Fix SSL with HAProxy.

The current configuration of services is that if SSL is in use (signaled by
stunnel.connect_ip) we bind to 127.0.0.1 - which is great, but it breaks
simultaneous non-SSL due to there being no pass-through stunnel equivalent on
all the nodes. As an interim measure, teach stunnel to connect to the ctlplane
address instead. We will need this flexibility in future anyway to deal with
mixed-mode configurations, but we don't yet have an SSL only configuration.

The change will permit SSL only by altering the Deployment object only - the
SSL config object should now be flexible enough to run in either mode (but as
yet on an all-one-way-or-the-other basis).

Change-Id: Ibac3dec1fe7b573029482fdd9ad2d2f6223fbce0
Robert Collins 2014-07-18 20:56:23 +12:00
parent c71b0a2a75
commit 1924e3ac3a
2 changed files with 24 additions and 0 deletions

@ -670,6 +670,14 @@ Resources:
server: {Ref: controller0}
signal_transport: NO_SIGNAL
input_values:
controller_host:
Fn::Select:
- 0
- Fn::Select:
- ctlplane
- Fn::GetAtt:
- controller0
- networks
ssl_certificate: {Ref: SSLCertificate}
ssl_key: {Ref: SSLKey}
ssl_ca_certificate: {Ref: SSLCACertificate}

@ -31,24 +31,40 @@ Resources:
- name: 'ec2'
accept: 13773
connect: 8773
connect_host:
get_input: controller_host
- name: 'image'
accept: 13292
connect: 9292
connect_host:
get_input: controller_host
- name: 'identity'
accept: 13000
connect: 5000
connect_host:
get_input: controller_host
- name: 'network'
accept: 13696
connect: 9696
connect_host:
get_input: controller_host
- name: 'compute'
accept: 13774
connect: 8774
connect_host:
get_input: controller_host
- name: 'swift-proxy'
accept: 13080
connect: 8080
connect_host:
get_input: controller_host
- name: 'cinder'
accept: 13776
connect: 8776
connect_host:
get_input: controller_host
- name: 'ceilometer'
accept: 13777
connect: 8777
connect_host:
get_input: controller_host
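Review bot: Every service entry now sets connect_host from get_input: controller_host, but nothing visible in this hunk declares that input or gives it a default, so a deployment that does not pass controller_host has no defined connect target. Consider declaring the input with a description and a default of 127.0.0.1 so the existing loopback behaviour is preserved when the Deployment object does not supply an address, which matches the commit message's goal of switching modes by altering the Deployment object only. The same two lines are repeated for all eight services (ec2 through ceilometer); if the template format allows it, a single shared value would reduce the chance of one entry being missed when mixed-mode support is added. A comment at the top of the list noting that connect ports such as 5000 and 9292 carry unencrypted traffic to whatever connect_host resolves to would make the exposure explicit for operators.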