Merge "Allow deploying keystone with SSL certificates"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
bddaf0afb6
@ -209,6 +209,7 @@ function configure_cinder() {
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken auth_host
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken auth_port
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken auth_protocol
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken cafile
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_user
|
||||
inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password
|
||||
@ -219,6 +220,7 @@ function configure_cinder() {
|
||||
iniset $CINDER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset $CINDER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset $CINDER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $CINDER_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $CINDER_CONF keystone_authtoken admin_user cinder
|
||||
iniset $CINDER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
|
||||
|
||||
@ -82,6 +82,7 @@ function configure_glance() {
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_user glance
|
||||
@ -99,6 +100,7 @@ function configure_glance() {
|
||||
iniset $GLANCE_API_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset $GLANCE_API_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset $GLANCE_API_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $GLANCE_API_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset $GLANCE_API_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
|
||||
iniset $GLANCE_API_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $GLANCE_API_CONF keystone_authtoken admin_user glance
|
||||
|
||||
1
lib/heat
1
lib/heat
@ -96,6 +96,7 @@ function configure_heat() {
|
||||
iniset $HEAT_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset $HEAT_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $HEAT_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0
|
||||
iniset $HEAT_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $HEAT_CONF keystone_authtoken admin_user heat
|
||||
iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
|
||||
|
||||
@ -98,6 +98,7 @@ function configure_ironic_api() {
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $IRONIC_CONF_FILE keystone_authtoken admin_user ironic
|
||||
|
||||
19
lib/keystone
19
lib/keystone
@ -4,6 +4,7 @@
|
||||
# Dependencies:
|
||||
#
|
||||
# - ``functions`` file
|
||||
# - ``tls`` file
|
||||
# - ``DEST``, ``STACK_USER``
|
||||
# - ``IDENTITY_API_VERSION``
|
||||
# - ``BASE_SQL_CONN``
|
||||
@ -79,6 +80,13 @@ KEYSTONE_VALID_IDENTITY_BACKENDS=kvs,ldap,pam,sql
|
||||
# valid assignment backends as per dir keystone/identity/backends
|
||||
KEYSTONE_VALID_ASSIGNMENT_BACKENDS=kvs,ldap,sql
|
||||
|
||||
# if we are running with SSL use https protocols
|
||||
if is_ssl_enabled_service "key"; then
|
||||
KEYSTONE_AUTH_PROTOCOL="https"
|
||||
KEYSTONE_SERVICE_PROTOCOL="https"
|
||||
fi
|
||||
|
||||
|
||||
# Functions
|
||||
# ---------
|
||||
# cleanup_keystone() - Remove residual data files, anything left over from previous
|
||||
@ -172,6 +180,15 @@ function configure_keystone() {
|
||||
iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/"
|
||||
iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/"
|
||||
|
||||
# Register SSL certificates if provided
|
||||
if is_ssl_enabled_service key; then
|
||||
ensure_certificates KEYSTONE
|
||||
|
||||
iniset $KEYSTONE_CONF ssl enable True
|
||||
iniset $KEYSTONE_CONF ssl certfile $KEYSTONE_SSL_CERT
|
||||
iniset $KEYSTONE_CONF ssl keyfile $KEYSTONE_SSL_KEY
|
||||
fi
|
||||
|
||||
if is_service_enabled tls-proxy; then
|
||||
# Set the service ports for a proxy to take the originals
|
||||
iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT
|
||||
@ -386,7 +403,7 @@ function start_keystone() {
|
||||
fi
|
||||
|
||||
echo "Waiting for keystone to start..."
|
||||
if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -s http://$SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
|
||||
if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then
|
||||
die $LINENO "keystone did not start"
|
||||
fi
|
||||
|
||||
|
||||
2
lib/nova
2
lib/nova
@ -225,6 +225,7 @@ function configure_nova() {
|
||||
inicomment $NOVA_API_PASTE_INI filter:authtoken auth_host
|
||||
inicomment $NOVA_API_PASTE_INI filter:authtoken auth_protocol
|
||||
inicomment $NOVA_API_PASTE_INI filter:authtoken admin_tenant_name
|
||||
inicomment $NOVA_API_PASTE_INI filter:authtoken cafile
|
||||
inicomment $NOVA_API_PASTE_INI filter:authtoken admin_user
|
||||
inicomment $NOVA_API_PASTE_INI filter:authtoken admin_password
|
||||
fi
|
||||
@ -399,6 +400,7 @@ function create_nova_conf() {
|
||||
iniset $NOVA_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset $NOVA_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $NOVA_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $NOVA_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset $NOVA_CONF keystone_authtoken admin_user nova
|
||||
iniset $NOVA_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
|
||||
fi
|
||||
|
||||
@ -316,6 +316,7 @@ function configure_swift() {
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken cafile $KEYSTONE_SSL_CA
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken admin_user swift
|
||||
@ -339,6 +340,7 @@ paste.filter_factory = keystone.middleware.s3_token:filter_factory
|
||||
auth_port = ${KEYSTONE_AUTH_PORT}
|
||||
auth_host = ${KEYSTONE_AUTH_HOST}
|
||||
auth_protocol = ${KEYSTONE_AUTH_PROTOCOL}
|
||||
cafile = ${KEYSTONE_SSL_CA}
|
||||
auth_token = ${SERVICE_TOKEN}
|
||||
admin_token = ${SERVICE_TOKEN}
|
||||
|
||||
|
||||
50
lib/tls
50
lib/tls
@ -22,7 +22,8 @@
|
||||
# - make_int_ca
|
||||
# - new_cert $INT_CA_DIR int-server "abc"
|
||||
# - start_tls_proxy HOST_IP 5000 localhost 5000
|
||||
|
||||
# - ensure_certificates
|
||||
# - is_ssl_enabled_service
|
||||
|
||||
# Defaults
|
||||
# --------
|
||||
@ -309,6 +310,53 @@ function make_root_CA() {
|
||||
}
|
||||
|
||||
|
||||
# Certificate Input Configuration
|
||||
# ===============================
|
||||
|
||||
# check to see if the service(s) specified are to be SSL enabled.
|
||||
#
|
||||
# Multiple services specified as arguments are ``OR``'ed together; the test
|
||||
# is a short-circuit boolean, i.e it returns on the first match.
|
||||
#
|
||||
# Uses global ``SSL_ENABLED_SERVICES``
|
||||
function is_ssl_enabled_service() {
|
||||
services=$@
|
||||
for service in ${services}; do
|
||||
[[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
|
||||
# Ensure that the certificates for a service are in place. This function does
|
||||
# not check that a service is SSL enabled, this should already have been
|
||||
# completed.
|
||||
#
|
||||
# The function expects to find a certificate, key and CA certificate in the
|
||||
# variables {service}_SSL_CERT, {service}_SSL_KEY and {service}_SSL_CA. For
|
||||
# example for keystone this would be KEYSTONE_SSL_CERT, KEYSTONE_SSL_KEY and
|
||||
# KEYSTONE_SSL_CA. If it does not find these certificates the program will
|
||||
# quit.
|
||||
function ensure_certificates() {
|
||||
local service=$1
|
||||
|
||||
local cert_var="${service}_SSL_CERT"
|
||||
local key_var="${service}_SSL_KEY"
|
||||
local ca_var="${service}_SSL_CA"
|
||||
|
||||
local cert=${!cert_var}
|
||||
local key=${!key_var}
|
||||
local ca=${!ca_var}
|
||||
|
||||
if [[ !($cert && $key && $ca) ]]; then
|
||||
die $LINENO "Missing either the ${cert_var} ${key_var} or ${ca_var}" \
|
||||
"variable to enable SSL for ${service}"
|
||||
fi
|
||||
|
||||
cat $ca >> $SSL_BUNDLE_FILE
|
||||
}
|
||||
|
||||
|
||||
# Proxy Functions
|
||||
# ===============
|
||||
|
||||
|
||||
@ -29,7 +29,6 @@ TROVE_DIR=$DEST/trove
|
||||
TROVECLIENT_DIR=$DEST/python-troveclient
|
||||
TROVE_CONF_DIR=/etc/trove
|
||||
TROVE_LOCAL_CONF_DIR=$TROVE_DIR/etc/trove
|
||||
TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION
|
||||
TROVE_AUTH_CACHE_DIR=${TROVE_AUTH_CACHE_DIR:-/var/cache/trove}
|
||||
TROVE_BIN_DIR=/usr/local/bin
|
||||
|
||||
@ -102,6 +101,7 @@ function configure_trove() {
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth auth_host $KEYSTONE_AUTH_HOST
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth auth_port $KEYSTONE_AUTH_PORT
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth cafile $KEYSTONE_SSL_CA
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth admin_tenant_name $SERVICE_TENANT_NAME
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth admin_user trove
|
||||
iniset $TROVE_API_PASTE_INI filter:tokenauth admin_password $SERVICE_PASSWORD
|
||||
@ -123,6 +123,8 @@ function configure_trove() {
|
||||
|
||||
# (Re)create trove taskmanager conf file if needed
|
||||
if is_service_enabled tr-tmgr; then
|
||||
TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION
|
||||
|
||||
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD
|
||||
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove`
|
||||
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT taskmanager_manager trove.taskmanager.manager.Manager
|
||||
|
||||
5
openrc
5
openrc
@ -58,6 +58,7 @@ export OS_NO_CACHE=${OS_NO_CACHE:-1}
|
||||
HOST_IP=${HOST_IP:-127.0.0.1}
|
||||
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
|
||||
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
|
||||
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
|
||||
# Some exercises call glance directly. On a single-node installation, Glance
|
||||
# should be listening on HOST_IP. If its running elsewhere, it can be set here
|
||||
@ -71,10 +72,10 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-2.0}
|
||||
# the user/tenant has access to - including nova, glance, keystone, swift, ...
|
||||
# We currently recommend using the 2.0 *identity api*.
|
||||
#
|
||||
export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v${OS_IDENTITY_API_VERSION}
|
||||
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:5000/v${OS_IDENTITY_API_VERSION}
|
||||
|
||||
# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
|
||||
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
||||
export OS_CACERT=${OS_CACERT:-$INT_CA_DIR/ca-chain.pem}
|
||||
|
||||
# Currently novaclient needs you to specify the *compute api* version. This
|
||||
# needs to match the config of your catalog returned by Keystone.
|
||||
|
||||
26
stack.sh
26
stack.sh
@ -290,6 +290,10 @@ LOG_COLOR=`trueorfalse True $LOG_COLOR`
|
||||
# Service startup timeout
|
||||
SERVICE_TIMEOUT=${SERVICE_TIMEOUT:-60}
|
||||
|
||||
# Reset the bundle of CA certificates
|
||||
SSL_BUNDLE_FILE="$DATA_DIR/ca-bundle.pem"
|
||||
rm -f $SSL_BUNDLE_FILE
|
||||
|
||||
|
||||
# Configure Projects
|
||||
# ==================
|
||||
@ -799,6 +803,17 @@ fi
|
||||
restart_rpc_backend
|
||||
|
||||
|
||||
# Export Certicate Authority Bundle
|
||||
# ---------------------------------
|
||||
|
||||
# If certificates were used and written to the SSL bundle file then these
|
||||
# should be exported so clients can validate their connections.
|
||||
|
||||
if [ -f $SSL_BUNDLE_FILE ]; then
|
||||
export OS_CACERT=$SSL_BUNDLE_FILE
|
||||
fi
|
||||
|
||||
|
||||
# Configure database
|
||||
# ------------------
|
||||
|
||||
@ -1146,6 +1161,7 @@ if is_service_enabled trove; then
|
||||
start_trove
|
||||
fi
|
||||
|
||||
|
||||
# Create account rc files
|
||||
# =======================
|
||||
|
||||
@ -1154,7 +1170,13 @@ fi
|
||||
# which is helpful in image bundle steps.
|
||||
|
||||
if is_service_enabled nova && is_service_enabled key; then
|
||||
$TOP_DIR/tools/create_userrc.sh -PA --target-dir $TOP_DIR/accrc
|
||||
USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc"
|
||||
|
||||
if [ -f $SSL_BUNDLE_FILE ]; then
|
||||
USERRC_PARAMS="$USERRC_PARAMS --os-cacert $SSL_BUNDLE_FILE"
|
||||
fi
|
||||
|
||||
$TOP_DIR/tools/create_userrc.sh $USERRC_PARAMS
|
||||
fi
|
||||
|
||||
|
||||
@ -1230,7 +1252,7 @@ fi
|
||||
CURRENT_RUN_TIME=$(date "+$TIMESTAMP_FORMAT")
|
||||
echo "# $CURRENT_RUN_TIME" >$TOP_DIR/.stackenv
|
||||
for i in BASE_SQL_CONN ENABLED_SERVICES HOST_IP LOGFILE \
|
||||
SERVICE_HOST SERVICE_PROTOCOL STACK_USER TLS_IP; do
|
||||
SERVICE_HOST SERVICE_PROTOCOL STACK_USER TLS_IP KEYSTONE_AUTH_PROTOCOL OS_CACERT; do
|
||||
echo $i=${!i} >>$TOP_DIR/.stackenv
|
||||
done
|
||||
|
||||
|
||||
@ -43,6 +43,7 @@ Optional Arguments
|
||||
--os-tenant-name <tenant_name>
|
||||
--os-tenant-id <tenant_id>
|
||||
--os-auth-url <auth_url>
|
||||
--os-cacert <cert file>
|
||||
--target-dir <target_directory>
|
||||
--skip-tenant <tenant-name>
|
||||
--debug
|
||||
@ -53,7 +54,7 @@ $0 -P -C mytenant -u myuser -p mypass
|
||||
EOF
|
||||
}
|
||||
|
||||
if ! options=$(getopt -o hPAp:u:r:C: -l os-username:,os-password:,os-tenant-name:,os-tenant-id:,os-auth-url:,target-dir:,skip-tenant:,help,debug -- "$@")
|
||||
if ! options=$(getopt -o hPAp:u:r:C: -l os-username:,os-password:,os-tenant-name:,os-tenant-id:,os-auth-url:,target-dir:,skip-tenant:,os-cacert:,help,debug -- "$@")
|
||||
then
|
||||
#parse error
|
||||
display_help
|
||||
@ -80,6 +81,7 @@ do
|
||||
--os-tenant-id) export OS_TENANT_ID=$2; shift ;;
|
||||
--skip-tenant) SKIP_TENANT="$SKIP_TENANT$2,"; shift ;;
|
||||
--os-auth-url) export OS_AUTH_URL=$2; shift ;;
|
||||
--os-cacert) export OS_CACERT=$2; shift ;;
|
||||
--target-dir) ACCOUNT_DIR=$2; shift ;;
|
||||
--debug) set -o xtrace ;;
|
||||
-u) MODE=${MODE:-one}; USER_NAME=$2; shift ;;
|
||||
@ -201,6 +203,7 @@ export OS_USERNAME="$user_name"
|
||||
# Openstack Tenant ID = $tenant_id
|
||||
export OS_TENANT_NAME="$tenant_name"
|
||||
export OS_AUTH_URL="$OS_AUTH_URL"
|
||||
export OS_CACERT="$OS_CACERT"
|
||||
export EC2_CERT="$ec2_cert"
|
||||
export EC2_PRIVATE_KEY="$ec2_private_key"
|
||||
export EC2_USER_ID=42 #not checked by nova (can be a 12-digit id)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user