diff options
Diffstat (limited to 'puppet/services')
| -rw-r--r-- | puppet/services/kernel.yaml | 18 | ||||
| -rw-r--r-- | puppet/services/swift-proxy.yaml | 33 |
2 files changed, 49 insertions, 2 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index bc4380a5..9b314b2a 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -39,6 +39,20 @@ outputs: value: 5 net.ipv4.tcp_keepalive_time: value: 5 + net.ipv4.conf.default.send_redirects: + value: 0 + net.ipv4.conf.all.send_redirects: + value: 0 + net.ipv4.conf.default.accept_redirects: + value: 0 + net.ipv4.conf.default.secure_redirects: + value: 0 + net.ipv4.conf.all.secure_redirects: + value: 0 + net.ipv4.conf.default.log_martians: + value: 1 + net.ipv4.conf.all.log_martians: + value: 1 net.nf_conntrack_max: value: 500000 net.netfilter.nf_conntrack_max: @@ -52,6 +66,10 @@ outputs: value: 0 net.ipv6.conf.default.autoconf: value: 0 + net.ipv6.conf.default.accept_redirects: + value: 0 + net.ipv6.conf.all.accept_redirects: + value: 0 net.core.netdev_max_backlog: value: 10000 kernel.pid_max: diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 0c3cc1ec..0ecc942c 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -63,10 +63,14 @@ parameters: Rabbit client subscriber parameter to specify an SSL connection to the RabbitMQ host. type: string + EnableInternalTLS: + type: boolean + default: false conditions: ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]} + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: SwiftBase: @@ -76,6 +80,14 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + outputs: role_data: description: Role data for the Swift proxy service. @@ -85,7 +97,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - + - get_attr: [TLSProxyBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} @@ -146,7 +158,22 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_bind_ip: + get_param: [ServiceNetMap, SwiftProxyNetwork] + tripleo::profile::base::swift::proxy::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + tripleo::profile::base::swift::proxy::tls_proxy_port: + get_param: [EndpointMap, SwiftInternal, port] + swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]} + swift::proxy::proxy_local_net_ip: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, SwiftProxyNetwork]} step_config: | include ::tripleo::profile::base::swift::proxy service_config_settings: @@ -169,3 +196,5 @@ outputs: - name: Stop swift_proxy service tags: step1 service: name=openstack-swift-proxy state=stopped + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] |