diff options
-rw-r--r-- | environments/enable-tls.yaml | 55 | ||||
-rw-r--r-- | environments/tls-endpoints-public-dns.yaml | 55 | ||||
-rw-r--r-- | environments/tls-endpoints-public-ip.yaml | 55 | ||||
-rw-r--r-- | overcloud-resource-registry-puppet.yaml | 5 | ||||
-rw-r--r-- | overcloud.yaml | 2 | ||||
-rw-r--r-- | puppet/all-nodes-config.yaml | 32 | ||||
-rw-r--r-- | puppet/services/gnocchi-api.yaml | 25 | ||||
-rw-r--r-- | puppet/services/gnocchi-base.yaml | 16 | ||||
-rw-r--r-- | puppet/services/neutron-api.yaml (renamed from puppet/services/neutron-server.yaml) | 2 |
9 files changed, 139 insertions, 108 deletions
diff --git a/environments/enable-tls.yaml b/environments/enable-tls.yaml index 290d2011..a3f39ebe 100644 --- a/environments/enable-tls.yaml +++ b/environments/enable-tls.yaml @@ -1,58 +1,9 @@ +# Use this environment to pass in certificates for SSL deployments. +# For these values to take effect, one of the tls-endpoints-*.yaml environments +# must also be used. parameter_defaults: SSLCertificate: | The contents of your certificate go here SSLIntermediateCertificate: '' SSLKey: | The contents of the private key go here - EndpointMap: - AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} - AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} - AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} - CeilometerAdmin: {protocol: 'http', port: '8777', host: 'IP_ADDRESS'} - CeilometerInternal: {protocol: 'http', port: '8777', host: 'IP_ADDRESS'} - CeilometerPublic: {protocol: 'https', port: '13777', host: 'CLOUDNAME'} - CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} - CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} - CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} - GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} - GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} - GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} - GlanceRegistryInternal: {protocol: 'http', port: '9191', host: 'IP_ADDRESS'} - GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} - GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} - GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} - HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} - HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} - HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} - HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} - HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} - HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} - HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} - IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} - IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} - IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} - KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'} - KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'} - KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} - ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} - ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} - ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} - MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'} - NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} - NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} - NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} - NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} - NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} - NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} - NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} - NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} - NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} - SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} - SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} - SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'} - SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} - SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} - SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} - -resource_registry: - OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml diff --git a/environments/tls-endpoints-public-dns.yaml b/environments/tls-endpoints-public-dns.yaml new file mode 100644 index 00000000..3629672a --- /dev/null +++ b/environments/tls-endpoints-public-dns.yaml @@ -0,0 +1,55 @@ +# Use this environment when deploying an SSL-enabled overcloud where the public +# endpoint is a DNS name. +parameter_defaults: + EndpointMap: + AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} + AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} + AodhPublic: {protocol: 'https', port: '13042', host: 'CLOUDNAME'} + CeilometerAdmin: {protocol: 'http', port: '8777', host: 'IP_ADDRESS'} + CeilometerInternal: {protocol: 'http', port: '8777', host: 'IP_ADDRESS'} + CeilometerPublic: {protocol: 'https', port: '13777', host: 'CLOUDNAME'} + CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} + CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} + CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} + GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} + GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} + GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} + GlanceRegistryInternal: {protocol: 'http', port: '9191', host: 'IP_ADDRESS'} + GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} + GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} + GnocchiPublic: {protocol: 'https', port: '13041', host: 'CLOUDNAME'} + HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} + HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} + HeatPublic: {protocol: 'https', port: '13004', host: 'CLOUDNAME'} + HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} + HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} + HeatCfnPublic: {protocol: 'https', port: '13005', host: 'CLOUDNAME'} + HorizonPublic: {protocol: 'https', port: '443', host: 'CLOUDNAME'} + IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} + IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} + IronicPublic: {protocol: 'https', port: '13385', host: 'CLOUDNAME'} + KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'} + KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'} + KeystonePublic: {protocol: 'https', port: '13000', host: 'CLOUDNAME'} + ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} + ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} + ManilaPublic: {protocol: 'https', port: '13786', host: 'CLOUDNAME'} + MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'} + NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} + NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} + NeutronPublic: {protocol: 'https', port: '13696', host: 'CLOUDNAME'} + NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} + NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} + NovaPublic: {protocol: 'https', port: '13774', host: 'CLOUDNAME'} + NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} + NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} + NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} + SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} + SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} + SaharaPublic: {protocol: 'https', port: '13386', host: 'CLOUDNAME'} + SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} + +resource_registry: + OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml diff --git a/environments/tls-endpoints-public-ip.yaml b/environments/tls-endpoints-public-ip.yaml new file mode 100644 index 00000000..d3f07cda --- /dev/null +++ b/environments/tls-endpoints-public-ip.yaml @@ -0,0 +1,55 @@ +# Use this environment when deploying an SSL-enabled overcloud where the public +# endpoint is an IP address. +parameter_defaults: + EndpointMap: + AodhAdmin: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} + AodhInternal: {protocol: 'http', port: '8042', host: 'IP_ADDRESS'} + AodhPublic: {protocol: 'https', port: '13042', host: 'IP_ADDRESS'} + CeilometerAdmin: {protocol: 'http', port: '8777', host: 'IP_ADDRESS'} + CeilometerInternal: {protocol: 'http', port: '8777', host: 'IP_ADDRESS'} + CeilometerPublic: {protocol: 'https', port: '13777', host: 'IP_ADDRESS'} + CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} + CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} + CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'} + GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} + GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} + GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'} + GlanceRegistryInternal: {protocol: 'http', port: '9191', host: 'IP_ADDRESS'} + GnocchiAdmin: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} + GnocchiInternal: {protocol: 'http', port: '8041', host: 'IP_ADDRESS'} + GnocchiPublic: {protocol: 'https', port: '13041', host: 'IP_ADDRESS'} + HeatAdmin: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} + HeatInternal: {protocol: 'http', port: '8004', host: 'IP_ADDRESS'} + HeatPublic: {protocol: 'https', port: '13004', host: 'IP_ADDRESS'} + HeatCfnAdmin: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} + HeatCfnInternal: {protocol: 'http', port: '8000', host: 'IP_ADDRESS'} + HeatCfnPublic: {protocol: 'https', port: '13005', host: 'IP_ADDRESS'} + HorizonPublic: {protocol: 'https', port: '443', host: 'IP_ADDRESS'} + IronicAdmin: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} + IronicInternal: {protocol: 'http', port: '6385', host: 'IP_ADDRESS'} + IronicPublic: {protocol: 'https', port: '13385', host: 'IP_ADDRESS'} + KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'} + KeystoneInternal: {protocol: 'http', port: '5000', host: 'IP_ADDRESS'} + KeystonePublic: {protocol: 'https', port: '13000', host: 'IP_ADDRESS'} + ManilaAdmin: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} + ManilaInternal: {protocol: 'http', port: '8786', host: 'IP_ADDRESS'} + ManilaPublic: {protocol: 'https', port: '13786', host: 'IP_ADDRESS'} + MysqlInternal: {protocol: 'mysql+pymysql', port: '3306', host: 'IP_ADDRESS'} + NeutronAdmin: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} + NeutronInternal: {protocol: 'http', port: '9696', host: 'IP_ADDRESS'} + NeutronPublic: {protocol: 'https', port: '13696', host: 'IP_ADDRESS'} + NovaAdmin: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} + NovaInternal: {protocol: 'http', port: '8774', host: 'IP_ADDRESS'} + NovaPublic: {protocol: 'https', port: '13774', host: 'IP_ADDRESS'} + NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} + NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} + NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'} + SaharaAdmin: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} + SaharaInternal: {protocol: 'http', port: '8386', host: 'IP_ADDRESS'} + SaharaPublic: {protocol: 'https', port: '13386', host: 'IP_ADDRESS'} + SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'} + +resource_registry: + OS::TripleO::NodeTLSData: ../puppet/extraconfig/tls/tls-cert-inject.yaml diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml index 10d4b25d..4219db58 100644 --- a/overcloud-resource-registry-puppet.yaml +++ b/overcloud-resource-registry-puppet.yaml @@ -150,7 +150,10 @@ resource_registry: OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml - OS::TripleO::Services::NeutronServer: puppet/services/neutron-server.yaml + # FIXME(shardy) the duplicate NeutronServer line can be removed when we've updated + # the multinode job ControllerServices after this patch merges + OS::TripleO::Services::NeutronServer: puppet/services/neutron-api.yaml + OS::TripleO::Services::NeutronApi: puppet/services/neutron-api.yaml OS::TripleO::Services::NeutronCorePlugin: puppet/services/neutron-plugin-ml2.yaml # can be the same as NeutronCorePlugin but some vendors install different # things where VMs run diff --git a/overcloud.yaml b/overcloud.yaml index e8734851..2c0076e3 100644 --- a/overcloud.yaml +++ b/overcloud.yaml @@ -128,7 +128,7 @@ parameters: - OS::TripleO::Services::NeutronDhcpAgent - OS::TripleO::Services::NeutronL3Agent - OS::TripleO::Services::NeutronMetadataAgent - - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::NeutronApi - OS::TripleO::Services::NeutronCorePlugin - OS::TripleO::Services::NeutronOvsAgent - OS::TripleO::Services::RabbitMQ diff --git a/puppet/all-nodes-config.yaml b/puppet/all-nodes-config.yaml index 6f13b74e..f1ce42b1 100644 --- a/puppet/all-nodes-config.yaml +++ b/puppet/all-nodes-config.yaml @@ -104,14 +104,6 @@ resources: list_join: - ',' - {get_param: controller_names} - rabbit_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: rabbit_node_ips} rabbitmq_node_ips: &rabbit_nodes_array str_replace: template: "['SERVERS_LIST']" @@ -128,14 +120,6 @@ resources: list_join: - "','" - {get_param: mongo_node_ips} - mongo_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: mongo_node_ips} redis_node_ips: str_replace: template: "['SERVERS_LIST']" @@ -160,22 +144,6 @@ resources: list_join: - "]','inet6:[" - {get_param: memcache_node_ips} - memcache_node_ips: - str_replace: - template: "['SERVERS_LIST']" - params: - SERVERS_LIST: - list_join: - - "','" - - {get_param: memcache_node_ips} - memcache_node_ips_v6: - str_replace: - template: "['inet6:[SERVERS_LIST]']" - params: - SERVERS_LIST: - list_join: - - "]','inet6:[" - - {get_param: memcache_node_ips} mysql_node_ips: str_replace: template: "['SERVERS_LIST']" diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 265cb9f0..19c77612 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml @@ -13,6 +13,13 @@ parameters: description: The password for the gnocchi service and db account. type: string hidden: true + GnocchiBackend: + default: file + description: The short name of the Gnocchi backend to use. Should be one + of swift, rbd, or file + type: string + constraints: + - allowed_values: ['swift', 'file', 'rbd'] KeystoneRegion: type: string default: 'regionOne' @@ -37,12 +44,20 @@ outputs: dport: - 8041 - 13041 - gnocchi::api::keystone_tenant: 'service' - gnocchi::keystone::auth::tenant: 'service' - gnocchi::keystone::auth::region: {get_param: KeystoneRegion} + gnocchi::api::enabled: true + gnocchi::api::manage_service: false + gnocchi::api::service_name: 'httpd' + gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] } + gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]} gnocchi::keystone::auth::password: {get_param: GnocchiPassword} gnocchi::keystone::auth::public_url: { get_param: [ EndpointMap, GnocchiPublic, uri ] } - gnocchi::keystone::auth::internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]} - gnocchi::keystone::auth::admin_url: { get_param: [ EndpointMap, GnocchiAdmin, uri ] } + gnocchi::keystone::auth::region: {get_param: KeystoneRegion} + gnocchi::keystone::auth::tenant: 'service' + gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} + gnocchi::keystone::authtoken::project_name: 'service' + gnocchi::wsgi::apache::ssl: false + tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} step_config: | include ::tripleo::profile::base::gnocchi::api diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index a072e8ef..844d1469 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -9,13 +9,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - GnocchiBackend: - default: file - description: The short name of the Gnocchi backend to use. Should be one - of swift, rbd, or file - type: string - constraints: - - allowed_values: ['swift', 'file', 'rbd'] GnocchiIndexerBackend: default: 'mysql' description: The short name of the Gnocchi indexer backend to use. @@ -62,13 +55,6 @@ outputs: - '/gnocchi' gnocchi::db::mysql::password: {get_param: GnocchiPassword} gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' - #Gnocchi API - tripleo::profile::base::gnocchi::api::gnocchi_backend: {get_param: GnocchiBackend} - gnocchi::api::manage_service: false - gnocchi::api::enabled: true - gnocchi::api::service_name: 'httpd' - gnocchi::api::keystone_password: {get_param: GnocchiPassword} - gnocchi::wsgi::apache::ssl: false gnocchi::storage::coordination_url: list_join: - '' @@ -102,5 +88,3 @@ outputs: gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" - gnocchi::auth::auth_region: {get_param: KeystoneRegion} - gnocchi::auth::auth_tenant_name: 'service' diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-api.yaml index c40b37b0..c0c8122c 100644 --- a/puppet/services/neutron-server.yaml +++ b/puppet/services/neutron-api.yaml @@ -47,7 +47,7 @@ outputs: role_data: description: Role data for the Neutron Server agent service. value: - service_name: neutron_server + service_name: neutron_api config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] |