Secure haproxy stats endpoint
Currently, when we deploy our haproxy configuration, the stats endpoint is exposed without authentication. This means anyone with access to the undercloud can query the haproxy stats, which is a security concern.

Change-Id: I94086c17c3fa5efe80650c2770bfb5c7f2f941ab
Depends-On: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
parent
10526c85d1
commit
f923da0c99
|
@ -41,6 +41,7 @@ context = {
|
|||
'UNDERCLOUD_MISTRAL_PASSWORD': os.environ.get('UNDERCLOUD_MISTRAL_PASSWORD', 'unset'),
|
||||
'UNDERCLOUD_ZAQAR_PASSWORD': os.environ.get('UNDERCLOUD_ZAQAR_PASSWORD', 'unset'),
|
||||
'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
|
||||
'UNDERCLOUD_HAPROXY_STATS_PASSWORD': os.environ.get('UNDERCLOUD_HAPROXY_STATS_PASSWORD', 'unset'),
|
||||
'UNDERCLOUD_HEAT_ENCRYPTION_KEY': os.environ.get('UNDERCLOUD_HEAT_ENCRYPTION_KEY', 'unset___________'),
|
||||
'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
|
||||
'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),
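Review bot: The `'unset'` fallback on the new `UNDERCLOUD_HAPROXY_STATS_PASSWORD` entry means that a run where the variable was never exported renders the literal string `unset` as the stats password, so the endpoint is protected by a guessable value instead of the install failing. The neighbouring entries use the same pattern, so this is consistent with the file, but for a credential added specifically to close an unauthenticated endpoint it would be safer to fail closed, e.g. `os.environ['UNDERCLOUD_HAPROXY_STATS_PASSWORD']`, or to reject `'unset'` before the hieradata is written. The `context` dict starts and ends outside this hunk, so a later validation step may exist that is not visible here.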
|
||||
|
|
|
@ -436,6 +436,9 @@ zaqar::transport::wsgi::bind: {{LOCAL_IP}}
|
|||
zaqar::management::mongodb::uri: mongodb://127.0.0.1:27017
|
||||
zaqar::messaging::mongodb::uri: mongodb://127.0.0.1:27017
|
||||
|
||||
# Loadbalancer
|
||||
tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}
|
||||
|
||||
# service tenant
|
||||
ceilometer::api::keystone_tenant: 'service'
|
||||
aodh::api::keystone_tenant: 'service'
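Review bot: The new `tripleo::loadbalancer::haproxy_stats_password` value is rendered into the YAML unquoted, so an operator-supplied password containing `#` or `: `, starting with a YAML indicator character, or consisting only of digits would be truncated, retyped or break parsing. Quoting the template value avoids most of this: `tripleo::loadbalancer::haproxy_stats_password: '{{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}'` (a password containing a single quote would still need escaping). It would also help to add a comment above the key naming the option in undercloud.conf that feeds it, since the `# Loadbalancer` heading alone does not say where the value comes from.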
|
||||
|
|
|
@ -6,6 +6,7 @@ UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
|
|||
UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
|
||||
UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
|
||||
UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
|
||||
UNDERCLOUD_HAPROXY_STATS_PASSWORD=$(sudo hiera tripleo::loadbalancer::haproxy_stats_password)
|
||||
UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
|
||||
UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
|
||||
UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)
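Review bot: `sudo hiera tripleo::loadbalancer::haproxy_stats_password` prints `nil` when the key is absent, which is presumably the case on an undercloud installed before this change, so `UNDERCLOUD_HAPROXY_STATS_PASSWORD` would hold the string `nil` rather than being empty. If this script's output is fed back into a later install or upgrade, the stats endpoint would end up with that predictable password. A guard after the assignment, such as `[ "$UNDERCLOUD_HAPROXY_STATS_PASSWORD" = "nil" ] && unset UNDERCLOUD_HAPROXY_STATS_PASSWORD`, would let a fresh value be generated instead. The rest of the script is outside the hunk, so how the variable is consumed should be confirmed.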
|
||||
|
|
|
@ -313,6 +313,10 @@ _auth_opts = [
|
|||
help=('Sensu service password. '
|
||||
'If left unset, one will be automatically generated.')
|
||||
),
|
||||
cfg.StrOpt('undercloud_haproxy_stats_password',
|
||||
help=('HAProxy stats password. '
|
||||
'If left unset, one will be automatically generated.')
|
||||
),
|
||||
]
|
||||
CONF.register_opts(_opts)
|
||||
CONF.register_opts(_auth_opts, group='auth')
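Review bot: The new `undercloud_haproxy_stats_password` option is registered without `secret=True`, so oslo.config will print its value in clear text wherever option values are logged. Marking it secret masks the value in that output: `cfg.StrOpt('undercloud_haproxy_stats_password', secret=True,`. The Sensu option visible just above appears to lack the flag as well, and the `_auth_opts` list starts outside this hunk, so the other password options may need the same change.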
|
||||
|
|
|
@ -92,10 +92,11 @@
|
|||
# Whether to install Tempest in the Undercloud. (boolean value)
|
||||
#enable_tempest = true
|
||||
|
||||
# Whether to install Mistral in the Undercloud. (boolean value)
|
||||
# Whether to install Mistral services in the Undercloud. (boolean
|
||||
# value)
|
||||
#enable_mistral = false
|
||||
|
||||
# Whether to install Zaqar in the Undercloud. (boolean value)
|
||||
# Whether to install Zaqar services in the Undercloud. (boolean value)
|
||||
#enable_zaqar = false
|
||||
|
||||
# Whether to use iPXE for deploy by default. (boolean value)
|
||||
|
@ -159,18 +160,14 @@
|
|||
# generated. (string value)
|
||||
#undercloud_ironic_password = <None>
|
||||
|
||||
# Aodh service password. If left unset, one will be automatically
|
||||
# generated. (string value)
|
||||
#undercloud_aodh_password = <None>
|
||||
|
||||
# Ceilometer service password. If left unset, one will be
|
||||
# automatically generated. (string value)
|
||||
#undercloud_ceilometer_password = <None>
|
||||
|
||||
# Aodh service password. If left unset, one will be
|
||||
# automatically generated. (string value)
|
||||
#undercloud_aodh_password = <None>
|
||||
|
||||
# Sensu service password. If left unset, one will be automatically
|
||||
# generated. (string value)
|
||||
#undercloud_sensu_password = <None>
|
||||
|
||||
# Ceilometer metering secret. If left unset, one will be automatically
|
||||
# generated. (string value)
|
||||
#undercloud_ceilometer_metering_secret = <None>
|
||||
|
@ -212,3 +209,11 @@
|
|||
# Swift hash suffix. If left unset, one will be automatically
|
||||
# generated. (string value)
|
||||
#undercloud_swift_hash_suffix = <None>
|
||||
|
||||
# Sensu service password. If left unset, one will be automatically
|
||||
# generated. (string value)
|
||||
#undercloud_sensu_password = <None>
|
||||
|
||||
# HAProxy stats password. If left unset, one will be automatically
|
||||
# generated. (string value)
|
||||
#undercloud_haproxy_stats_password = <None>
|
||||
|
|