aboutsummaryrefslogtreecommitdiffstats
path: root/environments/enable-tls.yaml
AgeCommit message (Collapse)AuthorFilesLines
2017-06-08Change HorizonSecureCookies default to FalseBen Nemec1-0/+1
HorizonSecureCookies is incompatible with non-ssl deployments, which is our default deployment method. When SSL is in use, it can be turned on in the enable-tls.yaml file. This does mean that existing users won't automatically get this feature turned on as part of their upgrade because enable-tls.yaml is an environment that is intended to be copied and edited, but it's simple to add the parameter to the file for users who want that behavior after they upgrade to a version where it is available. Change-Id: If83d3d8709fc4e0c09569e8bf524721d332bf560 Closes-Bug: 1696861
2016-08-23Move resource registry override to enable-tls.yamlJuan Antonio Osorio Robles1-0/+3
It makes more sense for the enable-tls.yaml file to contain the resource registry override, since it contains parameters that are actually used there. Also, this allows us to reuse the tls-endpoints-public-* files for other methods of enabling TLS (such as with certmonger). Change-Id: I98c63d0007e61968c0490a474eddb42548891fa6
2016-08-12Decouple EndpointMap from SSL certificate paramsBen Nemec1-52/+3
Having the endpoint map in the same environment as the SSL certificate parameters means that every time a service is added to the overcloud, the user must remember to update their copy of enable-tls.yaml to reflect the new service. To avoid this, let's separate the SSL EndpointMap from the SSL certificates so users can simply pass the shipped list of SSL endpoints and only have to customize the certificate env file. As and added bonus, this means they won't have to put the certificates in enable-tls.yaml specifically. The parameters can be set anywhere, and will be used as long as one of the tls-endpoints envs is also specified. inject-trust-anchor.yaml is not changed, but it could already be used in the same fashion. The root certificate param could be set in any env passed after inject-trust-anchor.yaml, and then inject-trust-anchor.yaml would only be responsible for setting the appropriate resource_registry entry. This way there is no need to customize the in-tree inject-trust-anchor.yaml either. Change-Id: I38eabb903b8382e6577ccc97e21fbb9d09c382b3
2016-08-11Convert EndpointMap to not require per-service VIP parametersSteven Hardy1-1/+0
Currently we have a hard-coded set of per-service parameters, which will cause problems for custom roles and full composability. As a first step towards making this more configurable, remove the hard-coded per-service parameters from overcloud.yaml, and adjust the EndpointMap generation to instead accept two mappings, the ServiceNetMap and a mapping of networks to IPs (effectively this just moves the map lookup inside the endpoint map instead of inside overcloud.yaml) Change-Id: Ib522e89c36eed2115a6586dd5a6770907d9b33db Partially-Implements: blueprint custom-roles
2016-08-02Enable Manila integration - as a composable controller serviceRyan Hefner1-0/+3
Allows the installation and configuration of Manila. Supports the generic driver only. This has a dependency on the puppet-tripleo classes for manila where the puppet specific config now lives. The review at https://review.openstack.org/#/c/315658/ has been merge into this one, as of v68, so manila lands as a composable service. This was brought up on the mailing list at [1] [1] http://lists.openstack.org/pipermail/openstack-dev/2016-May/096126.html Co-Authored-By: Marios Andreou <marios@redhat.com> Implements: blueprint composable-services-within-roles Depends-On: I444916d60a67bf730bf4089323dba1c1429e2e71 Depends-On: I9eda4b3364e5c59342761a1ec71b0eb567c69cf1 Depends-On: I571b65a5402c1028418476a573ebeb9450ed00c9 Change-Id: I7acebac4354fca1f8d7ff6c343c1346bf29b81c6
2016-07-18Add MysqlNoBracketsInternal to enable-tls.yamlJuan Antonio Osorio Robles1-0/+1
Change-Id: Ife466e6a8b8112777d4c0e845e31fa633da5e53d
2016-06-29Basic support for deploying Ironic in overcloudImre Farkas1-0/+3
Note that this change is not enough yet to deploy bare metal instances, it only deploys Ironic services themselves and makes sure they work. Also it does not support HA for now. Co-Authored-By: Dmitry Tantsur <dtansur@redhat.com> Partially-implements: blueprint ironic-integration Change-Id: I541be905022264e2d4828e7c46338f2e300df540
2016-05-30Pass MysqlVirtualIP via EndpointMapGiulio Fidente1-0/+1
By passing the MysqlVirtualIP via the EndpointMap we won't need it to be provided as a parameter to the services. This follows what is already happening for the glance registry service with I9186e56cd4746a60e65dc5ac12e6595ac56505f0. Change-Id: Iad2ab389bf64d0fc8b06eb0e7d29b5370ff27dff Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2016-05-19Merge "add heat-api-cfn to endpoint map"Jenkins1-0/+3
2016-05-16Remove Nova EC2 deploymentEmilien Macchi1-3/+0
Nova EC2 does not exist anymore since Mitaka, parameters are already deprecated in Mitaka and send warnings to the Puppet catalog. The service has been replaced by ec2api project, where Puppet OpenStack team is currently writting a module. In the meantime we add support in TripleO, this patch removes all occurences of Nova EC2 configuration, which are useless and send warnings for nothing. Change-Id: Ief2d0e5c77b5ac58560606fee930fbd66c40ffc3
2016-05-12add heat-api-cfn to endpoint mapSteven Hardy1-0/+3
Change-Id: I8f98ce92fc387d2263fda738c1c8a209e3cbbb85
2016-04-21The Sahara SSL endpoint was announced on the wrong portGiulio Fidente1-1/+1
Change-Id: I0cab3cdb2189dab3844f2eda52b8697d05ad3447
2016-04-14Add GlanceRegistry to the endpoint mapDan Prince1-0/+1
This patch adds GlanceRegistry to the endpoint map. This will make accessing Glance registry setings via the endpoint map possible. Change-Id: I9186e56cd4746a60e65dc5ac12e6595ac56505f0
2016-04-11Deploy Gnocchi as a Ceilometer metrics storage backendPradeep Kilambi1-0/+3
* Deploy Gnocchi API. * Storage backends: swift, rbd and file. * Indexer backend default to mysql * Configure Ceilometer to send metrics datas to Gnocchi * Pacemaker config Depends-On: Ic8778a3104e0ed0460423e4bf857682220dc5802 Depends-On: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2 Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com> Change-Id: Ifde17b1ab8fa2b30544633e455e1c7eb475705aa
2016-04-11Don't have separate protocols/ports for Keystone v3Zane Bitter1-3/+0
The change in ab068a824ed51e78bf111387223e58e885ec5c84 is described as temporary, so it would be better if it did not affect the EndpointMap parameter (which is effectively a public interface, since it may be overridden in an environment file). No configuration should end up with different ports/protocols/hosts for Keystone v2 and v3, and somebody customising them should not have to account for them separately. Nor should things break when the need to distinguish between v2 and v3 endpoints goes away. This change removes the KeystoneV3* keys from the EndpointMap input and uses the Keystone* keys instead, so that any change to the internal organisation becomes transparent to the user. Change-Id: If4cdd9232f4dbc9f2af651bbdfe68f09dc26ed2e
2016-03-24Merge "Deploy Aodh services, replacing Ceilometer Alarm"Jenkins1-0/+3
2016-03-20Deploy Aodh services, replacing Ceilometer AlarmPradeep Kilambi1-0/+3
Ceilometer Alarm is deprecated in Liberty by Aodh. This patch: * manage Aodh Keystone resources * deploy Aodh API under WSGI, Notifier, Listener and Evaluator * manage new parameters to customize Aodh deployment * uses ceilometer DB for the upgrade path * pacemaker config * Add migration logic to remove pcs resources Depends-On: I5333faa72e52d2aa2a622ac2d4b60825aadc52b5 Depends-On: Ib6c9c4c35da3fb55e0ca8e2d5a58ebaf4204d792 Co-Authored-By: Emilien Macchi <emilien@redhat.com> Change-Id: Ib47a22884afb032ebc1655e1a4a06bfe70249134
2016-03-18Remove GlanceRegistry from EndpointMapGiulio Fidente1-3/+0
We don't need an endpoint for the glance-registry service, that is used by glance-api when needed and is not meant to be user-facing. Change-Id: Ia6c9dd6164d3b91adbc937d70fa74d5fbbfb28a3
2016-03-08Update enable-tls.yaml with new endpointsBen Nemec1-0/+6
A couple of new endpoints have been added, and if they're not in the configured value for EndpointMap it will cause problems. Sahara is not added as ssl-enabled because I don't believe it has been added to the loadbalancer yet. Note that there is work underway to CI overcloud SSL, which should catch problems like this in the future. Change-Id: Ia8a106fd94da7be8675ea84f5fbb9ac959771d10
2016-03-04Revert "Deploy Aodh services, replacing Ceilometer Alarm"James Slagle1-3/+0
This just a revert to see if reverting this gets back to a normal CI run time. This reverts commit f72aed85594f223b6f888e6d0af3c880ea581a66. Change-Id: I04a0893f6cf69f547a4db26261005e580e1fc90b
2016-03-03Deploy Aodh services, replacing Ceilometer AlarmEmilien Macchi1-0/+3
Ceilometer Alarm is deprecated in Liberty by Aodh. This patch: * manage Aodh Keystone resources * deploy Aodh API under WSGI, Notifier, Listener and Evaluator * manage new parameters to customize Aodh deployment * uses ceilometer DB for the upgrade path * pacemaker config Depends-On: I9e34485285829884d9c954b804e3bdd5d6e31635 Depends-On: I891985da9248a88c6ce2df1dd186881f582605ee Depends-On: Ied8ba5985f43a5c5b3be5b35a091aef6ed86572f Co-Authored-By: Pradeep Kilambi <pkilambi@redhat.com> Change-Id: I58d419173e80d2462accf7324c987c71420fd5f6
2016-01-15Allow vncproxy to work with ssl enabledBen Nemec1-0/+3
Right now our vncproxy settings are hard-coded to http and the non-ssl port. This change adds a vncproxy entry to the endpoint map and uses those values to configure the proxy correctly on compute nodes. This is sufficient to get it working in my environment with ssl enabled. Change-Id: I9d69b088eef4700959b33c7e0eb44932949d7b71
2015-12-08Enable TLS in loadbalancer if cert path is detectedJuan Antonio Osorio Robles1-0/+32
If there is a value for the certificate path (which should only happen if the environment for enabling TLS is used) then the loadbalancer will detect it and configure it's front ends correctly. On the other hand a proper override for the example environment was given, since this will be needed because we want to pass the hosts and protocols correctly so the tripleoclient will catch it and pass it to os-cloud-config Change-Id: Ifba51495f0c99398291cfd29d10c04ec33b8fc34 Depends-On: Ie2428093b270ab8bc19fcb2130bb16a41ca0ce09
2015-11-23Inject TLS certificate and keys for the OvercloudJuan Antonio Osorio Robles1-0/+9
This is a first implementation of adding TLS termination to the load balancer in the controllers. The implementation was made so that the appropriate certificate/private key in PEM format is copied to the appropriate controller(s) via a software deployment resource. And the path is then referenced on the HAProxy configuration, but this part was left commented out because we need to be able to configure the keystone endpoints in order for this to work properly. Change-Id: I0ba8e38d75a0c628d8132a66dc25a30fc5183c79