
Enable TLS by default

This enables TLS by default in the undercloud. This is done by setting
the generate_service_certificate option to True by default, although
the deployer can turn it off if needed.

Change-Id: Id329081c06343373309d6880d464ba99aba0c7be
tags/9.0.0
Juan Antonio Osorio Robles 1 year ago
parent
commit
41f2694d13
4 changed files with 25 additions and 14 deletions
  1. +18
    -12
      instack_undercloud/tests/test_undercloud.py
  2. +1
    -1
      instack_undercloud/undercloud.py
  3. +5
    -0
      releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
  4. +1
    -1
      undercloud.conf.sample

+ 18
- 12
instack_undercloud/tests/test_undercloud.py View File

@@ -213,10 +213,10 @@ class TestUndercloud(BaseTestCase):
def test_extract_from_stackrc(self):
with open(os.path.expanduser('~/stackrc'), 'w') as f:
f.write('OS_USERNAME=aturing\n')
f.write('OS_AUTH_URL=http://bletchley:5000/\n')
f.write('OS_AUTH_URL=https://bletchley:5000/\n')
self.assertEqual('aturing',
undercloud._extract_from_stackrc('OS_USERNAME'))
self.assertEqual('http://bletchley:5000/',
self.assertEqual('https://bletchley:5000/',
undercloud._extract_from_stackrc('OS_AUTH_URL'))

@mock.patch('instack_undercloud.undercloud._check_hostname')
@@ -589,14 +589,14 @@ class TestGenerateEnvironment(BaseTestCase):
if k.startswith('UNDERCLOUD_ENDPOINT')}
self.assertEqual(90, len(endpoint_vars))
# Spot check one service
self.assertEqual('http://192.168.24.1:5000',
self.assertEqual('https://192.168.24.2:13000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
self.assertEqual('http://192.168.24.1:5000',
self.assertEqual('http://192.168.24.3:5000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
self.assertEqual('http://192.168.24.1:35357',
self.assertEqual('http://192.168.24.3:35357',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
# Also check that the tenant id part is preserved
self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])

def test_generate_endpoints_ssl_manual(self):
@@ -615,18 +615,18 @@ class TestGenerateEnvironment(BaseTestCase):
self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])

def test_generate_endpoints_ssl_auto(self):
self.conf.config(generate_service_certificate=True)
def test_generate_endpoints_ssl_off(self):
self.conf.config(generate_service_certificate=False)
env = undercloud._generate_environment('.')
# Spot check one service
self.assertEqual('https://192.168.24.2:13000',
self.assertEqual('http://192.168.24.1:5000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_PUBLIC'])
self.assertEqual('http://192.168.24.3:5000',
self.assertEqual('http://192.168.24.1:5000',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_INTERNAL'])
self.assertEqual('http://192.168.24.3:35357',
self.assertEqual('http://192.168.24.1:35357',
env['UNDERCLOUD_ENDPOINT_KEYSTONE_ADMIN'])
# Also check that the tenant id part is preserved
self.assertEqual('https://192.168.24.2:13808/v1/AUTH_%(tenant_id)s',
self.assertEqual('http://192.168.24.1:8080/v1/AUTH_%(tenant_id)s',
env['UNDERCLOUD_ENDPOINT_SWIFT_PUBLIC'])

def test_absolute_cert_path(self):
@@ -650,6 +650,12 @@ class TestGenerateEnvironment(BaseTestCase):
os.chdir(cur_dir)

def test_no_cert_path(self):
env = undercloud._generate_environment('.')
self.assertEqual('/etc/pki/tls/certs/undercloud-192.168.24.2.pem',
env['UNDERCLOUD_SERVICE_CERTIFICATE'])

def test_no_ssl(self):
self.conf.config(generate_service_certificate=False)
env = undercloud._generate_environment('.')
self.assertEqual('', env['UNDERCLOUD_SERVICE_CERTIFICATE'])
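Review bot: test_no_cert_path (the lines starting with `def test_no_cert_path`) now asserts the generated certificate path without setting `generate_service_certificate`, so it silently depends on the new default being True and its name no longer says what it checks, whereas the new test_no_ssl beside it does set the option explicitly. Either add `self.conf.config(generate_service_certificate=True)` before the `_generate_environment('.')` call, or put the comment `# Relies on generate_service_certificate defaulting to True` above it so a future default change fails for a stated reason. The same implicit reliance applies to the default-configuration endpoint test in the second hunk (the one now expecting `https://192.168.24.2:13000`), which is presumably the intended regression test for the new default and could say so in a comment. The TestGenerateEnvironment class continues outside the hunk.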


+ 1
- 1
instack_undercloud/undercloud.py View File

@@ -210,7 +210,7 @@ _opts = [
'OpenStack API endpoints, leaving it unset disables SSL.')
),
cfg.BoolOpt('generate_service_certificate',
default=False,
default=True,
help=('When set to True, an SSL certificate will be generated '
'as part of the undercloud install and this certificate '
'will be used in place of the value for '
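Review bot: The help text on `cfg.BoolOpt('generate_service_certificate', ...)` is not updated for the flipped default, so an operator reading the option description has no indication that certificate generation is now on unless explicitly disabled; the option definition continues past the hunk. Append a sentence to the help string such as `'This option defaults to True; set it to False to disable automatic certificate generation for the public endpoints.'`, keeping the existing wording about the certificate being used in place of the configured value. Also, the release note added in this commit calls the option `generate_service_certificates` (plural), which does not match the name defined here and would send readers looking for an option that does not exist.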

+ 5
- 0
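--- a/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
+++ b/releasenotes/notes/TLS-by-default-bc12660c12ba7ab1.yaml
@@ -0,0 +1,5 @@
+---
+security:
+- |
+TLS is now used by default for the public endpoints. This is done through
+the generate_service_certificates option, which now defaults to 'True'.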

+ 1
- 1
undercloud.conf.sample View File

@@ -81,7 +81,7 @@
# /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem. This
# certificate is signed by CA selected by the
# "certificate_generation_ca" option. (boolean value)
#generate_service_certificate = false
#generate_service_certificate = true

# The certmonger nickname of the CA from which the certificate will be
# requested. This is used only if the generate_service_certificate
