aboutsummaryrefslogtreecommitdiffstats
path: root/ssl-source.yaml
AgeCommit message (Collapse)AuthorFilesLines
2014-08-12Move cacert property out of "stunnel" and into a new "ssl" groupJonathan Brownell1-0/+3
The CA certificate is currently passed via ssl-source.yaml as "stunnel.cacert", but this value is not currently used by stunnel since we have no use case for client cert authentication. This change proposes that it also be exposed as "ssl.ca_certificate", which is consistent with the overall SSL direction being driven by the PKI spec: I32473fe797a4c1e28d14c3b82c8892c7c59a4e55 This new CA certificate value will be installed as a trusted CA on all cloud nodes that issue SSL-secured connection requests to OpenStack or other infrastructure (MySQL, RabbitMQ) services. Change-Id: Ibacd7c98980520e11c0df89632013f2ba2dbe370
2014-08-04Port all templates to HOTSteve Baker1-16/+16
This change was generated and validated by running the following: make hot clean all validate-all This converts all templates to be valid HOT. Fn::Select is not converted in this change but this will actually work with heat_template_version 2013-05-23. Fn::Select is converted manually in the next change in this series. This change also sets the heat_template_version to 2014-10-16 which includes the list_join intrinsic functions used throughout these templates. Partial-Blueprint: tripleo-juno-remove-mergepy Change-Id: Ib3cbb83f6ae94adb7b793ab1b662bd5c55cbb5b3
2014-07-19Fix SSL with HAProxy.Robert Collins1-0/+16
The current configuration of services is that if SSL is in use (signaled by stunnel.connect_ip) we bind to 127.0.0.1 - which is great, but it breaks simultaneous non-SSL due to there being no pass-through stunnel equivalent on all the nodes. As an interim measure, teach stunnel to connect to the ctlplane address instead. We will need this flexability in future anyway to deal with mixed-mode configurations, but we don't yet have an SSL only configuration. The change will permit SSL only by altering the Deployment object only - the SSL config object should now be flexible enough to run in either mode (but as yet on an all-one-way-or-the-other basis). Change-Id: Ibac3dec1fe7b573029482fdd9ad2d2f6223fbce0
2014-06-04Setup SSL for CeilometerRob Parker1-0/+3
Establish the Public (SSL) port, 13777, and connect it to the internal port, 8777 Change-Id: I7bba7f8224b6e31fc4f5444eee679ca5a4ce4ebe
2014-05-20ssl: Add support for a CA CertificateStuart McLaren1-0/+6
Add SSLCACertificate to the overcloud yaml. This allows a CA certificate to be specified in cases where the Cert does not come from a CA in the system bundle. Partially implements: blueprint tripleo-ssl-overcloud Full set of blueprint changes: https://review.openstack.org/#/c/85098 https://review.openstack.org/#/c/85099 https://review.openstack.org/#/c/85100 Change-Id: I67d7c1362df323762023be5c74fbe75b1583570c
2014-05-02Specify group os-apply-config for config resourcesSteve Baker1-0/+1
This will indicate to os-collect-config that this config resource represents os-apply-config configuration data, so it can only write out top-level config files for os-apply-config data (or Heat::Ungrouped for backwards compatibility). Change-Id: I3552fdd6df8106ab83cfd17d5f4b137cf33fbc36 Related-Bug: #1299109
2014-04-16Switch overcloud to software-configClint Byrum1-30/+31
This migrates the overcloud to using OS::Heat::StructuredConfig and OS::Heat::StructuredDeployment. With those tools, we can decouple servers from software configuration and begin to deprecate features in tripleo_heat_merge. Change-Id: Ice85f0711e90d0fabf1d1bc4698201c4d6758508
2014-04-09Stop using notCompute in favor of controllerDan Prince1-1/+1
Updates all references for notCompute and notcompute to use 'controller' instead. Change-Id: I70ef83f35064ab388bdc7e1a6da62b6585580010 Partial-bug: #1300324
2014-01-31Prep work for a scalable control plane.Robert Collins1-1/+1
This is complete as far as it goes but it isn't enough to make running a scaled out control plane actually work. Specifically, the constructs to point at API hosts based on looking up a network address aren't suirtable for scaled out - we need to be using the virtual IP or DNS round robin or other such resilient configurations, but that is largely / entirely orthogonal to making the template be ready for scaling. Change-Id: Ib9e6db5e7d5db84e4746afdabea046d2b8702bbb
2014-01-17Add SSL configuration metadata for overclouds.Robert Collins1-0/+43
This passes SSL keys in via Heat which places a high cost on heat compromises or the use of a non-SSL heat to do deploys. We'll want to ensure that that is documented clearly. Change-Id: I14d441460116fda91fbd1d2097c5598b57155a6d