Secure haproxy stats endpoint
Currently, when we deploy our haproxy configuration, the stats endpoint is
exposed without authentication. This means anyone with access to the
undercloud can query the haproxy stats, which is a security concern.
Conflicts:
elements/puppet-stack-config/puppet-stack-config.yaml.template
instack_undercloud/undercloud.py
undercloud.conf.sample
Change-Id: I94086c17c3fa5efe80650c2770bfb5c7f2f941ab
Depends-On: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
(cherry picked from commit f923da0c99
)
parent
ce3c8da9a0
commit
43ee07cc30
@ -39,6 +39,7 @@ context = {
'UNDERCLOUD_SWIFT_HASH_SUFFIX': os.environ.get('UNDERCLOUD_SWIFT_HASH_SUFFIX', 'unset'),
'UNDERCLOUD_SWIFT_PASSWORD': os.environ.get('UNDERCLOUD_SWIFT_PASSWORD', 'unset'),
'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
'UNDERCLOUD_HAPROXY_STATS_PASSWORD': os.environ.get('UNDERCLOUD_HAPROXY_STATS_PASSWORD', 'unset'),
'UNDERCLOUD_HEAT_ENCRYPTION_KEY': os.environ.get('UNDERCLOUD_HEAT_ENCRYPTION_KEY', 'unset___________'),
'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),
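Review bot: The new `'UNDERCLOUD_HAPROXY_STATS_PASSWORD'` entry falls back to the literal string `'unset'` when the environment variable is missing, so a run where the exporting script did not set it would still render the stats endpoint, just gated by a known, guessable password instead of failing loudly. The neighbouring entries follow the same convention, so this is not introduced by the commit, but for a credential whose only job is to gate the endpoint it is worth tightening: `os.environ['UNDERCLOUD_HAPROXY_STATS_PASSWORD']`, or a check that the value is not `'unset'` before the template is rendered, would surface the misconfiguration instead of hiding it. The `context` dict begins before this hunk at the `context = {` line named in the hunk header, so the complete set of defaults is not visible here.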
@ -350,6 +350,9 @@ horizon_secret_key: {{UNDERCLOUD_HORIZON_SECRET_KEY}}
horizon::wsgi::apache::priority: 10
horizon::openstack_endpoint_type: internalURL
# Loadbalancer
tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}
# service tenant
ceilometer::api::keystone_tenant: 'service'
aodh::api::keystone_tenant: 'service'
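Review bot: The new `tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}` line interpolates the password into the hiera YAML unquoted, so a generated value that begins with a YAML-significant character (`*`, `&`, `{`, `[`, `#`, `!`, `%`, `@`) or contains `: ` or ` #` would be mis-parsed or rejected when hiera loads the file. Whether that can happen depends on the character set the generator in undercloud.py uses, which is not part of this diff; the existing `horizon_secret_key` line uses the same unquoted form, so either the generator is known to emit only safe characters or both values share the exposure. Quoting the value, `tripleo::loadbalancer::haproxy_stats_password: '{{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}'`, makes the template robust regardless, provided the generator never emits a single quote. A short `# Credential for the haproxy stats endpoint; generated in undercloud.py when not set in undercloud.conf` comment under `# Loadbalancer` would tell readers where the value originates.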
@ -6,6 +6,7 @@ UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
UNDERCLOUD_HAPROXY_STATS_PASSWORD=$(sudo hiera tripleo::loadbalancer::haproxy_stats_password)
UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)
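Review bot: `UNDERCLOUD_HAPROXY_STATS_PASSWORD=$(sudo hiera tripleo::loadbalancer::haproxy_stats_password)` does not handle the key being absent from hieradata, which is exactly the state of an undercloud deployed before this change; as far as I recall the hiera CLI prints `nil` for a missing key, so the variable would carry the literal string `nil` into the Python context instead of the `'unset'` default that triggers generation there. The surrounding lines have the same exposure, but this one is new and guards a credential, so a guard such as `[ "$UNDERCLOUD_HAPROXY_STATS_PASSWORD" != nil ] || unset UNDERCLOUD_HAPROXY_STATS_PASSWORD` after the assignment would let the generator take over on upgrade. The script's beginning and end, including where these variables are exported, are outside the hunk.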
@ -286,6 +286,10 @@ _auth_opts = [
help=('Swift hash suffix. '
'If left unset, one will be automatically generated.')
),
cfg.StrOpt('undercloud_haproxy_stats_password',
help=('HAProxy stats password. '
'If left unset, one will be automatically generated.')
),
]
CONF.register_opts(_opts)
CONF.register_opts(_auth_opts, group='auth')
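Review bot: The new `cfg.StrOpt('undercloud_haproxy_stats_password', ...)` is registered without `secret=True`, so oslo.config will print the password in clear text whenever option values are dumped (for example through `CONF.log_opt_values` at debug level). Registering it as `cfg.StrOpt('undercloud_haproxy_stats_password', secret=True, help=('HAProxy stats password. ' 'If left unset, one will be automatically generated.'))` masks it in such output; the neighbouring `undercloud_swift_hash_suffix` option would merit the same flag, but that is outside this change. The hunk shows only the registration; the code that actually generates a value when the option is unset, as the help text promises, is not in this diff, so I am assuming the existing handling of `_auth_opts` covers the new entry.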
@ -88,7 +88,6 @@
# Whether to use iPXE for deploy by default. (boolean value)
#ipxe_deploy = true
# Whether to store events in the Undercloud Ceilometer. (boolean
# value)
#store_events = false
@ -143,14 +142,14 @@
# generated. (string value)
#undercloud_ironic_password = <None>
# Aodh service password. If left unset, one will be automatically
# generated. (string value)
#undercloud_aodh_password = <None>
# Ceilometer service password. If left unset, one will be
# automatically generated. (string value)
#undercloud_ceilometer_password = <None>
# Aodh service password. If left unset, one will be
# automatically generated. (string value)
#undercloud_aodh_password = <None>
# Ceilometer metering secret. If left unset, one will be automatically
# generated. (string value)
#undercloud_ceilometer_metering_secret = <None>
@ -188,3 +187,7 @@
# Swift hash suffix. If left unset, one will be automatically
# generated. (string value)
#undercloud_swift_hash_suffix = <None>
# HAProxy stats password. If left unset, one will be automatically
# generated. (string value)
#undercloud_haproxy_stats_password = <None>