openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Change default endpoint map entries to use TLS"

Browse Source
This commit is contained in:
Zuul 2018-05-15 12:28:26 +00:00 committed by Gerrit Code Review
commit aec81d595e
3 changed files with 93 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
network/endpoints/endpoint_data.yaml
View File

@ -6,6 +6,8 @@ Aodh:
net_param: AodhApi
Public:
net_param: Public
protocol: https
port: 13042
Admin:
net_param: AodhApi
port: 8042
@ -15,6 +17,8 @@ Barbican:
net_param: BarbicanApi
Public:
net_param: Public
protocol: https
port: 13311
Admin:
net_param: BarbicanApi
port: 9311
@ -24,6 +28,8 @@ Ceilometer:
net_param: CeilometerApi
Public:
net_param: Public
protocol: https
port: 13777
Admin:
net_param: CeilometerApi
port: 8777
@ -33,6 +39,8 @@ Designate:
net_param: DesignateApi
Public:
net_param: Public
protocol: https
port: 13001
Admin:
net_param: DesignateApi
port: 9001
@ -42,6 +50,8 @@ Ec2Api:
net_param: Ec2Api
Public:
net_param: Public
protocol: https
port: 13788
Admin:
net_param: Ec2Api
port: 8788
@ -51,6 +61,8 @@ Gnocchi:
net_param: GnocchiApi
Public:
net_param: Public
protocol: https
port: 13041
Admin:
net_param: GnocchiApi
port: 8041
@ -60,6 +72,8 @@ Panko:
net_param: PankoApi
Public:
net_param: Public
protocol: https
portt: 13977
Admin:
net_param: PankoApi
port: 8977
@ -77,6 +91,8 @@ Cinder:
'': /v1/%(tenant_id)s
V2: /v2/%(tenant_id)s
V3: /v3/%(tenant_id)s
protocol: https
port: 13776
Admin:
net_param: CinderApi
uri_suffixes:
@ -90,6 +106,8 @@ Congress:
net_param: CongressApi
Public:
net_param: Public
protocol: https
port: 13789
Admin:
net_param: CongressApi
port: 1789
@ -99,6 +117,8 @@ Glance:
net_param: GlanceApi
Public:
net_param: Public
protocol: https
port: 13292
Admin:
net_param: GlanceApi
port: 9292
@ -118,6 +138,8 @@ Heat:
net_param: Public
uri_suffixes:
'': /v1/%(tenant_id)s
protocol: https
port: 13004
Admin:
net_param: HeatApi
uri_suffixes:
@ -138,6 +160,8 @@ HeatCfn:
net_param: Public
uri_suffixes:
'': /v1
protocol: https
port: 13005
Admin:
net_param: HeatApi
uri_suffixes:
@ -149,7 +173,8 @@ Horizon:
net_param: Public
uri_suffixes:
'': /dashboard
port: 80
protocol: https
port: 443
# TODO(ayoung): V3 is a temporary fix. Endpoints should be versionless.
# Required for https://bugs.launchpad.net/puppet-nova/+bug/1542486
@ -166,6 +191,8 @@ Keystone:
uri_suffixes:
'': /
V3: /v3
protocol: https
port: 13000
Admin:
net_param: KeystoneAdminApi
uri_suffixes:
@ -190,6 +217,8 @@ Manila:
uri_suffixes:
'': /v2/%(tenant_id)s
V1: /v1/%(tenant_id)s
protocol: https
port: 13786
Admin:
net_param: ManilaApi
uri_suffixes:
@ -206,6 +235,8 @@ Mistral:
net_param: Public
uri_suffixes:
'': /v2
protocol: https
port: 13989
Admin:
net_param: MistralApi
uri_suffixes:
@ -222,6 +253,8 @@ Neutron:
net_param: NeutronApi
Public:
net_param: Public
protocol: https
port: 13696
Admin:
net_param: NeutronApi
port: 9696
@ -235,6 +268,8 @@ Nova:
net_param: Public
uri_suffixes:
'': /v2.1
protocol: https
port: 13774
Admin:
net_param: NovaApi
uri_suffixes:
@ -255,6 +290,8 @@ NovaPlacement:
net_param: Public
uri_suffixes:
'': /placement
protocol: https
port: 13778
Admin:
net_param: NovaPlacement
uri_suffixes:
@ -266,6 +303,8 @@ NovaVNCProxy:
net_param: NovaApi
Public:
net_param: Public
protocol: https
port: 13080
Admin:
net_param: NovaApi
port: 6080
@ -281,6 +320,8 @@ Swift:
uri_suffixes:
'': /v1/AUTH_%(tenant_id)s
S3:
protocol: https
port: 13808
Admin:
net_param: SwiftProxy
uri_suffixes:
@ -302,6 +343,8 @@ CephRgw:
net_param: Public
uri_suffixes:
'': /swift/v1
protocol: https
port: 13808
Admin:
net_param: CephRgw
uri_suffixes:
@ -317,6 +360,8 @@ Sahara:
net_param: Public
uri_suffixes:
'': /v1.1/%(tenant_id)s
protocol: https
port: 13386
Admin:
net_param: SaharaApi
uri_suffixes:
@ -328,6 +373,8 @@ Tacker:
net_param: TackerApi
Public:
net_param: Public
protocol: https
port: 13989
Admin:
net_param: TackerApi
port: 9890
@ -341,6 +388,8 @@ Ironic:
net_param: Public
uri_suffixes:
'': /v1
protocol: https
port: 13385
Admin:
net_param: IronicApi
uri_suffixes:
@ -357,6 +406,8 @@ IronicInspector:
net_param: IronicInspector
Public:
net_param: Public
protocol: https
port: 13050
Admin:
net_param: IronicInspector
UIConfig:
@ -371,6 +422,8 @@ Zaqar:
net_param: ZaqarApi
Public:
net_param: Public
protocol: https
port: 13888
Admin:
net_param: ZaqarApi
port: 8888
@ -380,6 +433,7 @@ ZaqarWebSocket:
net_param: ZaqarApi
Public:
net_param: Public
protocol: https
Admin:
net_param: ZaqarApi
UIConfig:
@ -395,6 +449,8 @@ Octavia:
net_param: OctaviaApi
Public:
net_param: Public
protocol: https
port: 13876
Admin:
net_param: OctaviaApi
port: 9876

58
network/endpoints/endpoint_map.yaml
View File

@ -21,101 +21,101 @@ parameters:
default:
AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
AodhPublic: {protocol: http, port: '8042', host: CLOUDNAME}
AodhPublic: {protocol: https, port: '13042', host: CLOUDNAME}
BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
BarbicanPublic: {protocol: http, port: '9311', host: CLOUDNAME}
BarbicanPublic: {protocol: https, port: '13311', host: CLOUDNAME}
CeilometerAdmin: {protocol: http, port: '8777', host: IP_ADDRESS}
CeilometerInternal: {protocol: http, port: '8777', host: IP_ADDRESS}
CeilometerPublic: {protocol: http, port: '8777', host: CLOUDNAME}
CeilometerPublic: {protocol: https, port: '13777', host: CLOUDNAME}
CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
CephRgwPublic: {protocol: http, port: '8080', host: CLOUDNAME}
CephRgwPublic: {protocol: https, port: '13808', host: CLOUDNAME}
CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
CinderPublic: {protocol: http, port: '8776', host: CLOUDNAME}
CinderPublic: {protocol: https, port: '13776', host: CLOUDNAME}
CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS}
CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS}
CongressPublic: {protocol: http, port: '1789', host: CLOUDNAME}
CongressPublic: {protocol: https, port: '13789', host: CLOUDNAME}
DesignateAdmin: {protocol: http, port: '9001', host: IP_ADDRESS}
DesignateInternal: {protocol: http, port: '9001', host: IP_ADDRESS}
DesignatePublic: {protocol: http, port: '9001', host: CLOUDNAME}
DesignatePublic: {protocol: https, port: '13001', host: CLOUDNAME}
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS}
Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS}
Ec2ApiPublic: {protocol: http, port: '8788', host: CLOUDNAME}
Ec2ApiPublic: {protocol: https, port: '13788', host: CLOUDNAME}
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
GlancePublic: {protocol: http, port: '9292', host: CLOUDNAME}
GlancePublic: {protocol: https, port: '13292', host: CLOUDNAME}
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
GnocchiPublic: {protocol: http, port: '8041', host: CLOUDNAME}
GnocchiPublic: {protocol: https, port: '13041', host: CLOUDNAME}
HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
HeatPublic: {protocol: http, port: '8004', host: CLOUDNAME}
HeatPublic: {protocol: https, port: '13004', host: CLOUDNAME}
HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
HeatCfnPublic: {protocol: http, port: '8000', host: CLOUDNAME}
HorizonPublic: {protocol: http, port: '80', host: CLOUDNAME}
HeatCfnPublic: {protocol: https, port: '13005', host: CLOUDNAME}
HorizonPublic: {protocol: https, port: '443', host: CLOUDNAME}
IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
IronicPublic: {protocol: http, port: '6385', host: CLOUDNAME}
IronicPublic: {protocol: https, port: '13385', host: CLOUDNAME}
IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
IronicInspectorPublic: {protocol: http, port: '5050', host: CLOUDNAME}
IronicInspectorPublic: {protocol: https, port: '13050', host: CLOUDNAME}
IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
KeystonePublic: {protocol: http, port: '5000', host: CLOUDNAME}
KeystonePublic: {protocol: https, port: '13000', host: CLOUDNAME}
KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
ManilaPublic: {protocol: http, port: '8786', host: CLOUDNAME}
ManilaPublic: {protocol: https, port: '13786', host: CLOUDNAME}
MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
MistralPublic: {protocol: http, port: '8989', host: CLOUDNAME}
MistralPublic: {protocol: https, port: '13989', host: CLOUDNAME}
MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
NeutronPublic: {protocol: http, port: '9696', host: CLOUDNAME}
NeutronPublic: {protocol: https, port: '13696', host: CLOUDNAME}
NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
NovaPublic: {protocol: http, port: '8774', host: CLOUDNAME}
NovaPublic: {protocol: https, port: '13774', host: CLOUDNAME}
NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
NovaPlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
NovaPlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
NovaPlacementPublic: {protocol: http, port: '8778', host: CLOUDNAME}
NovaPlacementPublic: {protocol: https, port: '13778', host: CLOUDNAME}
NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
NovaVNCProxyPublic: {protocol: http, port: '6080', host: CLOUDNAME}
NovaVNCProxyPublic: {protocol: https, port: '13080', host: CLOUDNAME}
OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
OctaviaPublic: {protocol: http, port: '9876', host: CLOUDNAME}
OctaviaPublic: {protocol: https, port: '13876', host: CLOUDNAME}
OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS}
OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS}
PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS}
PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS}
PankoPublic: {protocol: http, port: '8977', host: CLOUDNAME}
PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME}
SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
SaharaPublic: {protocol: http, port: '8386', host: CLOUDNAME}
SaharaPublic: {protocol: https, port: '13386', host: CLOUDNAME}
SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
SwiftPublic: {protocol: http, port: '8080', host: CLOUDNAME}
SwiftPublic: {protocol: https, port: '13808', host: CLOUDNAME}
SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS}
TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS}
TackerPublic: {protocol: http, port: '9890', host: CLOUDNAME}
TackerPublic: {protocol: https, port: '13989', host: CLOUDNAME}
ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
ZaqarPublic: {protocol: http, port: '8888', host: CLOUDNAME}
ZaqarPublic: {protocol: https, port: '13888', host: CLOUDNAME}
ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: CLOUDNAME}
ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME}
ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.

7
releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml Normal file
View File

@ -0,0 +1,7 @@
---
features:
- |
TripleO now uses TLS on the public interfaces by default. This is reflected
on the EndpointMap, as now the default entries have 'https' endpoints.
Note that it's still possible to deploy TripleO without TLS, using the
environments/no-tls-endpoints-public-ip.yaml environment file.