Config platform service admin endpoints to https for DC

With this update https is enabled for platform services' admin endpoints for System Controller and subclouds when the first controller is unlocked. The services with admin endpoints enabled are: - fm - patching - vim - smapi - barbican - keystone - sysinv - dcdbsync - dcmanager Change-Id: I45b3c541cdb6191dad6d3e2b3e9cf8a3398b3a1b Story: 2007347 Task: 38891 Depends-On: https://review.opendev.org/#/c/720224/ Signed-off-by: Andy Ning <andy.ning@windriver.com>
2020-04-06 10:11:56 -04:00 · 2020-04-06 10:11:56 -04:00 · e5f325ccca
commit e5f325ccca
parent 7665c92ec9
12 changed files with 180 additions and 4 deletions
--- a/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp
+++ b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp
@ -43,6 +43,10 @@ class dcorch::keystone::auth (
  $cinder_proxy_public_url_v3    = 'http://127.0.0.1:28776/v3/%(tenant_id)s',
  $patching_proxy_public_url     = 'http://127.0.0.1:25491',
  $identity_proxy_public_url     = 'http://127.0.0.1:25000/v3',
+
+  $identity_proxy_admin_url      = 'http://127.0.0.1:25000/v3',
+  $sysinv_proxy_admin_url        = 'http://127.0.0.1:26385/v1',
+  $patching_proxy_admin_url      = 'http://127.0.0.1:25491',
 ) {
  if $::platform::params::distributed_cloud_role =='systemcontroller' {
    keystone::resource::service_identity { 'dcorch':
@ -68,7 +72,7 @@ class dcorch::keystone::auth (
      type         =>  'platform',
      region       =>  $region,
      public_url   =>  $sysinv_proxy_public_url,
-      admin_url    =>  $sysinv_proxy_internal_url,
+      admin_url    =>  $sysinv_proxy_admin_url,
      internal_url =>  $sysinv_proxy_internal_url
    }

@ -78,7 +82,7 @@ class dcorch::keystone::auth (
      type         =>  'patching',
      region       =>  $region,
      public_url   =>  $patching_proxy_public_url,
-      admin_url    =>  $patching_proxy_internal_url,
+      admin_url    =>  $patching_proxy_admin_url,
      internal_url =>  $patching_proxy_internal_url
    }
    keystone_endpoint { "${region}/keystone::identity" :
@ -87,7 +91,7 @@ class dcorch::keystone::auth (
      type         =>  'identity',
      region       =>  $region,
      public_url   =>  $identity_proxy_public_url,
-      admin_url    =>  $identity_proxy_internal_url,
+      admin_url    =>  $identity_proxy_admin_url,
      internal_url =>  $identity_proxy_internal_url
    }
  }
--- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp
@ -90,12 +90,26 @@ class openstack::barbican::service (

 class openstack::barbican::haproxy
  inherits ::openstack::barbican::params {
+  include ::platform::params
+  include ::platform::haproxy::params

  platform::haproxy::proxy { 'barbican-restapi':
    server_name  => 's-barbican-restapi',
    public_port  => $api_port,
    private_port => $api_port,
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'barbican-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-barbican-restapi',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }

 class openstack::barbican::api
--- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp
@ -131,6 +131,7 @@ class openstack::keystone::haproxy
  inherits ::openstack::keystone::params {

  include ::platform::params
+  include ::platform::haproxy::params

  if !$::platform::params::region_config {
    platform::haproxy::proxy { 'keystone-restapi':
@ -139,6 +140,18 @@ class openstack::keystone::haproxy
      private_port => $api_port,
    }
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'keystone-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-keystone',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }

 define delete_endpoints (
--- a/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp
+++ b/puppet-manifests/src/modules/platform/manifests/dcdbsync.pp
@ -41,6 +41,26 @@ class platform::dcdbsync::api
      }
    }
  }
+
+  include ::platform::dcdbsync::haproxy
+}
+
+class platform::dcdbsync::haproxy
+  inherits ::platform::dcdbsync::params {
+  include ::platform::params
+  include ::platform::haproxy::params
+
+  # Configure rules for https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'dcdbsync-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-dcdbsync',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }

 class platform::dcdbsync::stx_openstack::runtime
--- a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp
+++ b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp
@ -51,6 +51,9 @@ class platform::dcmanager

 class platform::dcmanager::haproxy
  inherits ::platform::dcmanager::params {
+  include ::platform::params
+  include ::platform::haproxy::params
+
  if $::platform::params::distributed_cloud_role =='systemcontroller' {
    platform::haproxy::proxy { 'dcmanager-restapi':
      server_name  => 's-dcmanager',
@ -58,6 +61,17 @@ class platform::dcmanager::haproxy
      private_port => $api_port,
    }
  }
+
+  # Configure rules for https enabled admin endpoint.
+  if $::platform::params::distributed_cloud_role == 'systemcontroller' {
+    platform::haproxy::proxy { 'dcmanager-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-dcmanager',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }

 class platform::dcmanager::manager {
--- a/puppet-manifests/src/modules/platform/manifests/dcorch.pp
+++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp
@ -69,6 +69,8 @@ class platform::dcorch::firewall

 class platform::dcorch::haproxy
  inherits ::platform::dcorch::params {
+  include ::platform::haproxy::params
+
  if $::platform::params::distributed_cloud_role =='systemcontroller' {
    platform::haproxy::proxy { 'dcorch-neutron-api-proxy':
      server_name  => 's-dcorch-neutron-api-proxy',
@ -100,6 +102,31 @@ class platform::dcorch::haproxy
      public_port  => $identity_api_proxy_port,
      private_port => $identity_api_proxy_port,
    }
+
+    # Configure rules for https enabled identity api proxy admin endpoint.
+    platform::haproxy::proxy { 'dcorch-identity-api-proxy-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-dcorch-identity-api-proxy',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $identity_api_proxy_port + 1,
+      private_port      => $identity_api_proxy_port,
+    }
+    # Configure rules for https enabled sysinv api proxy admin endpoint.
+    platform::haproxy::proxy { 'dcorch-sysinv-api-proxy-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-dcorch-sysinv-api-proxy',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $sysinv_api_proxy_port + 1,
+      private_port      => $sysinv_api_proxy_port,
+    }
+    # Configure rules for https enabled patching api proxy admin endpoint.
+    platform::haproxy::proxy { 'dcorch-patch-api-proxy-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-dcorch-patch-api-proxy',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $patch_api_proxy_port + 1,
+      private_port      => $patch_api_proxy_port,
+    }
  }
 }

--- a/puppet-manifests/src/modules/platform/manifests/fm.pp
+++ b/puppet-manifests/src/modules/platform/manifests/fm.pp
@ -38,6 +38,7 @@ class platform::fm
 class platform::fm::haproxy
  inherits ::platform::fm::params {

+  include ::platform::params
  include ::platform::haproxy::params

  platform::haproxy::proxy { 'fm-api-internal':
@ -54,6 +55,18 @@ class platform::fm::haproxy
    public_port  => $api_port,
    private_port => $api_port,
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'fm-api-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-fm-api-admin',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }

 class platform::fm::api
--- a/puppet-manifests/src/modules/platform/manifests/haproxy.pp
+++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp
@ -3,6 +3,7 @@ class platform::haproxy::params (
  $public_ip_address,
  $public_address_url,
  $enable_https = false,
+  $https_ep_type = 'public',

  $global_options = undef,
  $tpm_object = undef,
@ -20,6 +21,7 @@ define platform::haproxy::proxy (
  $client_timeout = undef,
  $x_forwarded_proto = true,
  $enable_https = undef,
+  $https_ep_type = undef,
  $public_api = true,
  $tcp_mode = false,
 ) {
@ -31,13 +33,23 @@ define platform::haproxy::proxy (
    $https_enabled = $::platform::haproxy::params::enable_https
  }

+  if $https_ep_type != undef {
+    $https_ep = $https_ep_type
+  } else {
+    $https_ep = $::platform::haproxy::params::https_ep_type
+  }
+
  if $x_forwarded_proto {
-    if $https_enabled and $public_api {
+    if $https_enabled and $public_api and $https_ep == 'public' {
        $ssl_option = 'ssl crt /etc/ssl/private/server-cert.pem'
        $proto = 'X-Forwarded-Proto:\ https'
        # The value of max-age matches lighttpd.conf, and should be
        # maintained for consistency
        $hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains'
+    } elsif $https_ep == 'admin' {
+        $ssl_option = 'ssl crt /etc/ssl/private/admin-ep-cert.pem'
+        $proto = 'X-Forwarded-Proto:\ https'
+        $hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains'
    } else {
      $ssl_option = ' '
      $proto = 'X-Forwarded-Proto:\ http'
@ -147,6 +159,11 @@ class platform::haproxy::runtime {
  include ::platform::nfv::haproxy
  include ::platform::ceph::haproxy
  include ::platform::fm::haproxy
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    include ::platform::dcdbsync::haproxy
+    include ::platform::smapi::haproxy
+  }
  if $::platform::params::distributed_cloud_role =='systemcontroller' {
    include ::platform::dcmanager::haproxy
    include ::platform::dcorch::haproxy
--- a/puppet-manifests/src/modules/platform/manifests/nfv.pp
+++ b/puppet-manifests/src/modules/platform/manifests/nfv.pp
@ -56,12 +56,26 @@ class platform::nfv::runtime {

 class platform::nfv::haproxy
  inherits ::platform::nfv::params {
+  include ::platform::params
+  include ::platform::haproxy::params

  platform::haproxy::proxy { 'vim-restapi':
    server_name  => 's-vim-restapi',
    public_port  => $api_port,
    private_port => $api_port,
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'vim-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-vim-restapi',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }


--- a/puppet-manifests/src/modules/platform/manifests/patching.pp
+++ b/puppet-manifests/src/modules/platform/manifests/patching.pp
@ -51,6 +51,8 @@ class platform::patching

 class platform::patching::haproxy
  inherits ::platform::patching::params {
+  include ::platform::params
+  include ::platform::haproxy::params

  platform::haproxy::proxy { 'patching-restapi':
    server_name    => 's-patching',
@ -58,6 +60,18 @@ class platform::patching::haproxy
    private_port   => $private_port,
    server_timeout => $server_timeout,
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'patching-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-patching',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $private_port + 1,
+      private_port      => $private_port,
+    }
+  }
 }


--- a/puppet-manifests/src/modules/platform/manifests/smapi.pp
+++ b/puppet-manifests/src/modules/platform/manifests/smapi.pp
@ -29,6 +29,18 @@ class platform::smapi::haproxy
    public_port  => $port,
    private_port => $port,
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'sm-api-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-smapi-admin',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $port + 1,
+      private_port      => $port,
+    }
+  }
 }

 class platform::smapi
--- a/puppet-manifests/src/modules/platform/manifests/sysinv.pp
+++ b/puppet-manifests/src/modules/platform/manifests/sysinv.pp
@ -78,12 +78,26 @@ class platform::sysinv::conductor {

 class platform::sysinv::haproxy
  inherits ::platform::sysinv::params {
+  include ::platform::params
+  include ::platform::haproxy::params

  platform::haproxy::proxy { 'sysinv-restapi':
    server_name  => 's-sysinv',
    public_port  => $api_port,
    private_port => $api_port,
  }
+
+  # Configure rules for DC https enabled admin endpoint.
+  if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+      $::platform::params::distributed_cloud_role == 'subcloud') {
+    platform::haproxy::proxy { 'sysinv-restapi-admin':
+      https_ep_type     => 'admin',
+      server_name       => 's-sysinv',
+      public_ip_address => $::platform::haproxy::params::private_ip_address,
+      public_port       => $api_port + 1,
+      private_port      => $api_port,
+    }
+  }
 }