e3d5a91a90
This patch introduces an optional backend encryption for Horizon and Placement services. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the Horizon and Placement services. Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d Partially-Implements: blueprint add-ssl-internal-network
142 lines
5.0 KiB
YAML
142 lines
5.0 KiB
YAML
---
|
|
- name: Ensuring config directories exist
|
|
become: true
|
|
file:
|
|
path: "{{ node_config_directory }}/{{ item.key }}"
|
|
state: "directory"
|
|
owner: "{{ config_owner_user }}"
|
|
group: "{{ config_owner_group }}"
|
|
mode: "0770"
|
|
when:
|
|
- inventory_hostname in groups[item.value.group]
|
|
- item.value.enabled | bool
|
|
with_dict: "{{ horizon_services }}"
|
|
|
|
- name: Set empty custom policy
|
|
set_fact:
|
|
custom_policy: []
|
|
|
|
- include_tasks: policy_item.yml
|
|
vars:
|
|
project_name: "{{ item.name }}"
|
|
when: item.enabled | bool
|
|
with_items:
|
|
- { name: "ceilometer", enabled: "{{ enable_ceilometer_horizon_policy_file }}" }
|
|
- { name: "cinder", enabled: "{{ enable_cinder_horizon_policy_file }}" }
|
|
- { name: "congress", enabled: "{{ enable_congress_horizon_policy_file }}" }
|
|
- { name: "cloudkitty", enabled: "{{ enable_horizon_cloudkitty }}" }
|
|
- { name: "designate", enabled: "{{ enable_horizon_designate }}" }
|
|
- { name: "freezer", enabled: "{{ enable_horizon_freezer }}" }
|
|
- { name: "glance", enabled: "{{ enable_glance_horizon_policy_file }}" }
|
|
- { name: "heat", enabled: "{{ enable_heat_horizon_policy_file }}" }
|
|
- { name: "ironic", enabled: "{{ enable_horizon_ironic }}" }
|
|
- { name: "keystone", enabled: "{{ enable_keystone_horizon_policy_file }}" }
|
|
- { name: "karbor", enabled: "{{ enable_horizon_karbor }}" }
|
|
- { name: "magnum", enabled: "{{ enable_horizon_magnum }}" }
|
|
- { name: "manila", enabled: "{{ enable_horizon_manila }}" }
|
|
- { name: "masakari", enabled: "{{ enable_horizon_masakari }}" }
|
|
- { name: "mistral", enabled: "{{ enable_horizon_mistral }}" }
|
|
- { name: "monasca", enabled: "{{ enable_horizon_monasca }}" }
|
|
- { name: "murano", enabled: "{{ enable_horizon_murano }}" }
|
|
- { name: "neutron", enabled: "{{ enable_neutron_horizon_policy_file }}" }
|
|
- { name: "nova", enabled: "{{ enable_nova_horizon_policy_file }}" }
|
|
- { name: "octavia", enabled: "{{ enable_horizon_octavia }}" }
|
|
- { name: "qinling", enabled: "{{ enable_horizon_qinling }}" }
|
|
- { name: "sahara", enabled: "{{ enable_horizon_sahara }}" }
|
|
- { name: "searchlight", enabled: "{{ enable_horizon_searchlight }}" }
|
|
- { name: "senlin", enabled: "{{ enable_horizon_senlin }}" }
|
|
- { name: "solum", enabled: "{{ enable_horizon_solum }}" }
|
|
- { name: "tacker", enabled: "{{ enable_horizon_tacker }}" }
|
|
- { name: "trove", enabled: "{{ enable_horizon_trove }}" }
|
|
- { name: "watcher", enabled: "{{ enable_horizon_watcher }}" }
|
|
|
|
- name: Copying over config.json files for services
|
|
become: true
|
|
vars:
|
|
horizon: "{{ horizon_services['horizon'] }}"
|
|
template:
|
|
src: "horizon.json.j2"
|
|
dest: "{{ node_config_directory }}/horizon/config.json"
|
|
mode: "0660"
|
|
when:
|
|
- horizon.enabled | bool
|
|
- inventory_hostname in groups[horizon.group]
|
|
notify:
|
|
- Restart horizon container
|
|
|
|
- name: Copying over horizon.conf
|
|
become: true
|
|
vars:
|
|
horizon: "{{ horizon_services['horizon'] }}"
|
|
template:
|
|
src: "{{ item }}"
|
|
dest: "{{ node_config_directory }}/horizon/horizon.conf"
|
|
mode: "0660"
|
|
with_first_found:
|
|
- "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/horizon.conf"
|
|
- "{{ node_custom_config }}/horizon/horizon.conf"
|
|
- "horizon.conf.j2"
|
|
when:
|
|
- horizon.enabled | bool
|
|
- inventory_hostname in groups[horizon.group]
|
|
notify:
|
|
- Restart horizon container
|
|
|
|
- name: Copying over local_settings
|
|
become: true
|
|
vars:
|
|
horizon: "{{ horizon_services['horizon'] }}"
|
|
template:
|
|
src: "{{ item }}"
|
|
dest: "{{ node_config_directory }}/horizon/local_settings"
|
|
mode: "0660"
|
|
with_first_found:
|
|
- "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/local_settings"
|
|
- "{{ node_custom_config }}/horizon/local_settings"
|
|
- "local_settings.j2"
|
|
when:
|
|
- horizon.enabled | bool
|
|
- inventory_hostname in groups[horizon.group]
|
|
notify:
|
|
- Restart horizon container
|
|
|
|
- name: Copying over custom_local_settings
|
|
become: true
|
|
vars:
|
|
horizon: "{{ horizon_services['horizon'] }}"
|
|
template:
|
|
src: "{{ item }}"
|
|
dest: "{{ node_config_directory }}/horizon/custom_local_settings"
|
|
mode: "0660"
|
|
with_first_found:
|
|
- "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/custom_local_settings"
|
|
- "{{ node_custom_config }}/horizon/custom_local_settings"
|
|
- "custom_local_settings.j2"
|
|
when:
|
|
- horizon.enabled | bool
|
|
- inventory_hostname in groups[horizon.group]
|
|
notify:
|
|
- Restart horizon container
|
|
|
|
- name: Copying over existing policy file
|
|
become: true
|
|
vars:
|
|
horizon: "{{ horizon_services['horizon'] }}"
|
|
template:
|
|
src: "{{ item }}"
|
|
dest: "{{ node_config_directory }}/horizon/{{ item | basename }}"
|
|
mode: "0660"
|
|
when:
|
|
- horizon.enabled | bool
|
|
- inventory_hostname in groups[horizon.group]
|
|
with_items: "{{ custom_policy }}"
|
|
notify:
|
|
- Restart horizon container
|
|
|
|
- include_tasks: copy-certs.yml
|
|
when:
|
|
- kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool
|
|
|
|
- include_tasks: check-containers.yml
|
|
when: kolla_action != "config"
|