Commit fe07438d authored by Thomas Goirand's avatar Thomas Goirand

No SSL for VNC proxy.

parent 52535b1d
......@@ -20,6 +20,7 @@ openstack-cluster-installer (18) unstable; urgency=medium
- network_vlan_ranges = external (so, we use br-ex for the VLANs).
* Do not chown swift:swift /srv/node/X if X isn't mounted (which may be the
case if there's a borken drive in a swift cluster).
* Add firewalling of Octavia API on the VIP.
-- Thomas Goirand <zigo@debian.org> Thu, 24 Jan 2019 15:09:46 +0100
......
......@@ -274,6 +274,12 @@ export OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem
action => drop,
destination => "${vip_ipaddr}/${vip_netmask}",
dport => [7080, 7443],
}->
firewall { '008 deny public access to octavia API without haproxy':
proto => tcp,
action => drop,
destination => "${vip_ipaddr}/${vip_netmask}",
dport => [9876],
}
##############################
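Review bot: Port 6080 gets no rule of this kind, although the same commit puts the noVNC proxy behind haproxy and, judging by the backend definition further down, without TLS on that leg. Rule 008 keeps clients from reaching the Octavia API on 9876 directly; without the same treatment the console proxy may stay reachable in cleartext around the TLS front end. A rule mirroring 008 with `dport => [6080],` chained after it would cover that, assuming the accept rules earlier in the chain already let haproxy reach its backends. The chain starts above the hunk, so the rule numbering in use cannot be checked from here.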
......@@ -392,6 +398,8 @@ export OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem
{ 'use_backend' => 'novabe if url_nova'},
{ 'acl' => 'url_placement path_beg -i /placement'},
{ 'use_backend' => 'placementbe if url_placement'},
{ 'acl' => 'url_novnc path_beg -i /novnc'},
{ 'use_backend' => 'novncbe if url_novnc'},
]
$neutron_haproxy_options = [
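Review bot: The `url_novnc` ACL routes only requests whose path begins with `/novnc`, which may miss the console's websocket connection. As far as I know, the noVNC page opens that websocket on a path of its own (`websockify` unless a `path` parameter is passed), and such a request would fall through to whatever backend handles unmatched paths. It is worth confirming with a real console session, then either adding a second ACL for the websocket path or making the client use a path under `/novnc`. `path_beg -i /novnc` also matches any path that merely starts with those characters, such as `/novncfoo`, which the rewrite rule in the backend then forwards unchanged.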
......@@ -714,6 +722,22 @@ export OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem
ports => 8778,
options => 'check ssl verify none',
}
haproxy::backend { 'novncbe':
options => [
{ 'option' => 'forwardfor' },
{ 'mode' => 'http' },
{ 'balance' => 'source' },
{ 'reqrep' => '^([^\ ]*\ /)novnc[/]?(.*) \1\2'},
],
}
haproxy::balancermember { 'novncbm':
listening_service => 'novnctbe',
ipaddresses => $all_masters_ip,
server_names => $all_masters,
ports => 6080,
options => 'check',
}
}
if $has_subrole_neutron {
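Review bot: `listening_service => 'novnctbe'` in the `novncbm` balancer member does not match the backend declared just above it, `novncbe`. The members would apparently be attached to a service name that is never defined, leaving `novncbe` with no servers; the line should read `listening_service => 'novncbe',`. Separately, `options => 'check'` means haproxy speaks plain HTTP to port 6080, unlike the `check ssl verify none` member just above. That fits the commit title but leaves console traffic unencrypted between haproxy and the masters, so a one-line comment such as `# TLS terminates at haproxy; nova-novncproxy on 6080 is plain HTTP by design` would record the intent. The enclosing block starts outside the hunk.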
......@@ -2157,7 +2181,16 @@ test -e \$mon_data/done
class { '::nova::scheduler': }
class { '::nova::scheduler::filter': }
class { '::nova::vncproxy': }
class { '::nova::vncproxy':
host => $machine_ip,
vncproxy_path => "/novnc/vnc_auto.html",
}
class { '::nova::vncproxy::common':
vncproxy_protocol => 'https',
vncproxy_host => "${vip_hostname}",
vncproxy_path => "/novnc/vnc_auto.html",
vncproxy_port => "443",
}
nova_config {
'neutron/cafile': value => '/etc/ssl/certs/oci-pki-oci-ca-chain.pem';
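Review bot: The path `/novnc/vnc_auto.html` is written out twice, once in `::nova::vncproxy` and once in `::nova::vncproxy::common`. It also has to agree with the `/novnc` prefix used by the haproxy ACL and rewrite elsewhere in this commit, so editing one copy later would silently break the console URL. A single variable referenced from both classes, for example `$novnc_path = '/novnc/vnc_auto.html'` (name constructed here), would keep them in step. Literals without interpolation would conventionally be single-quoted and the variable passed bare: `vncproxy_host => $vip_hostname,` and `vncproxy_port => '443',`. A short comment that the advertised URL is `https` on 443 because TLS ends at haproxy, while the proxy bound to `$machine_ip` serves plain HTTP, would explain the mismatch to the next reader.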
......