Secure haproxy stats endpoint

Currently when we deploy our haproxy configuration, it includes the
stats endpoint as unauthenticated.  This means anyone with access
to the undercloud can query the haproxy stats, which is a security
concern.

Change-Id: I94086c17c3fa5efe80650c2770bfb5c7f2f941ab
Depends-On: I8a5844e89bd81a99d5101ab6bce7a8d79e069565

elements/puppet-stack-config/install.d/02-puppet-stack-config

@@ -41,6 +41,7 @@ context = {
     'UNDERCLOUD_MISTRAL_PASSWORD': os.environ.get('UNDERCLOUD_MISTRAL_PASSWORD', 'unset'),
     'UNDERCLOUD_ZAQAR_PASSWORD': os.environ.get('UNDERCLOUD_ZAQAR_PASSWORD', 'unset'),
     'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
+    'UNDERCLOUD_HAPROXY_STATS_PASSWORD': os.environ.get('UNDERCLOUD_HAPROXY_STATS_PASSWORD', 'unset'),
     'UNDERCLOUD_HEAT_ENCRYPTION_KEY': os.environ.get('UNDERCLOUD_HEAT_ENCRYPTION_KEY', 'unset___________'),
     'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
     'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),

elements/puppet-stack-config/puppet-stack-config.yaml.template

@@ -436,6 +436,9 @@ zaqar::transport::wsgi::bind: {{LOCAL_IP}}
 zaqar::management::mongodb::uri: mongodb://127.0.0.1:27017
 zaqar::messaging::mongodb::uri: mongodb://127.0.0.1:27017
 
+# Loadbalancer
+tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}
+
 # service tenant
 ceilometer::api::keystone_tenant: 'service'
 aodh::api::keystone_tenant: 'service'

elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords

@@ -6,6 +6,7 @@ UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
 UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
 UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
 UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
+UNDERCLOUD_HAPROXY_STATS_PASSWORD=$(sudo hiera tripleo::loadbalancer::haproxy_stats_password)
 UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
 UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
 UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)

instack_undercloud/undercloud.py

@@ -313,6 +313,10 @@ _auth_opts = [
                help=('Sensu service password. '
                      'If left unset, one will be automatically generated.')
                ),
+    cfg.StrOpt('undercloud_haproxy_stats_password',
+               help=('HAProxy stats password. '
+                     'If left unset, one will be automatically generated.')
+               ),
 ]
 CONF.register_opts(_opts)
 CONF.register_opts(_auth_opts, group='auth')

undercloud.conf.sample

@@ -92,10 +92,11 @@
 # Whether to install Tempest in the Undercloud. (boolean value)
 #enable_tempest = true
 
-# Whether to install Mistral in the Undercloud. (boolean value)
+# Whether to install Mistral services in the Undercloud. (boolean
+# value)
 #enable_mistral = false
 
-# Whether to install Zaqar in the Undercloud. (boolean value)
+# Whether to install Zaqar services in the Undercloud. (boolean value)
 #enable_zaqar = false
 
 # Whether to use iPXE for deploy by default. (boolean value)
@@ -159,18 +160,14 @@
 # generated. (string value)
 #undercloud_ironic_password = <None>
 
+# Aodh service password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_aodh_password = <None>
+
 # Ceilometer service password. If left unset, one will be
 # automatically generated. (string value)
 #undercloud_ceilometer_password = <None>
 
-# Aodh service password. If left unset, one will be
-# automatically generated. (string value)
-#undercloud_aodh_password = <None>
-
-# Sensu service password. If left unset, one will be automatically
-# generated. (string value)
-#undercloud_sensu_password = <None>
-
 # Ceilometer metering secret. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_ceilometer_metering_secret = <None>
@@ -212,3 +209,11 @@
 # Swift hash suffix. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_swift_hash_suffix = <None>
+
+# Sensu service password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_sensu_password = <None>
+
+# HAProxy stats password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_haproxy_stats_password = <None>