Secure haproxy stats endpoint

Currently when we deploy our haproxy configuration, it includes the
stats endpoint as unauthenticated.  This means anyone with access
to the undercloud can query the haproxy stats, which is a security
concern.

Conflicts:
	elements/puppet-stack-config/puppet-stack-config.yaml.template
	instack_undercloud/undercloud.py
	undercloud.conf.sample

Change-Id: I94086c17c3fa5efe80650c2770bfb5c7f2f941ab
Depends-On: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
(cherry picked from commit f923da0c99)

elements/puppet-stack-config/install.d/02-puppet-stack-config

@@ -39,6 +39,7 @@ context = {
     'UNDERCLOUD_SWIFT_HASH_SUFFIX': os.environ.get('UNDERCLOUD_SWIFT_HASH_SUFFIX', 'unset'),
     'UNDERCLOUD_SWIFT_PASSWORD': os.environ.get('UNDERCLOUD_SWIFT_PASSWORD', 'unset'),
     'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
+    'UNDERCLOUD_HAPROXY_STATS_PASSWORD': os.environ.get('UNDERCLOUD_HAPROXY_STATS_PASSWORD', 'unset'),
     'UNDERCLOUD_HEAT_ENCRYPTION_KEY': os.environ.get('UNDERCLOUD_HEAT_ENCRYPTION_KEY', 'unset___________'),
     'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
     'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),

elements/puppet-stack-config/puppet-stack-config.yaml.template

@@ -350,6 +350,9 @@ horizon_secret_key: {{UNDERCLOUD_HORIZON_SECRET_KEY}}
 horizon::wsgi::apache::priority: 10
 horizon::openstack_endpoint_type: internalURL
 
+# Loadbalancer
+tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}
+
 # service tenant
 ceilometer::api::keystone_tenant: 'service'
 aodh::api::keystone_tenant: 'service'

elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords

@@ -6,6 +6,7 @@ UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
 UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
 UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
 UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
+UNDERCLOUD_HAPROXY_STATS_PASSWORD=$(sudo hiera tripleo::loadbalancer::haproxy_stats_password)
 UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
 UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
 UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)

instack_undercloud/undercloud.py

@@ -286,6 +286,10 @@ _auth_opts = [
                help=('Swift hash suffix. '
                      'If left unset, one will be automatically generated.')
                ),
+    cfg.StrOpt('undercloud_haproxy_stats_password',
+               help=('HAProxy stats password. '
+                     'If left unset, one will be automatically generated.')
+               ),
 ]
 CONF.register_opts(_opts)
 CONF.register_opts(_auth_opts, group='auth')

undercloud.conf.sample

@@ -88,7 +88,6 @@
 # Whether to use iPXE for deploy by default. (boolean value)
 #ipxe_deploy = true
 
-
 # Whether to store events in the Undercloud Ceilometer. (boolean
 # value)
 #store_events = false
@@ -143,14 +142,14 @@
 # generated. (string value)
 #undercloud_ironic_password = <None>
 
+# Aodh service password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_aodh_password = <None>
+
 # Ceilometer service password. If left unset, one will be
 # automatically generated. (string value)
 #undercloud_ceilometer_password = <None>
 
-# Aodh service password. If left unset, one will be
-# automatically generated. (string value)
-#undercloud_aodh_password = <None>
-
 # Ceilometer metering secret. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_ceilometer_metering_secret = <None>
@@ -188,3 +187,7 @@
 # Swift hash suffix. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_swift_hash_suffix = <None>
+
+# HAProxy stats password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_haproxy_stats_password = <None>