Age | Commit message (Collapse) | Author | Files | Lines |
|
All of the other SSL environments were converted, but this one was
missed. That's an inconsistent user experience and should be
cleaned up.
This environment also exposed a bug in the tool where it did not
include the parameter_defaults section key if all the parameters
were marked static.
Change-Id: I19bc422c22b9f60f781e696ce703b026dc317786
Closes-Bug: 1713761
(cherry picked from commit 7c06db3d1c384773c4abccbce450c259f75e5e4a)
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
|
|
This profile will request the certificates for the services on the node.
So with this, we will remove the requesting of these certs on the
services' profiles themselves.
The reasoning for this is that for a containerized environment, the
containers won't have credentials to the CA while the baremetal node
does. So, with this, we will have this profile that still gets executed
in the baremetal nodes, and we can subsequently pass the requested
certificates by bind-mounting them on the containers. On the other hand,
this approach still works well for the TLS-everywhere case when the
services are running on baremetal.
Change-Id: Ibf58dfd7d783090e927de6629e487f968f7e05b6
Depends-On: I4d2e62b5c1b893551f9478cf5f69173c334ac81f
|
|
As with other services, this passes the necessary hieradata to enable
TLS for RabbitMQ. This will mean (once we set it via puppet-tripleo)
that there will only be TLS connections, as the ssl_only option is being
used.
bp tls-via-certmonger
Change-Id: I960bf747cd5e3040f99b28e2fc5873ca3a7472b5
Depends-On: Ic2a7f877745a0a490ddc9315123bd1180b03c514
|
|
These metadata settings (the hardcoded metadata and the hook override)
are used by the novajoin service when it's deployed in the undercloud,
and will tell it to enroll the overcloud nodes and the services that are
specified by the metadata hook.
bp novajoin
bp tls-via-certmonger
Change-Id: Ia4645cc356688b7bcf82ed7765c0b74d53d64ed1
|
|
If TLS in the internal network is enabled, we run glance-api beind a
TLS proxy (which is actually httpd's mod_proxy). This passes the
necessary hieradata.
bp tls-via-certmonger
Change-Id: I693213a1f35021b540202240e512d121cc1cd0eb
Depends-On: Id35a846d43ecae8903a0d58306d9803d5ea00bee
|
|
For usability and to reduce the number of environments that need to be
given when enabling TLS in the internal network, it's convenient to add
the enabling of TLS in the internal front-ends for HAProxy, instead of
doing that in a separate environment file.
bp tls-via-certmonger
Change-Id: Icef0c70b4b166ce2108315d5cf0763d4e8585ae1
|
|
This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.
Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there is some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).
Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
|
|
It had a wrong path and thus crashed when one tried to use it.
Change-Id: Ida4f899c76cce6e819d7e0effaf038f699763bee
Closes-Bug: #1643863
|
|
This adds an environment file that can be used to enable TLS in
the internal endpoints via certmonger if used. This will include
a nested stack that will create the hash that will be used to
create the certmonger certificates.
When setting up a service over apache via puppet, we used to disable
explicitly ssl (which sets modd_ssl-related fields for that vhost).
We now make this depend on the EnableInternalTLS flag. This has only
been done for keystone, but more services will be added as the
puppet code lands
bp tls-via-certmonger
Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
|
|
This sets up a flag that tells the profiles to use TLS (this will happen
in the internal network).
bp tls-via-certmonger
Change-Id: If47febb5b38b1c65f60f9de87a34cb31936a7c0d
|