Fix SSL with HAProxy.
authorRobert Collins <rbtcollins@hp.com>
Fri, 18 Jul 2014 08:56:23 +0000 (20:56 +1200)
committerRobert Collins <rbtcollins@hp.com>
Sat, 19 Jul 2014 07:42:43 +0000 (19:42 +1200)
The current configuration of services is that if SSL is in use (signaled by
stunnel.connect_ip) we bind to 127.0.0.1 - which is great, but it breaks
simultaneous non-SSL due to there being no pass-through stunnel equivalent on
all the nodes. As an interim measure, teach stunnel to connect to the ctlplane
address instead. We will need this flexibility in future anyway to deal with
mixed-mode configurations, but we don't yet have an SSL only configuration.

The change will permit SSL only by altering the Deployment object only - the
SSL config object should now be flexible enough to run in either mode (but as
yet on an all-one-way-or-the-other basis).

Change-Id: Ibac3dec1fe7b573029482fdd9ad2d2f6223fbce0

overcloud-source.yaml
ssl-source.yaml

index a8fcb9a..4d24b08 100644 (file)
@@ -670,6 +670,14 @@ Resources:
       server: {Ref: controller0}
       signal_transport: NO_SIGNAL
       input_values:
+        controller_host:
+          Fn::Select:
+            - 0
+            - Fn::Select:
+              - ctlplane
+              - Fn::GetAtt:
+                - controller0
+                - networks
         ssl_certificate: {Ref: SSLCertificate}
         ssl_key: {Ref: SSLKey}
         ssl_ca_certificate: {Ref: SSLCACertificate}
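Review bot: controller_host (lines 27-34) resolves to the first ctlplane address of controller0 alone, so every stunnel backend in ssl-source.yaml will only ever reach that single node; if more than one controller is deployed this would presumably need to be the HAProxy frontend/VIP address rather than one host's NIC, and the input deserves a comment saying so, e.g. `# first ctlplane address of controller0 only; revisit (HAProxy VIP) before scaling controllers`. The two nested Fn::Select sequences also use different sequence indentation (`- 0` indented under its key, `- ctlplane` flush with `Fn::Select`); pick one form for the file. The enclosing deployment resource starts outside the hunk.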
index 38d6d7e..e64eca5 100644 (file)
@@ -31,24 +31,40 @@ Resources:
            - name: 'ec2'
              accept: 13773
              connect: 8773
+             connect_host:
+               get_input: controller_host
            - name: 'image'
              accept: 13292
              connect: 9292
+             connect_host:
+               get_input: controller_host
            - name: 'identity'
              accept: 13000
              connect: 5000
+             connect_host:
+               get_input: controller_host
            - name: 'network'
              accept: 13696
              connect: 9696
+             connect_host:
+               get_input: controller_host
            - name: 'compute'
              accept: 13774
              connect: 8774
+             connect_host:
+               get_input: controller_host
            - name: 'swift-proxy'
              accept: 13080
              connect: 8080
+             connect_host:
+               get_input: controller_host
            - name: 'cinder'
              accept: 13776
              connect: 8776
+             connect_host:
+               get_input: controller_host
            - name: 'ceilometer'
              accept: 13777
              connect: 8777
+             connect_host:
+               get_input: controller_host
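Review bot: The stunnel `connect` side is the cleartext leg, so with `connect_host` now set to a non-loopback address (lines 43-79) the decrypted traffic leaves 127.0.0.1; it stays on the node only because overcloud-source.yaml feeds it the node's own ctlplane address, and nothing here records that assumption. A comment at the head of the service list (which starts above the hunk) would pin it, e.g. `# connect_host is the plaintext backend; keep it the local node's address - a remote host would carry decrypted traffic over ctlplane`. It is also unclear what an entry without `connect_host` does — the commit message implies it falls back to 127.0.0.1 — and with the same two-line pair repeated eight times, a forgotten entry would silently differ from the others; a note such as `# every entry needs connect_host (default is 127.0.0.1 - confirm against the element)` would help.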