Age | Commit message | Author | Files | Lines |
|
The CA certificate is currently passed via ssl-source.yaml as
"stunnel.cacert", but this value is not currently used by stunnel
since we have no use case for client cert authentication.
This change proposes that it also be exposed as
"ssl.ca_certificate", which is consistent with the overall SSL
direction being driven by the PKI spec:
I32473fe797a4c1e28d14c3b82c8892c7c59a4e55
This new CA certificate value will be installed as a trusted CA
on all cloud nodes that issue SSL-secured connection requests to
OpenStack or other infrastructure (MySQL, RabbitMQ) services.
Change-Id: Ibacd7c98980520e11c0df89632013f2ba2dbe370
|
|
This change was generated and validated by running the following:
make hot clean all validate-all
This converts all templates to be valid HOT.
Fn::Select is not converted in this change but this will actually
work with heat_template_version 2013-05-23. Fn::Select is converted
manually in the next change in this series.
This change also sets the heat_template_version to 2014-10-16 which
includes the list_join intrinsic functions used throughout these
templates.
Partial-Blueprint: tripleo-juno-remove-mergepy
Change-Id: Ib3cbb83f6ae94adb7b793ab1b662bd5c55cbb5b3
|
|
The current configuration of services is that if SSL is in use (signaled by
stunnel.connect_ip) we bind to 127.0.0.1 - which is great, but it breaks
simultaneous non-SSL due to there being no pass-through stunnel equivalent on
all the nodes. As an interim measure, teach stunnel to connect to the ctlplane
address instead. We will need this flexibility in future anyway to deal with
mixed-mode configurations, but we don't yet have an SSL only configuration.
The change will permit SSL only by altering the Deployment object only - the
SSL config object should now be flexible enough to run in either mode (but as
yet on an all-one-way-or-the-other basis).
Change-Id: Ibac3dec1fe7b573029482fdd9ad2d2f6223fbce0
|
|
Establish the Public (SSL) port, 13777, and connect it to the internal port, 8777
Change-Id: I7bba7f8224b6e31fc4f5444eee679ca5a4ce4ebe
|
|
Add SSLCACertificate to the overcloud yaml.
This allows a CA certificate to be specified in cases where the Cert
does not come from a CA in the system bundle.
Partially implements: blueprint tripleo-ssl-overcloud
Full set of blueprint changes:
https://review.openstack.org/#/c/85098
https://review.openstack.org/#/c/85099
https://review.openstack.org/#/c/85100
Change-Id: I67d7c1362df323762023be5c74fbe75b1583570c
|
|
This will indicate to os-collect-config that this config
resource represents os-apply-config configuration data,
so it can only write out top-level config files for
os-apply-config data (or Heat::Ungrouped for backwards
compatibility).
Change-Id: I3552fdd6df8106ab83cfd17d5f4b137cf33fbc36
Related-Bug: #1299109
|
|
This migrates the overcloud to using OS::Heat::StructuredConfig and
OS::Heat::StructuredDeployment. With those tools, we can decouple
servers from software configuration and begin to deprecate features in
tripleo_heat_merge.
Change-Id: Ice85f0711e90d0fabf1d1bc4698201c4d6758508
|
|
Updates all references for notCompute and notcompute
to use 'controller' instead.
Change-Id: I70ef83f35064ab388bdc7e1a6da62b6585580010
Partial-bug: #1300324
|
|
This is complete as far as it goes but it isn't enough to make running
a scaled out control plane actually work. Specifically, the constructs
to point at API hosts based on looking up a network address aren't
suitable for scaled out - we need to be using the virtual IP or DNS
round robin or other such resilient configurations, but that is
largely / entirely orthogonal to making the template be ready for
scaling.
Change-Id: Ib9e6db5e7d5db84e4746afdabea046d2b8702bbb
|
|
This passes SSL keys in via Heat which places a high cost on heat
compromises or the use of a non-SSL heat to do deploys. We'll want
to ensure that that is documented clearly.
Change-Id: I14d441460116fda91fbd1d2097c5598b57155a6d
|