,32 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - CephClientUserName: - default: openstack - type: string Debug: default: '' description: Set to True to enable debugging on all services. type: string - GlanceNotifierStrategy: - description: Strategy to use for Glance notification queue - type: string - default: noop - GlanceLogFile: - description: The filepath of the file to use for logging messages from Glance. - type: string - default: '' GlancePassword: description: The password for the glance service and db account, used by the glance services. type: string hidden: true - GlanceBackend: - default: swift - description: The short name of the Glance backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] GlanceWorkers: default: '' description: | @@ -55,31 +37,6 @@ parameters: memory consumption. It is recommended that a suitable non-default value be selected on such systems. type: string - GlanceRbdPoolName: - default: images - type: string - RabbitPassword: - description: The password for RabbitMQ - type: string - hidden: true - RabbitUserName: - default: guest - description: The username for RabbitMQ - type: string - RabbitClientPort: - default: 5672 - description: Set rabbit subscriber port, change this if using SSL - type: number - RabbitClientUseSSL: - default: false - description: > - Rabbit client subscriber parameter to specify - an SSL connection to the RabbitMQ host. - type: string - KeystoneRegion: - type: string - default: 'regionOne' - description: Keystone region for endpoint MonitoringSubscriptionGlanceApi: default: 'overcloud-glance-api' type: string @@ -89,6 +46,14 @@ parameters: tag: openstack.glance.api path: /var/log/glance/api.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance API role. @@ -99,66 +64,46 @@ outputs: logging_groups: - glance config_settings: - glance::api::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} - glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::api::registry_host: - str_replace: - template: "'REGISTRY_HOST'" - params: - REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} - glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } - glance::api::authtoken::password: {get_param: GlancePassword} - glance::api::enable_proxy_headers_parsing: true - glance::api::debug: {get_param: Debug} - glance::api::workers: {get_param: GlanceWorkers} - glance_notifier_strategy: {get_param: GlanceNotifierStrategy} - glance_log_file: {get_param: GlanceLogFile} - glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::backend::swift::swift_store_user: service:glance - glance::backend::swift::swift_store_key: {get_param: GlancePassword} - glance::backend::swift::swift_store_create_container_on_put: true - glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} - glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} - glance_backend: {get_param: GlanceBackend} - glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} - glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} - glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} - glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} - glance::notify::rabbitmq::notification_driver: messagingv2 - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_api.firewall_rules: - '112 glance_api': - dport: - - 9292 - - 13292 - glance::api::authtoken::project_name: 'service' - glance::api::pipeline: 'keystone' - glance::api::show_image_direct_url: true - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + - glance::api::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} + glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::registry_host: + str_replace: + template: "'REGISTRY_HOST'" + params: + REGISTRY_HOST: {get_param: [EndpointMap, GlanceRegistryInternal, host]} + glance::api::registry_client_protocol: {get_param: [EndpointMap, GlanceRegistryInternal, protocol] } + glance::api::authtoken::password: {get_param: GlancePassword} + glance::api::enable_proxy_headers_parsing: true + glance::api::debug: {get_param: Debug} + glance::api::workers: {get_param: GlanceWorkers} + tripleo.glance_api.firewall_rules: + '112 glance_api': + dport: + - 9292 + - 13292 + glance::api::authtoken::project_name: 'service' + glance::api::pipeline: 'keystone' + glance::api::show_image_direct_url: true + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: - keystone: - glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} - glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} - glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} - glance::keystone::auth::password: {get_param: GlancePassword } - glance::keystone::auth::region: {get_param: KeystoneRegion} - glance::keystone::auth::tenant: 'service' + get_attr: [GlanceBase, role_data, service_config_settings] diff --git a/puppet/services/glance-base.yaml b/puppet/services/glance-base.yaml new file mode 100644 index 00000000..3294fc0f --- /dev/null +++ b/puppet/services/glance-base.yaml @@ -0,0 +1,110 @@ +heat_template_version: 2016-10-14 + +description: > + OpenStack Glance Common settings with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CephClientUserName: + default: openstack + type: string + Debug: + default: '' + description: Set to True to enable debugging on all services. + type: string + GlanceNotifierStrategy: + description: Strategy to use for Glance notification queue + type: string + default: noop + GlanceLogFile: + description: The filepath of the file to use for logging messages from Glance. + type: string + default: '' + GlancePassword: + description: The password for the glance service and db account, used by the glance services. + type: string + hidden: true + GlanceBackend: + default: swift + description: The short name of the Glance backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] + GlanceRbdPoolName: + default: images + type: string + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + +outputs: + role_data: + description: Role data for the Glance common role. + value: + service_name: glance_base + config_settings: + glance_notifier_strategy: {get_param: GlanceNotifierStrategy} + glance_log_file: {get_param: GlanceLogFile} + glance::backend::swift::swift_store_auth_address: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::backend::swift::swift_store_user: service:glance + glance::backend::swift::swift_store_key: {get_param: GlancePassword} + glance::backend::swift::swift_store_create_container_on_put: true + glance::backend::rbd::rbd_store_pool: {get_param: GlanceRbdPoolName} + glance::backend::rbd::rbd_store_user: {get_param: CephClientUserName} + glance_backend: {get_param: GlanceBackend} + glance::notify::rabbitmq::rabbit_userid: {get_param: RabbitUserName} + glance::notify::rabbitmq::rabbit_port: {get_param: RabbitClientPort} + glance::notify::rabbitmq::rabbit_password: {get_param: RabbitPassword} + glance::notify::rabbitmq::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + glance::notify::rabbitmq::notification_driver: messagingv2 + glance::registry::db::database_db_max_retries: -1 + glance::registry::db::database_max_retries: -1 + service_config_settings: + keystone: + glance::keystone::auth::public_url: {get_param: [EndpointMap, GlancePublic, uri]} + glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]} + glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]} + glance::keystone::auth::password: {get_param: GlancePassword } + glance::keystone::auth::region: {get_param: KeystoneRegion} + glance::keystone::auth::tenant: 'service' + mysql: + glance::db::mysql::password: {get_param: GlancePassword} + glance::db::mysql::user: glance + glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + glance::db::mysql::dbname: glance + glance::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index 30df67fe..c45582d4 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -46,6 +46,14 @@ parameters: tag: openstack.glance.registry path: /var/log/glance/registry.log +resources: + GlanceBase: + type: ./glance-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the Glance Registry role. @@ -56,43 +64,37 @@ outputs: logging_groups: - glance config_settings: - glance::registry::database_connection: - list_join: - - '' - - - {get_param: [EndpointMap, MysqlInternal, protocol]} - - '://glance:' - - {get_param: GlancePassword} - - '@' - - {get_param: [EndpointMap, MysqlInternal, host]} - - '/glance' - glance::registry::authtoken::password: {get_param: GlancePassword} - glance::registry::authtoken::project_name: 'service' - glance::registry::pipeline: 'keystone' - glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } - glance::registry::debug: {get_param: Debug} - glance::registry::workers: {get_param: GlanceWorkers} - glance::registry::db::database_db_max_retries: -1 - glance::registry::db::database_max_retries: -1 - tripleo.glance_registry.firewall_rules: - '112 glance_registry': - dport: - - 9191 - # NOTE: bind IP is found in Heat replacing the network name with the - # local node IP for the given network; replacement examples - # (eg. for internal_api): - # internal_api -> IP - # internal_api_uri -> [IP] - # internal_api_subnet - > IP/CIDR - glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} + map_merge: + - get_attr: [GlanceBase, role_data, config_settings] + + - glance::registry::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://glance:' + - {get_param: GlancePassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/glance' + glance::registry::authtoken::password: {get_param: GlancePassword} + glance::registry::authtoken::project_name: 'service' + glance::registry::pipeline: 'keystone' + glance::registry::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + glance::registry::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::registry::debug: {get_param: Debug} + glance::registry::workers: {get_param: GlanceWorkers} + tripleo.glance_registry.firewall_rules: + '112 glance_registry': + dport: + - 9191 + # NOTE: bind IP is found in Heat replacing the network name with the + # local node IP for the given network; replacement examples + # (eg. for internal_api): + # internal_api -> IP + # internal_api_uri -> [IP] + # internal_api_subnet - > IP/CIDR + glance::registry::bind_host: {get_param: [ServiceNetMap, GlanceRegistryNetwork]} step_config: | include ::tripleo::profile::base::glance::registry service_config_settings: - mysql: - glance::db::mysql::password: {get_param: GlancePassword} - glance::db::mysql::user: glance - glance::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} - glance::db::mysql::dbname: glance - glance::db::mysql::allowed_hosts: - - '%' - - "%{hiera('mysql_bind_host')}" + get_attr: [GlanceBase, role_data, config_settings] diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml new file mode 100644 index 00000000..c6d53542 --- /dev/null +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -0,0 +1,51 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy internal TLS via certmonger role. + value: + service_name: haproxy_internal_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::use_internal_certificates: true + certificates_specs: + map_merge: + repeat: + template: + haproxy-NETWORK: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key' + hostname: "%{hiera('cloud_name_NETWORK')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_NETWORK')}" + for_each: + NETWORK: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml new file mode 100644 index 00000000..1551d16a --- /dev/null +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -0,0 +1,37 @@ +heat_template_version: 2016-10-14 + +description: > + HAProxy deployment with TLS enabled, powered by certmonger + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the HAProxy public TLS via certmonger role. + value: + service_name: haproxy_public_tls_certmonger + config_settings: + generate_service_certificates: true + tripleo::haproxy::service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + certificates_specs: + haproxy-external: + service_pem: '/etc/pki/tls/certs/overcloud-haproxy-external.pem' + service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-external.crt' + service_key: '/etc/pki/tls/private/overcloud-haproxy-external.key' + hostname: "%{hiera('cloud_name_external')}" + postsave_cmd: "" # TODO + principal: "haproxy/%{hiera('cloud_name_external')}" diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 974928c5..0813cb7e 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2016-04-08 +heat_template_version: 2016-10-14 description: > HAproxy service configured with Puppet @@ -48,6 +48,22 @@ parameters: default: 'overcloud-haproxy' type: string +resources: + + HAProxyPublicTLS: + type: OS::TripleO::Services::HAProxyPublicTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + + HAProxyInternalTLS: + type: OS::TripleO::Services::HAProxyInternalTLS + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + outputs: role_data: description: Role data for the HAproxy role. @@ -55,14 +71,21 @@ outputs: service_name: haproxy monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: - tripleo.haproxy.firewall_rules: - '107 haproxy stats': - dport: 1993 - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} - tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} - tripleo::haproxy::redis_password: {get_param: RedisPassword} - tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} - tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] + - tripleo.haproxy.firewall_rules: + '107 haproxy stats': + dport: 1993 + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::control_virtual_interface: {get_param: ControlVirtualInterface} + tripleo::haproxy::public_virtual_interface: {get_param: PublicVirtualInterface} + tripleo::profile::base::haproxy::certificates_specs: + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] + - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] step_config: | include ::tripleo::profile::base::haproxy diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index 2f01578e..1fc88bf1 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -39,8 +39,12 @@ outputs: net.netfilter.nf_conntrack_max: value: 500000 # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.all.accept_ra: + value: 0 net.ipv6.conf.default.accept_ra: value: 0 + net.ipv6.conf.all.autoconf: + value: 0 net.ipv6.conf.default.autoconf: value: 0 net.core.netdev_max_backlog: |