From 22ad1bc8c51dffb40e3ebaf5fef35de333adb53d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue, 3 Apr 2018 11:15:33 +0300
Subject: [PATCH] Change default endpoint map entries to use TLS

This changes the default endpoint map entries so that the public
endpoints use TLS by default.

Change-Id: I2d211b51ddb2f9fde5902cfb8004392a66e15a5c
Depends-On: I3d3cad0eb1396e7bee146794b29badad302efdf3
Depends-On: I8b46ce3f9cd6e36d0b8f604b49e4113301461a4c
Depends-On: Ief352f9e54bee95d5e4035725ab6a63ef4be0269
---
 network/endpoints/endpoint_data.yaml          | 58 ++++++++++++++++++-
 network/endpoints/endpoint_map.yaml           | 58 +++++++++----------
 ...endpoints-by-default-6f70ef3c82c547de.yaml |  7 +++
 3 files changed, 93 insertions(+), 30 deletions(-)
 create mode 100644 releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml

diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml
index a8aa8b176f..31c2ceb218 100644
--- a/network/endpoints/endpoint_data.yaml
+++ b/network/endpoints/endpoint_data.yaml
@@ -6,6 +6,8 @@ Aodh:
         net_param: AodhApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13042
     Admin:
         net_param: AodhApi
     port: 8042
@@ -15,6 +17,8 @@ Barbican:
         net_param: BarbicanApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13311
     Admin:
         net_param: BarbicanApi
     port: 9311
@@ -24,6 +28,8 @@ Ceilometer:
         net_param: CeilometerApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13777
     Admin:
         net_param: CeilometerApi
     port: 8777
@@ -33,6 +39,8 @@ Designate:
         net_param: DesignateApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13001
     Admin:
         net_param: DesignateApi
     port: 9001
@@ -42,6 +50,8 @@ Ec2Api:
         net_param: Ec2Api
     Public:
         net_param: Public
+        protocol: https
+        port: 13788
     Admin:
         net_param: Ec2Api
     port: 8788
@@ -51,6 +61,8 @@ Gnocchi:
         net_param: GnocchiApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13041
     Admin:
         net_param: GnocchiApi
     port: 8041
@@ -60,6 +72,8 @@ Panko:
         net_param: PankoApi
     Public:
         net_param: Public
+        protocol: https
+        portt: 13977
     Admin:
         net_param: PankoApi
     port: 8977
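Review bot: The key `portt: 13977` added under Panko's Public entry is misspelled, so the port override is never read: the Public endpoint switches to https but keeps the plain-HTTP port 8977, which is exactly what the endpoint_map.yaml hunk shows at `PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME}`. The line should read `port: 13977`, matching the 13xxx convention used by the other Public entries in this patch, and the map line should then become `PankoPublic: {protocol: https, port: '13977', host: CLOUDNAME}`. Whether endpoint_map.yaml is regenerated from endpoint_data.yaml or edited by hand is not visible here; either way the two files need to agree on this port.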
@@ -77,6 +91,8 @@ Cinder:
             '': /v1/%(tenant_id)s
             V2: /v2/%(tenant_id)s
             V3: /v3/%(tenant_id)s
+        protocol: https
+        port: 13776
     Admin:
         net_param: CinderApi
         uri_suffixes:
@@ -90,6 +106,8 @@ Congress:
         net_param: CongressApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13789
     Admin:
         net_param: CongressApi
     port: 1789
@@ -99,6 +117,8 @@ Glance:
         net_param: GlanceApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13292
     Admin:
         net_param: GlanceApi
     port: 9292
@@ -118,6 +138,8 @@ Heat:
         net_param: Public
         uri_suffixes:
             '': /v1/%(tenant_id)s
+        protocol: https
+        port: 13004
     Admin:
         net_param: HeatApi
         uri_suffixes:
@@ -138,6 +160,8 @@ HeatCfn:
         net_param: Public
         uri_suffixes:
             '': /v1
+        protocol: https
+        port: 13005
     Admin:
         net_param: HeatApi
         uri_suffixes:
@@ -149,7 +173,8 @@ Horizon:
         net_param: Public
         uri_suffixes:
             '': /dashboard
-    port: 80
+        protocol: https
+    port: 443
 
 # TODO(ayoung): V3 is a temporary fix. Endpoints should be versionless.
 # Required for https://bugs.launchpad.net/puppet-nova/+bug/1542486
@@ -166,6 +191,8 @@ Keystone:
         uri_suffixes:
             '': /
             V3: /v3
+        protocol: https
+        port: 13000
     Admin:
         net_param: KeystoneAdminApi
         uri_suffixes:
@@ -190,6 +217,8 @@ Manila:
         uri_suffixes:
             '': /v2/%(tenant_id)s
             V1: /v1/%(tenant_id)s
+        protocol: https
+        port: 13786
     Admin:
         net_param: ManilaApi
         uri_suffixes:
@@ -206,6 +235,8 @@ Mistral:
         net_param: Public
         uri_suffixes:
             '': /v2
+        protocol: https
+        port: 13989
     Admin:
         net_param: MistralApi
         uri_suffixes:
@@ -222,6 +253,8 @@ Neutron:
         net_param: NeutronApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13696
     Admin:
         net_param: NeutronApi
     port: 9696
@@ -235,6 +268,8 @@ Nova:
         net_param: Public
         uri_suffixes:
             '': /v2.1
+        protocol: https
+        port: 13774
     Admin:
         net_param: NovaApi
         uri_suffixes:
@@ -255,6 +290,8 @@ NovaPlacement:
         net_param: Public
         uri_suffixes:
             '': /placement
+        protocol: https
+        port: 13778
     Admin:
         net_param: NovaPlacement
         uri_suffixes:
@@ -266,6 +303,8 @@ NovaVNCProxy:
         net_param: NovaApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13080
     Admin:
         net_param: NovaApi
     port: 6080
@@ -281,6 +320,8 @@ Swift:
         uri_suffixes:
             '': /v1/AUTH_%(tenant_id)s
             S3:
+        protocol: https
+        port: 13808
     Admin:
         net_param: SwiftProxy
         uri_suffixes:
@@ -302,6 +343,8 @@ CephRgw:
         net_param: Public
         uri_suffixes:
             '': /swift/v1
+        protocol: https
+        port: 13808
     Admin:
         net_param: CephRgw
         uri_suffixes:
@@ -317,6 +360,8 @@ Sahara:
         net_param: Public
         uri_suffixes:
             '': /v1.1/%(tenant_id)s
+        protocol: https
+        port: 13386
     Admin:
         net_param: SaharaApi
         uri_suffixes:
@@ -328,6 +373,8 @@ Tacker:
         net_param: TackerApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13989
     Admin:
         net_param: TackerApi
     port: 9890
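Review bot: Tacker's new Public entry uses `port: 13989`, the same value given to Mistral's Public entry earlier in this patch; both resolve to host CLOUDNAME, and the endpoint_map.yaml hunk carries '13989' for both `MistralPublic` and `TackerPublic`, so a deployment with both services enabled would have two TLS public endpoints on one port. Most other entries here derive the TLS port from the plain-HTTP port (8989 → 13989, 9696 → 13696), and Tacker's base port is 9890, which suggests `port: 13890` provided no other service already uses it (a constructed value; confirm against the full map). The corresponding map line would then be `TackerPublic: {protocol: https, port: '13890', host: CLOUDNAME}`.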
@@ -341,6 +388,8 @@ Ironic:
         net_param: Public
         uri_suffixes:
             '': /v1
+        protocol: https
+        port: 13385
     Admin:
         net_param: IronicApi
         uri_suffixes:
@@ -357,6 +406,8 @@ IronicInspector:
         net_param: IronicInspector
     Public:
         net_param: Public
+        protocol: https
+        port: 13050
     Admin:
         net_param: IronicInspector
     UIConfig:
@@ -371,6 +422,8 @@ Zaqar:
         net_param: ZaqarApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13888
     Admin:
         net_param: ZaqarApi
     port: 8888
@@ -380,6 +433,7 @@ ZaqarWebSocket:
         net_param: ZaqarApi
     Public:
         net_param: Public
+        protocol: https
     Admin:
         net_param: ZaqarApi
     UIConfig:
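Review bot: ZaqarWebSocket's Public entry is switched to `protocol: https`, while its Admin and Internal counterparts in the endpoint_map.yaml hunk keep `ws`, and the resulting map line `ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME}` advertises a WebSocket endpoint with an HTTP scheme. The TLS counterpart of `ws` is `wss`, so unless the consumer of this entry rewrites the scheme (not visible here) this should be `protocol: wss`. It is also the only Public entry in the patch without a port override, so it stays on 9000 rather than a 13xxx TLS port; if that is intentional, a short comment such as `# public websocket keeps port 9000; TLS is terminated on the same port` next to it would spare the next reader the question.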
@@ -395,6 +449,8 @@ Octavia:
         net_param: OctaviaApi
     Public:
         net_param: Public
+        protocol: https
+        port: 13876
     Admin:
         net_param: OctaviaApi
     port: 9876
diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml
index 4666f637d0..b943921520 100644
--- a/network/endpoints/endpoint_map.yaml
+++ b/network/endpoints/endpoint_map.yaml
@@ -21,101 +21,101 @@ parameters:
     default:
       AodhAdmin: {protocol: http, port: '8042', host: IP_ADDRESS}
       AodhInternal: {protocol: http, port: '8042', host: IP_ADDRESS}
-      AodhPublic: {protocol: http, port: '8042', host: CLOUDNAME}
+      AodhPublic: {protocol: https, port: '13042', host: CLOUDNAME}
       BarbicanAdmin: {protocol: http, port: '9311', host: IP_ADDRESS}
       BarbicanInternal: {protocol: http, port: '9311', host: IP_ADDRESS}
-      BarbicanPublic: {protocol: http, port: '9311', host: CLOUDNAME}
+      BarbicanPublic: {protocol: https, port: '13311', host: CLOUDNAME}
       CeilometerAdmin: {protocol: http, port: '8777', host: IP_ADDRESS}
       CeilometerInternal: {protocol: http, port: '8777', host: IP_ADDRESS}
-      CeilometerPublic: {protocol: http, port: '8777', host: CLOUDNAME}
+      CeilometerPublic: {protocol: https, port: '13777', host: CLOUDNAME}
       CephRgwAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
       CephRgwInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
-      CephRgwPublic: {protocol: http, port: '8080', host: CLOUDNAME}
+      CephRgwPublic: {protocol: https, port: '13808', host: CLOUDNAME}
       CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS}
       CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS}
-      CinderPublic: {protocol: http, port: '8776', host: CLOUDNAME}
+      CinderPublic: {protocol: https, port: '13776', host: CLOUDNAME}
       CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS}
       CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS}
-      CongressPublic: {protocol: http, port: '1789', host: CLOUDNAME}
+      CongressPublic: {protocol: https, port: '13789', host: CLOUDNAME}
       DesignateAdmin: {protocol: http, port: '9001', host: IP_ADDRESS}
       DesignateInternal: {protocol: http, port: '9001', host: IP_ADDRESS}
-      DesignatePublic: {protocol: http, port: '9001', host: CLOUDNAME}
+      DesignatePublic: {protocol: https, port: '13001', host: CLOUDNAME}
       DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
       Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS}
       Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS}
-      Ec2ApiPublic: {protocol: http, port: '8788', host: CLOUDNAME}
+      Ec2ApiPublic: {protocol: https, port: '13788', host: CLOUDNAME}
       GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
       GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
       GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
-      GlancePublic: {protocol: http, port: '9292', host: CLOUDNAME}
+      GlancePublic: {protocol: https, port: '13292', host: CLOUDNAME}
       GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
       GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
-      GnocchiPublic: {protocol: http, port: '8041', host: CLOUDNAME}
+      GnocchiPublic: {protocol: https, port: '13041', host: CLOUDNAME}
       HeatAdmin: {protocol: http, port: '8004', host: IP_ADDRESS}
       HeatInternal: {protocol: http, port: '8004', host: IP_ADDRESS}
-      HeatPublic: {protocol: http, port: '8004', host: CLOUDNAME}
+      HeatPublic: {protocol: https, port: '13004', host: CLOUDNAME}
       HeatUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       HeatCfnAdmin: {protocol: http, port: '8000', host: IP_ADDRESS}
       HeatCfnInternal: {protocol: http, port: '8000', host: IP_ADDRESS}
-      HeatCfnPublic: {protocol: http, port: '8000', host: CLOUDNAME}
-      HorizonPublic: {protocol: http, port: '80', host: CLOUDNAME}
+      HeatCfnPublic: {protocol: https, port: '13005', host: CLOUDNAME}
+      HorizonPublic: {protocol: https, port: '443', host: CLOUDNAME}
       IronicAdmin: {protocol: http, port: '6385', host: IP_ADDRESS}
       IronicInternal: {protocol: http, port: '6385', host: IP_ADDRESS}
-      IronicPublic: {protocol: http, port: '6385', host: CLOUDNAME}
+      IronicPublic: {protocol: https, port: '13385', host: CLOUDNAME}
       IronicUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       IronicInspectorAdmin: {protocol: http, port: '5050', host: IP_ADDRESS}
       IronicInspectorInternal: {protocol: http, port: '5050', host: IP_ADDRESS}
-      IronicInspectorPublic: {protocol: http, port: '5050', host: CLOUDNAME}
+      IronicInspectorPublic: {protocol: https, port: '13050', host: CLOUDNAME}
       IronicInspectorUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       KeystoneAdmin: {protocol: http, port: '35357', host: IP_ADDRESS}
       KeystoneInternal: {protocol: http, port: '5000', host: IP_ADDRESS}
-      KeystonePublic: {protocol: http, port: '5000', host: CLOUDNAME}
+      KeystonePublic: {protocol: https, port: '13000', host: CLOUDNAME}
       KeystoneUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       ManilaAdmin: {protocol: http, port: '8786', host: IP_ADDRESS}
       ManilaInternal: {protocol: http, port: '8786', host: IP_ADDRESS}
-      ManilaPublic: {protocol: http, port: '8786', host: CLOUDNAME}
+      ManilaPublic: {protocol: https, port: '13786', host: CLOUDNAME}
       MistralAdmin: {protocol: http, port: '8989', host: IP_ADDRESS}
       MistralInternal: {protocol: http, port: '8989', host: IP_ADDRESS}
-      MistralPublic: {protocol: http, port: '8989', host: CLOUDNAME}
+      MistralPublic: {protocol: https, port: '13989', host: CLOUDNAME}
       MistralUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       MysqlInternal: {protocol: mysql+pymysql, port: '3306', host: IP_ADDRESS}
       NeutronAdmin: {protocol: http, port: '9696', host: IP_ADDRESS}
       NeutronInternal: {protocol: http, port: '9696', host: IP_ADDRESS}
-      NeutronPublic: {protocol: http, port: '9696', host: CLOUDNAME}
+      NeutronPublic: {protocol: https, port: '13696', host: CLOUDNAME}
       NovaAdmin: {protocol: http, port: '8774', host: IP_ADDRESS}
       NovaInternal: {protocol: http, port: '8774', host: IP_ADDRESS}
-      NovaPublic: {protocol: http, port: '8774', host: CLOUDNAME}
+      NovaPublic: {protocol: https, port: '13774', host: CLOUDNAME}
       NovaUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       NovaPlacementAdmin: {protocol: http, port: '8778', host: IP_ADDRESS}
       NovaPlacementInternal: {protocol: http, port: '8778', host: IP_ADDRESS}
-      NovaPlacementPublic: {protocol: http, port: '8778', host: CLOUDNAME}
+      NovaPlacementPublic: {protocol: https, port: '13778', host: CLOUDNAME}
       NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS}
       NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS}
-      NovaVNCProxyPublic: {protocol: http, port: '6080', host: CLOUDNAME}
+      NovaVNCProxyPublic: {protocol: https, port: '13080', host: CLOUDNAME}
       OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS}
       OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS}
-      OctaviaPublic: {protocol: http, port: '9876', host: CLOUDNAME}
+      OctaviaPublic: {protocol: https, port: '13876', host: CLOUDNAME}
       OpenDaylightAdmin: {protocol: http, port: '8081', host: IP_ADDRESS}
       OpenDaylightInternal: {protocol: http, port: '8081', host: IP_ADDRESS}
       PankoAdmin: {protocol: http, port: '8977', host: IP_ADDRESS}
       PankoInternal: {protocol: http, port: '8977', host: IP_ADDRESS}
-      PankoPublic: {protocol: http, port: '8977', host: CLOUDNAME}
+      PankoPublic: {protocol: https, port: '8977', host: CLOUDNAME}
       SaharaAdmin: {protocol: http, port: '8386', host: IP_ADDRESS}
       SaharaInternal: {protocol: http, port: '8386', host: IP_ADDRESS}
-      SaharaPublic: {protocol: http, port: '8386', host: CLOUDNAME}
+      SaharaPublic: {protocol: https, port: '13386', host: CLOUDNAME}
       SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS}
       SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS}
-      SwiftPublic: {protocol: http, port: '8080', host: CLOUDNAME}
+      SwiftPublic: {protocol: https, port: '13808', host: CLOUDNAME}
       SwiftUIConfig: {protocol: http, port: '3000', host: IP_ADDRESS}
       TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS}
       TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS}
-      TackerPublic: {protocol: http, port: '9890', host: CLOUDNAME}
+      TackerPublic: {protocol: https, port: '13989', host: CLOUDNAME}
       ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS}
       ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS}
-      ZaqarPublic: {protocol: http, port: '8888', host: CLOUDNAME}
+      ZaqarPublic: {protocol: https, port: '13888', host: CLOUDNAME}
       ZaqarWebSocketAdmin: {protocol: ws, port: '9000', host: IP_ADDRESS}
       ZaqarWebSocketInternal: {protocol: ws, port: '9000', host: IP_ADDRESS}
-      ZaqarWebSocketPublic: {protocol: ws, port: '9000', host: CLOUDNAME}
+      ZaqarWebSocketPublic: {protocol: https, port: '9000', host: CLOUDNAME}
       ZaqarWebSocketUIConfig: {protocol: ws, port: '3000', host: IP_ADDRESS}
     description: Mapping of service endpoint -> protocol. Typically set
       via parameter_defaults in the resource registry.
diff --git a/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml b/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml
new file mode 100644
index 0000000000..d739ee9552
--- /dev/null
+++ b/releasenotes/notes/Use-TLS-endpoints-by-default-6f70ef3c82c547de.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    TripleO now uses TLS on the public interfaces by default. This is reflected
+    on the EndpointMap, as now the default entries have 'https' endpoints.
+    Note that it's still possible to deploy TripleO without TLS, using the
+    environments/no-tls-endpoints-public-ip.yaml environment file.